9 risk management best practices for directors

Complex, fast-moving threats to organisations can hit at any time.

Disruptions ranging from competitors, to cyber-attacks, to devastating economic fluctuations can strike from outside, and there is no shortage of internal troubles, whether the act of a rogue employee, a health and safety incident or a toxic culture, that can also cause major reputational damage to your brand. Take the scandals at Volkswagen, BP and Teva, as well as the many #MeToo incidents of sexual harassment.

Any company can be implicated. No company can ever be completely immune. 

Increasing regulatory scrutiny combined with heightened expectations for ISO standards has put the roles and responsibilities of leadership in the spotlight.

Directors are more accountable than ever.

However, following anonymous online surveys of over 400 quality professionals, a key theme remains: leadership is still not doing enough to address risk in their organisations.

It is hardly surprising.

Even for the most gifted directors, the process of managing risk is an arduous journey of continuous learning and self-development.

We asked newly appointed Compliance Director at Qualsys, Kate Armitage, to share risk management best practices for directors. 


1. Make risk part of your culture.

Most directors are taking responsible efforts towards a sustainable, ethical and quality-first culture.

But risk management is too often treated as a compliance issue which can be solved by writing lots of rules and making sure employees follow them. 

Risk needs to be a collaborative, ongoing process. 

Your role is to ensure that risk policies are effectively documented and available to those who need to read and review them, and that there is also a process to ensure risk is treated and peer reviewed at a strategic, tactical and operational level.


2. Know your Achilles heel.

Effective organisational risk management is multi-dimensional. It’s a science and an art. It relies on both an individual and a collective team.

But humans have a tendency to overestimate our abilities and underestimate what can go wrong.

All the heroes throughout time - Achilles, Agamemnon, Xerxes - died because they did not address their weaknesses.

The same is true in business. Any business that doesn’t recognise its Achilles heel is fated to die because of it.

Know your weaknesses and vulnerabilities, and ensure they are properly treated.

3. Get formal risk training.

When Tony Hayward became CEO of BP, in 2007, he vowed to focus on safety “like a laser.”

Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving.

Several years later, the Deepwater Horizon oil rig exploded in the Gulf of Mexico, causing one of the worst man-made disasters in history.

The investigators attributed the disaster to management failures that crippled “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.”

Many directors are promoted to significant roles of responsibility, authority and power without formal training and qualifications in risk management.

Here are two formal risk management training course examples for Directors: 


4. Spend a day a month with your customer.

As Directors climb up the organisation, they naturally become more distant from customers and more reliant on the information shared from others.

There’s an issue in many organisations where only the good news is reported to senior management teams, which causes ongoing disconnect, conflict and frustration among all employees.

As a director, you rely on constant communication between you and your quality, sales, marketing, support and services staff to feed information to detect risks.

What are customers telling you? What are prospective customers telling you? What is your reputation? Does that align with your positioning statement, values and plans for the organisation?

Spend at least a day a month with a customer or customers you don’t usually talk with. They’ll be a source of ideas and inspiration and will also help you to understand your vulnerabilities.



5. Collect data.

Most directors are expected to be strategic problem solvers. They are measured by their ideas. And there is a resource battle between directors for innovation projects. This drive to change and deliver transformation is rarely backed up with holistic risk management.

What most boards are missing is the data and the information they need to drive strategic decision making. Growth strategies are based on inklings and ideas, but are backed by little evidence.

Use data for a risk based approach

Schlumberger discovered motor vehicle-related accidents were the number one cause of employee fatalities worldwide, so it launched a multi-pronged initiative to address the problem that included a driver education program and a trip management system to monitor routes, driver fatigue, and more. 

At the root of this program is a fundamental corporate commitment to the company’s health, safety, and environment (HSE) function as a core differentiating competency. 

In many organisations, HSE is managed by a team and it’s seen as solely their responsibility. However, directors need to have the data to be able to apply a risk based approach to health and safety, environment, quality, and information security initiatives. 



6. Get a system to manage communications. 

Strong back office processes are one of the key drivers and empowerment tools for front of house staff. The result? An efficient and aligned business.

Many businesses just expect good communication and employee empowerment to happen if they say it.

However, without the right systems and tools, employees are held back by assumptions, broken processes and information silos. 

Your employees, in particular your internal auditors, are the eyes and ears of senior management.

The best company cultures identify and manage risk on a continual basis. By collecting issues, incidents, complaints and ideas through simple forms, this data can be automatically fed back to management for analysis.

Engineer collaborative processes which collect both tangible and intangible data from employees across the business.


7. Communicate more 

Make the mantra “If in doubt, put it out” something which employees, even the directors, across the organisation live by.

When in doubt whether or not to communicate something to the rest of the business – always apply the principle that you should communicate more, rather than less.



8. Promote a safe and open working environment

Maintaining a "toxic" workplace leads to unhappiness, dishonesty, and ultimately a potentially consequential scandal. Take the Uber and Wells Fargo scandals as examples. At Uber, a former engineer wrote a letter alleging blatant sexism and aggression in Uber's workplace. At Wells Fargo, employees opened millions of fake accounts due to unrealistic sales targets set by leadership.

Monitor employees. Keep your eyes open, your ears open and follow your nose. If something's not right, take action to correct it. 

Here are a few ideas:

  • Monitor company culture using surveys
  • Talk to staff, suppliers and customers
  • Read online reviews / feedback about your company

9. Make a challenger mindset the norm

Netflix, Hubspot, Monzo – all these challenger brands have disrupted industries. Each has a company culture which focuses on diversity and employee empowerment. 

Challenger brands ask and then answer what they do better than everyone else.

How to do this?

A bold vision coupled with a commitment to embrace a unique and authentic difference is key to motivating employees. Identify your North Star metric and establish your distinct positioning. Risks to your North Star metric can then be evaluated as and when they arise.



What to do now: 

a) Risk management software - Watch webinar

Normalising risk and making it part of the business DNA starts with having the right tools. EQMS is an integrated risk management solution which empowers you to make risk everyone's responsibility and turn risks into opportunities for improvement.

Watch our risk management software webinar here: 


b) Risk management workshop - online training materials

Qualsys hosts monthly workshops across the UK to give you training and skills to make governance, risk and compliance part of your company culture. 

To access the materials from our integrated risk management workshop, access 

Access the risk workshop materials free here:


