Including risk management on a Board’s agenda

Including risk management on a Board’s agenda is very important for reinforcing a strong risk culture within the organisation. There are various ways of including risk discussion on the Board’s agenda; however, we believe that it is more effective to spend fifteen minutes on risk matters at every meeting than an hour once a quarter or a day once a year.

It is recommended to discuss the risks associated with each decision instead of having risk management as a separate agenda item. After all, all items on the Board’s agenda are risk items.

For example, the Board may want to discuss risks associated with the quarterly budget when discussing the actual budget, or discuss project risks when approving project financing, as opposed to discussing the top ten corporate risks at the end of the meeting when all decisions have already been made.

The risk manager should, along with the Board secretary, make the necessary amendments to the presentation templates to include a section on risks for every significant decision. The risk manager, in conjunction with internal audit, should also ensure that the risk information provided to the Board is complete, accurate and consistent. To improve the quality of such information, risk managers may wish to consider staff training or to personally quality-check the information before it goes to the Board.

Some Boards may create a separate Risk Committee or expand the scope of the Audit Committee to review matters related to risks. Our experience, when talking to different risk managers during the interviews, shows that this may be more fashionable than practical, since most decisions are taken long before the information is formally presented to the Board of Directors. Several people interviewed mentioned that it makes more practical sense to have a management level risk committee instead.

Nevertheless, the Board level risk committee can play an important oversight role and have a very positive impact on the overall risk culture within the organisation. Sometimes this is called “security theatre”.



