Author Archives: Fay Booker

Risk Governance, Governance Risk

Originally Published in Biz Magazine, September 2015

A key area of responsibility for all Boards of Directors is risk governance. Risk governance focuses on recognizing the risks inherent to the business of the organization and instilling processes to provide for protection of people, assets, and reputation. Governance risk recognizes that the ability or ineffectiveness of a Board can actually add to an organization’s risk profile rather than providing a deductive factor to the risk profile.

We have seen headlines where risk was allowed to consume the organization and lead to drastic consequences. Costa Concordia sailing an unsafe route which the Captain claims was condoned by superiors. General Motors and faulty ignition switches which staff claim was known within the company but action taken to deal with the risk was not adequate. Montreal, Maine & Atlantic and unsafe transport of dangerous goods; XL Foods and tainted beef; Mattel Toys and lead paint. If the Boards were exercising their risk governance responsibility the unfortunate outcomes of these events could have been prevented.

Enterprise risk management (ERM) is a methodology that has been in place for years. Identify the risk, assess the risk, take action to mitigate the risk, and monitor the behaviour of the risk and effectiveness of the risk response. The illustration shows the phases of an effective risk management approach. As an organization moves through the phases in the risk process, the risk intelligence of the organization builds.

Creating a Risk Intelligent Organization


Risk is an inevitable and acceptable part of all businesses. Not managing the level of risk is not acceptable. The ERM process requires an explicit identification of the risks inherent to the business given the products and services offered and the means by which they are delivered. For example, companies which transact over the internet and which store confidential personal information will identify a cyberattack as a high risk. The Board needs to gain assurance that the inherent risks have been thoroughly identified and evaluated in terms of the severity that each presents to the business. More importantly, the Board needs to gain assurance that appropriate measures are being taken to mitigate the risk to an acceptable level. A level that if the risk does still occur, the situation can be dealt with in a calm and reasonable manner. This is not crisis management. It is making sure you don’t have to activate that crisis management plan. It is the essence of operating in a sound and secure manner to achieve the strategic and business objectives of the organization.

Before establishing a risk framework and undertaking the process to identify the risk profile, the following elements must be in place to permit effective risk management.

  1. Support at senior levels: Concern for risk management must start and be supported at the highest level within the company. This includes the governance level and the CEO.
  2. Risk management efforts must be dynamic: This includes active identification, measurement and management of the risks, scanning for changes in the risk profile, and reporting on the risk profile.
  3. Clarity of understanding: There needs to be a clear definition of the risks and these must be understood across the organization.
  4. Accountability: Responsibility for responding to and managing the risks must be clearly understood and individuals held accountable for fulfilling the roles. Everyone is a risk owner.
  5. Resources: Appropriate resources including people and tools need to be deployed and available to help staff, managers, executive, and the Board fulfill their duties within the ERM framework.
  6. Culture: The organization’s culture must support the active managing of risk in terms of attitude.

Risk governance is one thing; the Board also needs to take action to not create governance risk. Does the Board have the capability to oversee the risk profile of the organization? Has it set an appropriate risk appetite? Does it receive fulsome information to monitor the risk profile on a dynamic basis? Does the Board fit within the framework for a risk intelligent organization? To test your risk literacy capability, I invite you to take the self-assessment here.

Fay Booker is the president of Booker & Associates, a consulting firm focused on promoting excellence in corporate governance, risk management and operational effectiveness.

Risk Appetite and Risk Tolerance

No doubt you’ve heard the terms Risk Appetite and Risk Tolerance in discussions about Enterprise Risk Management (ERM) implementation. But do you know the subtle difference between the two? I’ve heard Boards of Directors say ‘risk tolerance’ when they really mean ‘risk appetite’. Let’s clear up some of the confusion.

Risk appetite is a statement regarding the degree of risk which an organization is willing to take or accept in pursuit of its objectives. The risk appetite sets the boundary for risk taking and the tone for taking risk.

