
Risk management for public boards: What you need to know

In the town of Millway, the city council recently experienced a harrowing cyberattack that exposed sensitive resident data, leading to a public outcry and a loss of trust. City Manager Sarah Thomson, who had always been passionate about community safety, found herself at the center of the crisis. Residents bombarded her with calls and emails, demanding answers and solutions. The incident not only disrupted the town's operations but also strained the council's ability to function effectively.
Realizing the gravity of the situation, Sarah knew that the council needed to take immediate action. She proposed a special meeting to address the breach and to discuss the broader need for a more robust risk management strategy. The council's response would be crucial in restoring public confidence and ensuring the town's resilience against future threats.
As this scenario shows, public boards today can face an array of risks, from cyber threats and financial instability to natural disasters and declining trust. Whether you’re overseeing a municipality, school district or community college, one thing is clear: proactive risk management is essential for safeguarding operations, ensuring continuity and maintaining public trust.
Yet many organizations still lack a clear, board-level strategy for identifying and responding to risk.
So, how should a board proceed, especially if there’s no dedicated risk management committee in place? In this article, we’ll explore best practices for managing risk at the board level, how to establish or enhance oversight, and tools to streamline the process. Whether you’re building a formal committee or embedding risk planning into regular meetings, there are strategic steps every board can take now.
The time for risk management planning is now
Threats can spring up at any time. We’ve seen many examples in recent years, from pandemics and weather emergencies to financial crises and ransomware attacks. Any of these can affect a public board, whether its organization is a small municipality, large school system or a medium-sized community college.
Boards can't afford to wait to take action.
However, it's also important for boards to be clear on how their role interfaces with senior administrators, and not to micromanage. The board isn't responsible for eliminating risks; it is responsible for making sure that risks are accounted for and that a plan is in place for preventing and responding to them.
So the board has a fine line to walk, but it helps to think of active risk management at board level as visionary and strategic work. Risk management in today's climate means using knowledge of past risks and past performance to anticipate future scenarios and responses, so that the organization can prosper over the long term.
Planning efforts should balance the cost of action against potential risks.
Risks public boards need to be aware of and oversee
Operational, strategic, political and reputational risks each present distinct challenges, and each can be managed, provided the board is aware of them and takes a responsible approach to addressing them.
The list of risks is long, and no matter what type of entity you oversee, there is likely overlap between categories. Still, there are risks particularly significant for each type of organization. Let’s take a look:
- Government: Unsustainable public finances, weak or unsustainable growth, labor shortages, deficient cybersecurity and more
- School districts: Cyber attacks, aging infrastructure, legal exposure and more
- Community colleges: Cyber breaches, faculty and staff attrition, student activism, natural disasters and more
Starting with the risks more likely to affect your organization or entity can make preparation efforts more manageable.
Establishing a board-level risk committee
Accountability is an important component of managing risk. Boards can assign responsibility to a risk management committee so that accountability is assured. The committee takes responsibility for board-level risk management and for oversight of management-level risk programs.
What does a board-level risk committee do?
- Establish the organization’s risk profile and define its overall approach to risk management.
- Explore the best ways to put controls in place to make sure all parties fulfill their obligations of controlling risks. Committee members could be instrumental in raising awareness of best practices and procedures of risk governance and providing education to the board.
- Communicate the risk management profile to the board and the management team and encourage them to use it as a standard in making decisions. Boards can minimize or avoid major risks by practicing good oversight over the agreed-upon risk management profile.
Communication is key. Other board committees should equally be aware of the organization's risk profile. Boards with communication committees should coordinate their communications efforts with those of the risk management committee, and the audit, compliance and strategic planning committees must share the profile as well.
It's best to take an open and honest approach in communicating the risk management profile and plan to internal and external stakeholders.
Risk management without a dedicated committee
Perhaps your organization doesn’t have the resources to form a separate risk management committee. In that case, risk management tasks can be added to the regular meeting agenda to ensure your entity covers this topic meaningfully.
Much of the work of a risk management committee can be completed by smaller boards meeting regularly or by working groups providing regular updates.
The important thing is to take action, no matter the size of your organization.
Approaching risk management planning
A newly formed risk management committee, working group or effort will have many tasks ahead in the beginning. The first is to clarify the organization's risk tolerance and risk profiles. Noting the failures and successes of similar organizations and municipalities serves as a learning experience for all boards.
From there, the committee must evaluate the risks and rewards, as well as any potential trade-offs. The committee will also need to evaluate any environmental circumstances that they need to monitor or manage. In addition, they'll need to scan the internal and external environment for new threats and any new opportunities they might present.
Consider some examples:
- A city has personally identifiable information, or PII, for employees and residents. What if a ransomware demand threatens the exposure of data?
- A charity depends on a charismatic, well-networked executive director for a large percentage of annual donations. What happens if that individual departs suddenly?
- An older facility on a school campus lacks modern fire-protection measures and is in an area prone to drought. What is the plan to relocate that building’s functions if it is threatened?
Upfront planning lessens the chance that the board will have to react to credible threats like those above after the fact. Clear risk management reduces the negative impact on employees, processes, technology and the broader environment.
How board management software can help with risk management
Diligent Community streamlines meeting preparation, making sure agendas and board packets are centralized, accessible and easy to update. With less time spent manually compiling agendas and board packets and fixing errors, the team can focus on identifying and addressing risks instead of wrestling with paperwork.
Board members can access key information for meeting preparation and decision-making easily on any device, anywhere and any time, and they can make private annotations as they prepare for upcoming discussions and votes.
Documents and board business are kept within an access-controlled platform instead of being circulated through insecure email or ad hoc file-sharing systems, which reduces the exposure of sensitive board material and helps mitigate cyber risk.
Committee Manager also allows you to:
- Seamlessly manage multiple board committees or meeting groups all within Diligent Community
- Customize who can create, access and engage with content within each committee, ensuring the right stakeholders are involved
- Tailor custom workflows and approval trees for each committee, optimizing efficiency and accountability
- Allow the public to subscribe to specific committee groups for updates through your public website, enhancing transparency and engagement
Diligent Community helps improve public trust around how the board is managing risks, by giving the board a way to show the community they are making thoughtful, responsible decisions. The tools make it easy to share meeting minutes, voting records and financial updates online. With everything out in the open, residents can feel reassured and board members feel empowered to keep making smart choices.
As a Diligent Community customer on the Diligent One Platform, your team will also be able to access Diligent AI Risk Essentials, helping you simplify risk oversight with AI-powered benchmarking to identify relevant risks quickly, and support you along the way with guided onboarding and educational resources, including access to Diligent Institute’s new ERM Certification.
Risk management is increasingly falling under a public board's purview, so every board member needs to be aware of how teamwork on risk can protect the organization's future. With Diligent Community, boards can streamline the work of minimizing threats. Let Diligent show you how today.