At present, many, perhaps most boards outside the financial sector (where Risk Committees are now the norm) appear to delegate most risk matters to the Audit Committee. A minority, often a small minority of Audit Committee time seems to be dedicated to risk rather than audit matters. Reports suggest that risk is not a constant strand in board conversations but rather seen as something to be delegated as far as possible and looked at once or twice per year.
A series of recent rulings from the Financial Reporting Council make this approach untenable.
Recent FRC Guidance on the Strategic Report requires boards to report annually on ‘Principal Risks’ whether they have their origins in “strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control”. The board’s description of Principal Risks should be “sufficiently specific that a shareholder can understand why they are important to the company”. A ‘Principal Risk’ is “a risk or combination of risks that can seriously affect the performance, future prospects or reputation of the entity”.
In going down this route, the FRC has applied the lessons from the post mortem on the banking crisis and ‘Roads to Ruin’, the 2011 Cass Business School report for Airmic, that the root causes of most crises lie in human behaviour and in the way that organisations are led, structured and managed.
Because the field is relatively new, few risk professionals outside flight or nuclear safety, let alone board members, have that know-how, though a few Chief Risk Officers in the insurance sector have begun to grapple with the subject. Fewer have the authority or inclination to delve into these areas, which rapidly lead to the personal danger zone of dissecting leadership behaviour and decisions.
The latest FRC Guidance on Risk Management trumps any reluctance by stating that board responsibilities for risk include:
“financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk, over which the board may have little or no direct control”.
The Risk Guidance goes on to state that the board should consider:
“whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness”.
Given that behavioural and organisational risks are outside classical risk management schemes and that the behavioural and organisational causes of reputational damage are not widely understood, this presents a series of problems for boards. They have to extend risk management systems to include behavioural and organisational risks wherever they are found in the firm; yet they lack knowledge of the field, as do their risk teams. And in our experience even senior board members can be reluctant to explore behavioural and organisational risks for fear of what they may find or whom they may upset.
How should boards extend risk management systems to include management of behavioural and organisational risks and their reputational consequences?
Boards cannot expect to succeed until they have an adequate understanding of the subject. Board members cannot be criticised – yet – for an inadequate understanding of these risks. But the FRC’s suggestion that boards should evaluate their skills as to risk as part of the annual board evaluation process means that ignorance is rapidly ceasing to be an excuse.
Competent board evaluators will wish to ensure that sufficient board members have adequate skills across the whole range of “financial, operational, reputational, behavioural, organisational, third party risks”. Boards are expected to report and act on the results of board evaluation. Board deficiencies as to risk will have to be remedied rapidly, by education tailored to their needs. This will, in virtually all cases, include education as to behavioural and organisational risks and their relation to reputational damage.
Thus educated, boards will be able to begin acting on the FRC’s exhortation seamlessly to integrate risk into their discussions and decision-making, including on changes in strategy and new projects. They can also make a good start on specifying how to extend the scope of the risk management system.
Execution is a different matter. Boards will have to develop their risk team’s competence so that it includes behavioural and organisational risks and their reputational consequences. Few risk professionals yet have adequate knowledge, skill and/or aptitude in the field. Careful recruitment and education are likely to be needed.
Having a competent risk team is not sufficient. As the Risk Guidance makes clear, boards should ensure that both they and their risk teams have the:
“authority and support to enable [them] to assess the risks the company faces and exercise [their] responsibilities effectively”.
Only Chairmen can ensure that board members and risk teams can explore and report on these risk areas without fear that they are putting their careers at risk. Culture may have to change.
The risk management profession has been highly successful in taming whole families of risk, to the great benefit of their companies and of society in general.
Taming behavioural and organisational risks is a new frontier. With support from Chairmen and Chief Executives, there is no reason to suppose that this family of risks cannot also be tamed. On the contrary, both the transformation of flight safety over recent decades and our own experience show that – and how – success can be achieved.
Other risk issues emerge from the FRC's latest guidance and we shall write about them in the coming weeks. To make sure you don't miss out, please sign up to 'follow' our blog by email.