Risk Review Meetings

“The Risk Was Theoretical. The Panic Was Real.” Over the weekend, a good friend called me, frustrated after sitting through a board risk session. They said: We were reviewing this vendor fraud risk, and the dashboard—one that’s been around for years—had it flagged as “High Inherent Risk.” A board director asked whether they should pause the rollout until it turned green. Another director said, “Residual risk is low—we’ve implemented multiple controls.” But then someone else said, “Inherent risk can’t be lowered. It’s theoretical. It assumes no controls.” So a director asked, “Then why is it on the dashboard?” Everyone looked at each other… and the meeting was adjourned. The topic was tabled for discussion in two weeks. They gave me some more context—all anonymized, of course. Then they asked me: “Am I crazy? Or is this just broken?” I responded: You’re not crazy. But yeah—this is broken. The board was reacting to a theoretical number—a red warning light tied to a world that doesn’t exist. Controls were in place. Incidents were zero. Residual risk was low. But the color red still hijacked the conversation. I’ve seen this too many times: • Boards asking for mitigation of a risk that’s already been mitigated • Directors getting spooked by “inherent” risk ratings with no operational meaning • Anchoring on worst-case scores instead of real-world data What I Told Them If a score assumes zero controls—and the real world has controls—then it’s not insight. It’s just inertia disguised as analysis. The root of the confusion? It traces back to legacy risk frameworks—particularly COSO’s internal control model, which introduced “inherent risk” as a theoretical baseline. But theory doesn’t run companies—context and evidence do. When boards fixate on inherited terminology without questioning its relevance, oversight becomes ritual instead of risk governance. What I suggested was this: Before the next board meeting, propose reframing the dashboard to reflect actual, observable risk. Swap out “inherent” for impact potential, and pair it with evidence-based assessments of control effectiveness. Give the board a narrative they can respond to, one grounded in what’s real, not what’s red. And just before we hung up, I said: “Look, this isn’t official advice—just two friends talking. But if the dashboard’s telling a story no one believes, maybe it’s time to change the script.” Your Turn… Have you ever had to coach a board or executive team through this kind of misalignment? What helped get the conversation back on track? Have a great week and holiday! Jonathan T. Marks #risk #controls #coso

Most nonprofit boards of Directors don’t think enough about risk. They assume risk management is the finance committee’s job. Or the executive director’s. And most nonprofit boards only talk about risk in two situations: • When the annual audit forces the conversation • When something bad happens By then, it’s already too late. Here’s how to shift to a proactive risk strategy in five steps: 1. 𝗡𝗮𝗺𝗲 𝘁𝗵𝗲 𝗥𝗶𝘀𝗸𝘀 𝗕𝗲𝗳𝗼𝗿𝗲 𝗧𝗵𝗲𝘆 𝗡𝗮𝗺𝗲 𝗬𝗼𝘂 If your board isn’t talking about risk, it’s not because risks don’t exist. It’s because you haven’t identified them yet. • Financial risks (financial mismanagement, budget shortfalls) • Operational risks (tech failure, leadership transitions) • Reputational risks (poor crisis response, ethical missteps) Write them down. Make them visible. 2. 𝗥𝗮𝗻𝗸 𝗥𝗶𝘀𝗸𝘀 𝗯𝘆 𝗟𝗶𝗸𝗲𝗹𝗶𝗵𝗼𝗼𝗱 & 𝗜𝗺𝗽𝗮𝗰𝘁 Not all risks are created equal. Use a simple metric: ✅ High likelihood, high impact → Requires immediate action. ⚠️ High likelihood, low impact → Manage with systems. 🔍 Low likelihood, high impact → Have a contingency plan. 3. 𝗔𝘀𝘀𝗶𝗴𝗻 𝗥𝗶𝘀𝗸 𝗢𝘄𝗻𝗲𝗿𝘀𝗵𝗶𝗽 If everyone owns a risk, no one does. Assign specific risks to board committees or individuals. 4. 𝗧𝗵𝗲𝗻 𝗠𝗮𝗸𝗲 𝗥𝗶𝘀𝗸 𝗔𝘀𝘀𝗲𝘀𝘀𝗺𝗲𝗻𝘁 𝗮 𝗦𝘁𝗮𝗻𝗱𝗶𝗻𝗴 𝗔𝗴𝗲𝗻𝗱𝗮 𝗜𝘁𝗲𝗺 After assigning risk ownership, make identified risk areas a standing board agenda item, not a one-time discussion. Spend 5 -10 minutes each board meeting reviewing key risks in order of importance to your organization. 5. 𝗧𝗮𝗸𝗲 𝗮 𝘀𝗲𝗾𝘂𝗲𝗻𝘁𝗶𝗮𝗹 𝗮𝗽𝗽𝗿𝗼𝗮𝗰𝗵.     This way, urgent issues don’t get buried while still preparing for long-term stability.     -> Start with the risks that require immediate action. The ones that could quickly derail your mission if left unaddressed. (Financial mismanagement, key leadership resignation). -> Then, tackle risks that need a contingency plan. Those low-probability but high-impact events could cause major disruption. (Data breach or a PR crisis). -> Finally, focus on risks that can be managed with systems. The ongoing challenges that can be controlled with the right processes in place. (Mission drift, board turnover). ----- Start now, and by the end of this year, your board will be a more proactive, resilient, and mission-focused organization. Ignoring risk won’t make it disappear. It will show up anyway. And when an unplanned issue pops up (there is always something), you'll have a starting point to work from, even if it's not exactly the risk you already identified. Is your board ready for the risks ahead?

