How to Brief Your Board on Critical Risk: A Practical Guide

How to brief your board on critical risk – and why most H&S presentations miss the mark

Key takeaway: There’s a difference between reporting and briefing. Reporting tells the board what happened. Briefing shapes how the board thinks. Given the direction of officer liability in New Zealand, the ability to brief a board well on critical risk is becoming one of the most valuable things an H&S professional can do.

Most H&S leads are good at reporting. They’re less often given the tools to brief – and the difference matters more than it might seem.

While reporting tells the board what happened, briefing shapes how the board thinks. A good H&S report summarises incidents, near-misses, and audit findings from the past quarter. A good H&S brief changes the questions the board asks, the information they demand, and the standard they hold the organisation to. One is backwards-looking and descriptive; the other is forward-looking and diagnostic.

Given where health and safety governance is heading in New Zealand – with the Port of Auckland conviction setting a new precedent for officer liability and the Health and Safety at Work Amendment Bill about to redefine what due diligence requires – the ability to brief a board well on critical risk is becoming one of the more consequential skills an H&S professional can develop.

Here’s a framework for doing it.

Start with the governance frame, not the H&S frame

The single most common mistake in board H&S presentations is framing the content through an H&S lens when the board’s primary concern is a governance one.

Boards aren’t ultimately responsible for H&S in the way an H&S manager is. They’re responsible for ensuring the organisation has the systems, oversight, and information flows to manage H&S effectively – and for exercising due diligence over the critical risks that could result in serious harm. That’s a governance question, and it calls for a different kind of presentation than a monthly H&S update.

When you walk into a board meeting, the most useful reframe you can make is this: you’re not there to tell them how H&S is going. You’re there to help them exercise their due diligence obligations. That shift in framing changes what you present, how you present it, and – importantly – what you ask the board to do with it.

Lead with critical risks, not incident counts

Incident rates and near-miss numbers have their place, but they’re a poor foundation for a board conversation about critical risk. They measure what went wrong and was reported – they don’t tell the board whether the controls that are supposed to prevent the most serious harm are actually working.

A board brief focused on critical risk governance should lead with the critical risks themselves: what they are, what controls are in place to manage them, and – most importantly – what evidence exists that those controls are functioning. That last part is what most H&S presentations skip, because it’s the hardest to answer. But it’s the question that the current legal environment requires boards to be able to answer, and your job is to give them what they need to do that.

Critical risk board brief: a structure that works

• These are our identified critical risks – defined against the incoming statutory definition where applicable, and specific enough to be meaningful rather than generic categories
• These are the controls we rely on to manage them – the specific, named controls for each risk, not a general description of the management system
• This is how we verify those controls are working – the verification process, its frequency, and who’s responsible
• This is what we currently know – the actual verified status of each control, including any gaps or deviations identified since the last board meeting

That last point is where most organisations have the least to say – and where the most governance value is created when you can say something meaningful.

Make the distinction between documentation and verification explicit

Boards often don’t know that there’s a difference between a control being documented and a control being verified. It’s worth naming it directly, because once they understand it, they’ll start asking better questions on their own.

A useful way to introduce it: “Our management system tells us what our critical controls are supposed to look like. What I want to show you today is what we know about how they’re actually functioning.” That framing signals that you’re operating at a higher standard than documentation-based reporting, and it sets up the verification evidence that follows as meaningful rather than routine.

It also gives the board a mental model they can apply themselves. Once directors understand the documentation/verification distinction, they’re more likely to probe the right things – asking not just “do we have a control for that?” but “how do we know it’s working?”

Questions to seed at your next board meeting

A well-structured board brief doesn’t just inform – it shapes the conversation that follows. If you want the board to engage seriously with critical risk governance, it helps to seed the questions that will get them there.

A few that tend to unlock productive conversations:

• “If one of our critical controls failed today, how quickly would we know?”
• “What does ‘work as done’ look like for our highest-risk operations – and how confident are we that it matches ‘work as planned’?”
• “Are there risks in our contractor supply chain that we don’t currently have verified visibility into?”
• “What would it take for us to have continuous, rather than periodic, confidence in the status of our critical controls?”

These aren’t rhetorical. They’re questions that the current legal environment – and basic good governance – requires boards to be able to answer. Your role is to surface them in a way that leads to genuine engagement rather than a checkbox exercise.

Be honest about the gaps

The instinct in most board presentations is to present a picture that’s as reassuring as possible. That instinct is understandable, but it’s also the instinct that gets organisations into trouble – like in the Port of Auckland case. Gibson was aware of gaps – he’d seen the audit findings and the critical risk reports that flagged under-reporting. The problem wasn’t that the gaps existed; it was that they weren’t translated into action.

A board that’s genuinely exercising due diligence needs to know where the gaps are. Not to assign blame, but because identifying a gap and taking steps to address it is exactly what due diligence looks like. If you’re aware of controls that aren’t being adequately verified, risks in the supply chain that aren’t currently visible, or reporting systems that may not be capturing the full picture – that’s the information your board needs most, and it’s the information that’s most often left out of presentations designed to reassure rather than inform.

The brief that changes the conversation

The goal of a good critical risk brief isn’t to get through the agenda item without difficult questions. It’s to leave the board with a clearer, more accurate picture of the organisation’s real risk exposure – and with the right questions on their minds for next time.

That means leading with what matters most, being specific about what’s verified versus what’s assumed, naming the gaps honestly, and giving the board the framing they need to ask better questions on their own. Done well, it’s not just a governance exercise. It’s how H&S leads build the kind of board engagement that makes a real difference to how critical risk is managed.

Critter is built by IMPAC – 27 years of health and safety expertise, purpose-built for the critical risk governance challenge. Learn more about IMPAC.