Risk Management and Internal Controls
Risk concerns uncertainty of outcome. The delivery of an organisation's objectives is surrounded by uncertainty which both poses threats to success and offers opportunities for increasing success. Risk is defined as this uncertainty of outcome, whether positive opportunity or negative threat, of actions and events.
Each public sector organisation's internal control systems should include arrangements for identifying, assessing and managing risks. Risk management should be closely linked to the business planning process and performance monitoring arrangements.
Public bodies are required to provide a Governance Statement in order to comply with best practice as recommended by the Turnbull Committee Report. As part of that process, Directors (in the case of public bodies, the Board) are required to review, at least annually, the effectiveness of all controls, including financial, operational and compliance controls. Organisations need to show that they have established and maintained effective and ongoing procedures for identifying, evaluating and managing business risks.
The Board must ensure that there is a system in place for continuous risk management which extends from the front-line services through to the Board. This involves having a framework of prudent and effective controls in place to enable risks to be identified, assessed and managed. The Board itself should regularly review key business risks affecting the organisation.