By Hanif Barma, co-founder of the Risk Coalition and director of Board Alchemy
Organisations today face an increasingly volatile, uncertain and challenging future. A number of factors – geopolitical, macroeconomic, technological and competitive forces amongst them – combine to make things tough for organisations. A challenging and rapidly changing environment means that achieving business goals and objectives is far from a straightforward matter. And continued uncertainty and change may even serve to question the ongoing validity of an organisation’s underlying strategy and business model.
This context serves to reinforce the importance of effective risk governance and risk management. Understanding the risks that impact on a business achieving its strategy and its business objectives becomes essential. Effective risk governance and risk management enable a business to respond to changes and better cope with uncertainty, creating a more resilient and sustainable organisation.
Unfortunately, risk-related matters are still too often seen by boards and management as an exercise in box-ticking, or a matter of compliance, rather than being regarded as value-adding. Risk is often viewed negatively, as something to be avoided, rather than a possible paradigm shift creating new opportunities for a business to pursue.
Effective board-level oversight of risk and good risk governance are key, but boards don’t always ask the right questions about their organisation’s risk arrangements and risk practices. They also don’t routinely focus on the link between risk and business objectives, and don’t give sufficient focus to considering new opportunities. If this is the case, boards need a change in mindset, as well as a more robust and structured approach to risk governance and oversight to support them.
The Risk Coalition, a network of not-for-profit professional bodies and membership organisations committed to raising the standards of risk governance, published Raising Your Game in February 2025. Setting out cross-sector risk governance guidance for boards, Raising Your Game builds on the Risk Coalition’s earlier work for the financial services sector. Raising Your Game provides a framework for risk governance that enables organisations to better navigate risk, pursue opportunities and improve decision making.
Raising Your Game’s framework sets out eight principles, key aspects of which are:
- Board accountability
The board has ultimate accountability for the overall effectiveness and appropriateness of the organisation’s risk management arrangements. The board has primacy for these arrangements and should establish a board risk policy that is consistent with the organisation’s strategy and strategic objectives. This policy should define the organisation’s overall approach to risk and its appetite for risk. The board should also regularly consider whether the organisation is likely to achieve its strategic aims, seeking assurance that its risk management arrangements operate effectively and remain appropriate in changing circumstances.
- Committee purpose
The board should establish a risk committee to give appropriate focus to risk matters. This could be a dedicated risk committee or, for example, the remit of its audit committee could be extended to give focus to risk-related matters. This committee is primarily an advisory committee to the board (which retains ultimate accountability). Its aim should be to support focused and informed board discussions on risk-related matters and to help executive management make better risk decisions. The committee should provide consolidated risk oversight through close coordination with other board committees by monitoring the organisation’s principal and emerging risks.
- Committee composition and membership
To enable effective oversight, the independence of the committee from management, who are responsible for day-to-day risk management and accountable to the board and the committee, is an important consideration. Accordingly, the committee should solely comprise independent non-executive directors. The committee should be chaired by a risk-experienced independent non-executive director and it should, as necessary, have access to external risk advice expertise.
- The organisation’s approach to risk
The committee should provide the board with advice as to whether the organisation’s approach to – and appetite for – risk, as well as its wider risk management arrangements, remain appropriate. In doing so, it should consider changes in the external environment, and the alignment to the organisation’s purpose, values and culture. The committee should challenge management on whether risk management arrangements are embedded across the organisation, and whether risk-related roles are clearly allocated. It should also monitor the risks the organisation is willing to take to achieve its strategic objectives and to exploit new business opportunities.
- Risk culture and behaviours
Monitoring the behaviours and culture exhibited in the boardroom, by the executives and across the organisation should be a matter of focus for the committee. It should consider and periodically report to the board whether the organisation’s purpose, values, and risk culture expectations (as defined in the board risk policy) are appropriately embedded at all levels and are reflected in observed behaviours and decisions. As part of its role, the committee should monitor attitudes towards the organisation’s risk, compliance, and audit functions, as this will be reflective of the organisation’s culture.
- Navigating risks and pursuing opportunities
The committee should assess and advise the board on the likely achievement of the organisation’s strategic objectives and progress with emerging opportunities, in the light of its principal and emerging risks. Where concerns about their achievement persist, the committee should advise the board whether additional actions are needed to increase the certainty of their achievement, whether the organisation’s strategic aims need to be revised or whether the risk (and therefore the reduced certainty of achieving the strategic aims) should be accepted.
- Risk management, internal control systems and reporting
The committee should monitor, periodically review and advise the board on the effectiveness and continued improvement of the organisation’s risk management and internal control arrangements, including the quality and completeness of risk-related information and reporting that is required by the board. The committee should also, when necessary, commission appropriate independent assurance (e.g., from internal audit) over the appropriateness and effectiveness of the organisation’s risk management and internal control arrangements.
- Independent risk oversight and challenge
The appointment of a chief risk executive or senior risk leader – typical in financial services – will enhance the organisation’s risk governance arrangements by providing support to the committee, as well as a challenge to the executives, and advice and assurance to both on risk-related matters. Where a chief risk executive has been appointed, the committee should safeguard their independence and objectivity. The committee should also sponsor the development of a risk charter that defines the role and responsibility of the risk function.
The eight principles set out in Raising Your Game provide a framework for boards to determine their approach to risk governance. These principles are intended to be proportionally applied, so boards are encouraged to discuss and consider their applicability to their organisation. Where an organisation’s approach to risk is developing and maturing, the principles can be used to set out the desired future state of its risk governance, and a plan developed to evolve its current risk arrangements.
Ultimately, the purpose of the guidance is to position risk governance as a strategic enabler to support the success of the organisation, using risk to manage complex environments, unlock competitive advantage and build resilience. Risk taking is inherent to growth, and organisations that approach risk governance in a structured, disciplined and forward-looking way can turn uncertainty into opportunity.
Hanif Barma is a co-founder of the Risk Coalition and director of Board Alchemy, a governance consultancy focused on assessing board effectiveness and improving the performance of risk and audit functions. The Risk Coalition’s Raising Your Game was published in February 2025.