Here is an example of the formulation of a risk appetite statement (select the appropriate word):

Given [stability, volatility, uncertainty] in the business environment, [stability, amount of change, anticipated change] in internal operations of the organization, [satisfactory, adequate, unsatisfactory] earnings of the organization over past three years, anticipated [satisfactory, challenging] near term future earnings of the organization, and [surplus, adequate, minimal] capital position, the risk appetite of the organization is [low/modest, moderate, high/assertive].

You must also define what is meant by the levels low/modest; moderate; high/assertive. So that everyone is working within the same parameters.

Risk tolerance is the level of risk that a company is willing to accept in various risk areas. Generally the tolerance can be measured in terms of quantitative and qualitative dimensions. There can be a stated tolerance for the organization as a whole and tolerances by areas within the organization.

Here is an example of a risk tolerance statement:

The Board directs that there be a cost/benefit analysis for the approach to individual and collective risks and directs that residual risk levels that remain not represent a tolerance in excess of 1% of total annual expenses, not jeopardize the health and safety of staff and customers, and not unduly impair the reputation of the company, and that in the event that risk responses are absent or fail, the occurrence of the risk will not cause instability to the company’s daily operations.

Both risk appetite and risk tolerance should be clearly defined and stated in the organization’s Enterprise Risk Management framework. After all the framework relies on these two things to outline what is acceptable and informs strategic and operational decisions.

Boards—Take Back Governance

Originally published in The Bay Observer, Hamilton ON

Who runs the Board of Directors? The Board Members? The Chair of the Board? Or is it really – the CEO or Executive Director.

To fulfill good governance the Board must know its responsibilities and take action to fulfill them. This requires competency, self-motivation, and leadership. It requires the Chair of the Board to be the leader of the Board. Unfortunately we see many Boards where the Board’s governance responsibilities falls under the control of the CEO.

We see CEO control over the Board in different forms.

The CEO who thanks Board members for taking time to participate in the strategic planning session. But is it not the Board who is responsible for setting a valid strategic direction for the organization and if the wrong direction is selected based on valid data and research, isn’t it the Board that takes responsibility and accountability?

We see CEO control through the calling and cancelling of Board meetings based on the CEO’s schedule. Hold on – the Chair of the Board is responsible for calling and cancelling meetings. Board meetings are held to provide a forum for the Board to perform its duties – it is not about meetings being held for the convenience of the CEO.

CEOs have huge control over Boards through information provided by the CEO (or staff) to the Board and its Committees. Many Boards are manipulated by CEOs through selective release of information and the tone and manner in which information is delivered. Best practice CEOs share information in a fully transparent manner – they provide information that is succinct, timely, complete and objective. When presenting information for the Board’s decision making, best practice CEOs provide Boards with the options which were considered, the pros and cons of each, and the reason for the recommendation to the Board.

Then there is the matter of control over the Board through people dynamics. This includes CEOs being involved in the Director nomination process to control who becomes his/her boss and which Directors get on each of the Board Committees. Not to mention the respect (or lack thereof) which CEOs display when communicating with Directors in meetings, particularly in front of staff, as well as in communications outside formal meetings.

Boards set themselves up for this take over by the CEO. People are appointed to the Chair position without consideration for their ability to be an effective leader or their ability to be an effective facilitator. Board Chairs permit CEOs to take over and own communication with the Board. I know a Board Chair that never, in four years of being Chair, had any communication with Board members that had not been scripted by the CEO. He never sent an email to the board members, never picked up the phone to call any Board member. Only the CEO had direct contact with the Board members. So how did the CEO’s performance review get done if the Chair abdicated responsibility? A consultant was brought in to do the work that the Board Chair should have done and guess what, the consultant was selected by the CEO.

I have interviewed many CEOs over the years and here are some revealing comments from the mouths of CEOs: “It would be a great job if it wasn’t for that darn Board.” “The Board just gets in my way.” The Board can’t have a meeting without me.” “The Board only knows what I choose to tell them.” “I let the Board get really involved in the small stuff—it occupies them and keeps them away from the big issues and out of my hair.” Comments like these represent a huge risk for the organization. A CEO who does not respect the role of the Board will not feel accountable or worse will run the Board (their boss).

