Many participants in our workshops are surprised when I show them the first sentence of the Companies Act:

An Act to reform the law relating to companies, and, in particular,

(a) to reaffirm the value of the company as a means of achieving economic and social benefits through the aggregation of capital for productive purposes, the spreading of economic risk, and the taking of business risks;

The emphasis on risks is mine.

I want to highlight that taking risks is intrinsic to business. The purpose of accepting those risks is to achieve economic and social benefits. There is an implied social contract: a company is expected to take risks, but in return it is expected to deliver economic and social benefits.

Risk is the potential for loss or the lower opportunity for gain (however “loss” and “gain” are measured).

Because risk is intrinsic to business, every decision the Board makes carries a risk profile, and that profile needs to be considered as part of the decision.

So how should Directors approach the task of Risk Governance?



The Board needs to understand the critical risks in their business and have a clear reporting framework.

Does your Board ask: What are the risks?

(Write them down)


Consider whether they can be moderated or eliminated.

  • Are these risks acceptable to you? 
  • How likely is the risk to result in an event?


Are you prepared to accept a 1 in 500 year event? A 1 in 50 year event? Bear in mind that these are annual probabilities: over a 30-year planning horizon a 1 in 500 year event has roughly a 6% chance of occurring at least once, while a 1 in 50 year event has roughly a 45% chance (assuming the chance is independent from year to year).

  • Is a risk highly likely because of some recent events?
  • What will the impact be if the risk comes to pass?
  • Can injury to life or limb occur?
  • Will business be able to continue?
  • How can we eliminate the risks? Or minimise the impact of the risk?

For example, you can reduce the risk of business slowing when someone is on leave by training others in their role.

You can minimise the financial impact of losing a key person with key person insurance.


How are the risks going to be managed or eliminated?

A Risk Report can easily be prepared in a tabular format. Each risk is named; a colour code or numerical value indicates how likely and how impactful it is; and a column records how the risk is being addressed and by whom.

We have provided a template for this among our resources. Start listing your risks today!


The Board considers whether those management strategies are sufficient and, if so, the matter is treated as dealt with. It is often the case that the risk is then never, or rarely, revisited or updated. Directors should ask whether any trends are changing the risk profile.

  • Has the business environment changed, either internally or externally?
  • Are our working assumptions still reasonable?

While the CEO usually has ultimate responsibility for operational risks, the Board should meet with the staff who have been assigned specific risks and activities to manage. Directors should also be aware of their responsibilities under the Health and Safety at Work Act 2015.


According to WorkSafe there were 108 workplace-related deaths in 2019, with the Arts and Recreation Services sector being the most accident prone, or in other words the most negligent. Physical harm is not the only risk in an organisation, but its rate of physical harm can reflect how risk aware its culture is.

  • How does the Board communicate its level of acceptance of risk? Some boardrooms are gung-ho while others are very risk averse.
  • Do you set tight timeframes for your drivers to keep to timetable?
  • Do you make it difficult to access Personal Protective Equipment?
  • Do you have appropriate levels of delegated financial authority?
  • Do incentives reward the right behaviour?
  • How do you encourage thinking differently?
  • Does the business have a culture where it is encouraged to challenge other employees?

This applies to safety risks, but also to working assumptions, so that 'groupthink' is avoided. Those in authority must be comfortable with being challenged by less senior employees. Collaboration, combined with ownership and accountability, reduces risk.


Few organisations are entirely risk free. When we meet as a District Health Board we know that our organisation is dealing with risk every day of the week. Whether it is through surgery, employees servicing remote communities unaccompanied, or the danger of cyberattacks, the organisation is a high-risk place. By the nature of the organisation we cannot eliminate all risks, so as a Board we have to agree what level of risk we are prepared to accept.

A Board always has an appetite for some level of risk, and it should be conscious of what that appetite is. It will be demonstrated by behaviour when risks are raised or when an incident occurs. The levels of financial delegation give a clue to risk appetite.

How does the organisation respond to a workplace accident? Boards should actively address their appetite for risk as part of their strategic thinking. For example, what are the dashboard measures to be monitored?

How would you describe your Board’s appetite for risk?

  • Averse: Avoidance of risk and uncertainty is a key organization objective.
  • Cautious: Preference for safe options that have a low degree of risk.
  • Open: Willing to consider all potential options and choose the one most likely to result in successful delivery, but accepting of some risk in return for an acceptable level of reward and value for money.
  • Aggressive: Eager to be innovative and to choose options offering potentially higher business rewards, despite greater inherent risk.



Risk maturity models look at how well integrated risk management is in an organisation. At the lower end, risks are identified as they happen and processes are put in place to stop them happening again. Typically such risks are recognised at an operational level by people at the workface. As an organisation gains in risk maturity, a more strategic approach is taken at a whole-of-organisation level.

Hillson (1997) maturity model

Level 1, Naive: The naive risk organisation is unaware of the need for risk management and has no structured approach for dealing with uncertainty. Management processes are repetitive and reactive with little or no attempt to learn from the past or to prepare for future threats or uncertainties.

Level 2, Novice: The novice risk organisation is experimenting with [the] application of risk management, usually through a small number of nominated individuals, but has no formal or structured generic process in place. Although aware of the potential benefits of managing risk, the novice organisation has not effectively implemented risk processes and is not gaining the full benefits.

Level 3, Normalised: The normalised risk organisation has built management of risk into routine business processes and implements risk management on most or all projects. Generic risk processes are formalised and widespread, and the benefits are understood at all levels of the organisation, although they may not be consistently achieved in all cases.

Level 4, Natural: The natural risk organisation has a risk-aware culture, with a proactive approach to risk management in all aspects of the business. Risk information is actively used to improve business processes and gain competitive advantage. Risk processes are used to manage opportunities as well as potential negative impacts.

(Hillson, D. (1997) Towards a risk maturity model. International Journal of Project and Business Risk Management, 1(Spring), 35–45.)

Hopkinson risk maturity model for businesses, level 4


  • Board’s risk management (RM) policy reported to shareholders
  • Management leads RM by example. Practical definition of “significant risks”
  • Practical definition of the risks to be borne
  • Clear RM channels of communication

Risk Identification

  • All sources of risk considered, including strategic, financial, technological, resource, disaster, projects, operational and external

  • New risks identified in a timely manner
  • Unusual events investigated for risk
  • All employees can identify risks

Risk Analysis

  • Consistent definition of probability
  • Consistent definitions of impact
  • Prioritisation influences agendas and promotes cost effectiveness
  • Widespread availability of RM expertise
  • Analysis traces risk source and secondary effects
  • Risk records retained on state of the art tools

Risk Control

  • Risk control actions based on cost–benefit analysis after considering all strategies
  • Well-focused actions on individuals
  • Actions are consistently completed
  • Business continuity planning as appropriate

Risk Review

  • Annual formal board review of RM effectiveness
  • Strategy for review of all risks maximises cost effectiveness
  • New information on significant risks is reported immediately
  • Board regularly review significant risks
  • Risk reports optimised for effectiveness


  • Board’s policy translated into management instructions understood by all employees
  • Atmosphere of mutual trust
  • Proactive risk management rewarded.
  • Key managers have good RM skills and relevant experience in the core business


(Hopkinson, M. (2000) Risk maturity models in practice. Risk Management Bulletin, 5(4).)


Stellaris offers specialised governance and strategy training and advice tailored specifically for your organisation.

Upskill your Board by learning more about our Directors Chair Course, or develop a clear, meaningful, effective strategic plan designed especially for you.