“Risk” deals with the uncertainty of achieving objectives – in the real world, no outcomes are certain!
Some objectives will be more challenging to reach, and some will be more important to reach; not all are equal. For example, on two “people” objectives, you may agree that there should be zero tolerance for sexual harassment in the workplace, but that for the average time taken to fill an administrative vacancy, up to a three-month range may be acceptable.
The big idea here is to attach “risk” to each objective, so that you – and management – can tell if you are “hitting” or “missing” the target, or “tolerance” range. This helps management to move resources around to meet the priorities (zero or low tolerances) that you set together.
The goal of risk management is to optimize risk, not to minimize risk. For instance, we could eliminate all sports activities at schools to minimize the risk of sports injuries, but that would not serve our students well. Risk taking is the essence of how school boards exist, generate student outcomes and sustain themselves. Without risk taking there would be no innovation, no progress and no advances in student outcomes. But how do we provide oversight in this area?
The Director of Education and staff manage risks by identifying, assessing, measuring, mitigating and monitoring them. (Please refer to Risk Management in Brief in the Supplemental Information for an explanation of Risk Management.)
Beyond staff’s role in risk management, you, the board, then have three roles in risk:
The first is “risk direction”: board and management discussing and agreeing on “tolerances”, or acceptable levels of risk for each objective or outcome area.
The second is “risk oversight”: monitoring the effectiveness of the risk management system.
Risk control, your third role in risk governance, is about having your auditors and internal controls reporting to you (usually the Audit Committee) to make sure that sufficient controls are in place and that these are effective at mitigating risks.
We will now look at these first two roles in a little more depth.
Risk Tolerances and Policies
Through an informed dialogue between board and management, you will agree on (and the board will approve):
- risk tolerances: these are ranges of acceptable vs unacceptable outcomes for each objective area (e.g. for each KPI from the BSC), and perhaps also
- risk appetites: these are ranges of desired or target outcomes for each objective area.
This often occurs during the “environmental scanning” phase early on in strategic planning, although risk tolerances can be reviewed and reset at any time during the year in response to real events.
The purpose of setting risk tolerances is to give management a clear understanding of the board’s priorities when it comes to taking, avoiding or managing risks. These are also important when it comes to management’s reporting to the board, and the board using these reports for monitoring (this will be discussed in the next section, Governance and Resources).
Risk tolerances are recorded and used in several ways:
- strategic plan and performance reports: tolerances (ranges) are shown for each outcome, so that actual performance can be tracked to these;
- budget: priorities and tolerances are reflected in the business and operational plans that management writes, culminating in the annual budget;
- policies: most risk tolerances are written down in plain language in Board-level Policies (see supplemental information from section 1, Governance and Strategy), for example:
  - Code of Conduct or Ethical Code; Conflicts of Interest; Confidentiality; Integrity Assurance (Whistle-blowing); Attendance; Travel & Expense Policies: write down tolerances re: acceptable vs. unacceptable behaviour and activities. These are based on both the Statement of Values and risk tolerances.
  - Delegation of Authority (Executive Limitations); Procurement Policy: write down what decisions the Director of Education may make on her/his own, and how, vs. what decisions must be brought back to the board for approval.
  - Governance Policy/Protocol; Board and Committee Charters (Terms of Reference): write down what the board is responsible for, and how (e.g. meetings, voting).
  - Human Resources Policy; Education Policy: write down the board’s parameters for how staff are to be treated, hired, paid, etc.
  - Communications Policy/Protocol: write down who speaks on behalf of the School Board, when and how.
  - Investment Policy; Insurance and Risk Policies: write down the board-approved tolerance for investment, insurance and other risks.
These are just the most common board-level policies; some boards use others as well, e.g. environmental and social responsibility, archiving and records retention policies.