I have seen many Boards which have not been able to organize and operate itself to make decisions without the CEO present. You can be sure that the CEO is enjoying it that way. Unfortunately it spells disaster for the organization.

Boards! It is time to take back governance. It is your responsibility to govern, not to perform tasks as directed by the CEO. Who works for whom?


Fay Booker is principal of Booker & Associates, a firm focused on promoting good governance, enterprise risk management and operational effectiveness-

Are You Practicing S.M.A.R.T. Governance? 

Originally published in The Bay Observer, Hamilton ON

Good governance is critical for the success of an organization. We continue to see weak governance at play in many organizations—think Nortel, General Motors, Enron, eHealth, and many organizations which don’t make the mainstream news.

A Board displaying S.M.A.R.T. governance will be strategic, will adequately oversee management, demonstrate accountability for doing the right job right, display respect for the interrelationship with management, stakeholders and within the Board, and is trustworthy and talented.

Strategic governance is focused on mission, vision and values and the organization’s strategic direction and goals. Strategic governance causes an organization to move forward, to be successful, to continuously improve the service that it provides to its customers, to inspire employees to do their best, and to meet the expectations of the stakeholders. But do we have strategic thinkers around the Board table or at the Council table? This is not a trait that fits nicely on those darn checklists for skills based boards. Too many of the players around the governance tables are non-strategic and are focused on fiduciary issues and compliance. The lack of strategic governance is seen in organizations which do not move forward and at best continue to do the same-old, same-old. Did we see strategic governance in the stadium discussions? Or was it all about grabbing the dollars off the table regardless of long term consequences?

Management oversight is the most common governance activity. Over seeing how management is operating the organization is indeed a job for the Board. It is here though that many Board members dip dangerously into micromanagement. Holding management accountable for a positive employee environment, good customer satisfaction, effective operations, and financial health should be focused on the end results. Not on telling the CEO how to do it. Doing an annual review of the CEO’s performance is a must. How did the Board miss the generous spending, untendered contracts and self-dealing at eHealth?

A high performance Board is accountable and independent. The Board has a job to do and it needs to be assessed on how it has done that job. Boards do self-assessments. We know that there are flaws with self-assessments. Having an objective assessment conducted by a knowledgeable governance consultant is the superior method. However few Boards and organizations will invest in governance to actually benefit from this process. Remember when the Education Minister had to relieve the trustees from their duties at Toronto Catholic School Board due to misuse of expenses accounts. Were they conducting themselves in an accountable manner?

Respect is a necessary ingredient for good governance. Respect between Directors, respect by Directors for the expertise of management, respect by management of the role of the Board. If there is a lack of respect on any of these dimensions, there will be a detriment to the governance effectiveness. I have heard more than one CEO muse that his/her job would be so much easier if it wasn’t for the waste of time that the Board is. That doesn’t sound like respect to me.

Stakeholders place trust in a Board of Directors to do the right job in order to have a successful organization. This trust needs to be well placed. Boards can earn this trust by having Directors who possess qualities of integrity, competence, knowledge, and motivation to carry out his/her duties in the long term best interests of the organization. Directors need to exhibit strong ethical conduct, and honour a strong code of conduct. I have often heard the Board of Hamilton Community Foundation described as exhibiting the qualities where donors can place trust in the sound governance that it provides.

Boards need to be talented. To be talented, Boards need diversity, curiosity, knowledge, positive personal attributes, and a commitment to continuous development. The Board should be comprised of individuals who can bring different life experiences, knowledge, diversity of views, as well as strategic thinking to the table. We need Directors to be curious and be willing to ask questions of management that gives them full understanding of the issues. Director education creates Boards with ever increasing capability which can benefit the organization.

Find a Board in Burlington or Hamilton that lives up to 50% of the above characteristics – you will have an average Board – but if you have one that lives up to 80% of the above, join it and tell me who it is!

All Boards should ask themselves if they practice S.M.A.R.T. governance: Strategic, Management oversight, Accountable, Respectful, Trustworthy and talented.


Fay Booker is principal of Booker & Associates, a firm focused on promoting good governance, enterprise risk management and operational effectiveness –