At present, many, perhaps most boards outside the financial sector (where Risk Committees are now the norm) appear to delegate most risk matters to the Audit Committee. A minority of Audit Committee time seems to be dedicated to risk rather than audit matters. Reports suggest that risk is not a constant strand in board conversations but rather seen as something to be delegated as far as possible and looked at once or twice per year.
A series of recent rulings from the Financial Reporting Council make this approach outdated and untenable.
The FRC's recent Guidance on the Strategic Report requires boards to report annually on ‘Principal Risks’ whether they have their origins in “strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control”. The board’s description of Principal Risks should be “sufficiently specific that a shareholder can understand why they are important to the company”.
In going down this route, the FRC has applied the lessons from the post mortem on the banking crisis and research such as ‘Roads to Ruin’, the 2011 Cass Business School report for Airmic, which found that the root causes of most crises lie in human behaviour and in the way that organisations are led, structured and managed.
Because the field is relatively new, few risk professionals outside aviation or nuclear safety, let alone board members, have that know-how. Fewer have the authority or inclination to delve into these areas, which rapidly lead to the personal danger zone of dissecting leadership behaviour and decisions.
The latest FRC Guidance on Risk Management should overturn any reluctance by stating that board responsibilities for risk include:
“financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk, over which the board may have little or no direct control”.
The Risk Guidance goes on to state that the board should consider:
“whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness”.
Given that behavioural and organisational risks are not included in classical risk management schemes and that the root causes of reputational damage are not widely understood, this presents a series of problems for boards. They have to extend risk management systems to include behavioural and organisational risks wherever they are found in the firm; yet they, like their risk teams, lack knowledge of the field. And in our experience even board members can be reluctant to explore behavioural and organisational risks for fear of what they may find or whom they may upset.
So how should boards extend risk management systems to include management of behavioural and organisational risks and their reputational consequences?
Boards cannot expect to succeed until they have an adequate understanding of the subject. Board members cannot be criticised – yet – for an inadequate understanding of these risks. But the FRC’s suggestion that boards should evaluate their skills as to risk as part of the annual board evaluation process means that ignorance is rapidly ceasing to be an excuse.
Competent board evaluators will wish to ensure that sufficient board members have adequate skills across the whole range of “financial, operational, reputational, behavioural, organisational, third party risks”. Boards are expected to report and act on the results of board evaluation. Board deficiencies as to risk will have to be remedied rapidly, by education tailored to their needs. This will, in virtually all cases, include specialist education as to behavioural and organisational risks and their relation to reputational damage.
Thus educated, boards will be able to integrate risk into their discussions and decision-making. They can also make a good start on specifying how to extend the scope of their existing risk management system.
Long term delivery is a different matter. Boards will have to develop their risk team’s competence so that it includes behavioural and organisational risks and their reputational consequences. Few risk professionals yet have adequate knowledge, skill and/or aptitude in the field. Careful recruitment and education are likely to be needed.
However, having a competent risk team is not sufficient. As the Risk Guidance makes clear, boards should ensure that both they and their risk teams have the:
“authority and support to enable [them] to assess the risks the company faces and exercise [their] responsibilities effectively”.
Only Chairmen can ensure that board members and risk teams can explore and report on these risk areas without fear that they are putting their careers at risk. Culture may have to change.
The risk management profession has been highly successful in dealing with whole families of risk, to the great benefit of their companies and of society in general.
Tackling behavioural and organisational risks is a new frontier. But with support from Chairmen and Chief Executives, there is no reason to suppose that this family of risks cannot also be tamed. On the contrary, both the transformation of aviation safety over recent decades and our own research and experience show that success can be achieved, and how.