“Handle them carefully, for words have more power than atom bombs.”
Pearl Strachan Hurd
Words, more powerful than an atom bomb? Words are risky. We must think about our words carefully! Risk is the possibility that something bad will happen. In Policy Governance® is it the Board of Directors’ or the CEO’s role to manage risk? The correct answer is that both have a role, but it starts at the Board with the governance of risk through the use of policies.
The Board’s “leadership through explicit policies offers the opportunity to think big and to lead others…Policy leadership clarifies, inspires, and sets a tone… Because policies merely represent our values or perspectives, written or unwritten, they can be revealed in every event that occurs in an organization.”1 Defining risk as the potential of loss or harm, the Board must write policies that protect the organization. The Board must be prudent, not only in thinking of the actual risks facing the organization, but in how it expresses its expectations about the management of those risks in words.
In Policy Governance it becomes the CEO’s responsibility to make a reasonable interpretation of the Board’s words as written in policy. It’s important that the CEO manages risk by thinking carefully through all components of monitoring. Does the CEO have to do this alone? No, the CEO can use whatever resources are appropriate, including other staff, to arrive at “an interpretation of the policies…shown to be reasonable. The CEO then assigns the accomplishment of parts of the task to various staff…as the time for monitoring approaches, the CEO sees to it that credible data are gathered to present to the Board.”2
Developing monitoring reports is a complex task for staff. As the first set of monitoring reports are developed, you may witness the wringing of hands and the gnashing of teeth! Why? To ensure appropriate management of risk, the interpretation must address all criteria in the policy. The interpretation of each policy item (the board’s words) includes a measurable, operational definition of what will demonstrate compliance and rationale as to why the interpretation (the CEO’s words) is reasonable. Metrics must be specific, independent, and repeatable by someone else. Then the report must provide evidence of compliance with that reasonable interpretation of each item. Since the CEO is likely not doing all the work on the reports but does sign a statement attesting to the completeness and veracity of the information, there had better be accurate evidence of compliance. If not, that could be a source of risk for the staff to whom the work was delegated!
Each of these steps – the governance of risk through well-crafted board policy, the identification of what that actually means in measurable terms for management of risk, and the written, verifiable evidence that risk management has actually occurred – involves the use of words. Carefully crafted words, followed through, have the power to mitigate the risks faced by an organization.
1John Carver, (2006, p. 41, 59). Boards That Make A Difference, third edition. San Francisco: Jossey Bass. 2 Carver, p. 179.