#Safetytechtip for solo safety pros overwhelmed with risk register admin. As a solo safety professional, developing a comprehensive risk register can feel like a massive undertaking. But what if you could use a simple, tech-driven workflow to get it done faster and with better results? All while maintaining critical thinking & collaboration with teams. Here's a pro tip to streamline the process & tap into the collective knowledge of your organisation. Full disclosure: This entire post, from my core ideas to the final text, was generated using my voice—a workflow created entirely through my dictation & insights, then crafted into this narrative using LLMs. No keyboard used aside from pressing Ctrl + Windows key to activate my dictation tool*. Step 1: Brainstorm and Categorise with AI Start by physically walking through your planned risk scenarios, dictating your job steps, potential hazards, processes and areas of risk. Transcribe (there's loads of ways to do this) then use an AI tool like Claude, Gemini, ChatGPT etc to summarise these notes into risk assessment categories based on a company risk template which you can upload as context. This gives you a structured foundation for your register. Step 2: Host a Multidisciplinary Risk Conversation Schedule a session with key stakeholders to host a risk discussion - try to make it more conversational than line by line; nobody likes sitting through excel risk reviews. Use the risk categories you developed as a talking guide. Use an omnidirectional microphone to capture the conversation (with consent) & ask each person to state their name & role which with speaker identification during transcription. Step 3: Transcribe & Populate Your Register Upload the audio file to a transcription service (even Microsoft Word can do this) to get a written record of the discussion. Then use Claude to populate your risk register. Step 4: Develop Your Management Plan Once your register is populated, start a new chat with the same or alternate LLM** Upload a reference example of a risk management plan and prompt it to create a new one based on your newly populated risk register. This ensures your action plan aligns with your identified risks. Step 5: Turn Plans into Action Finally, turn your management plan into a clear, actionable list. Export these tasks directly into an electronic task manager like Microsoft Tasks or Asana; I used Google Tasks for my latest action register. This ensures accountability and helps you track progress toward mitigation. By leveraging AI and collaborative tools, you can evolve risk management into an efficient and effective process. *Hit me up if you'd like to learn more about how I overlay dictation into everything from excel cells to email replies. ** I like to use different LLMs for different tasks - they all perform differently depending on what you want to do; if you need coaching or guidance on this let me know. #Safetytech #Safetyinnovation