About Me

Reputability LLP are pioneers and leaders in the field of behavioural risk and organisational risk. We help business leaders to find the widespread but hidden behavioural and organisational risks that regularly cause reputational disasters. We also teach leaders and risk teams about these risks. Here are our thoughts, and the thoughts of our guest bloggers, on some recent stories which have captured our attention. We are always interested to know what you think too.

Thursday, 2 October 2014

FRC makes pay a risk issue

One of the big behavioural risk issues that emerged from the recent banking crisis was the role played by incentives.  This has taxed many minds since, including the UK's Parliamentary Commission on Banking, Professor John Kay, the Cass Business School team that researched 'Roads to Ruin' for Airmic, a variety of financial and corporate regulators and, most recently, the International Monetary Fund.

The Financial Reporting Council, which regulates most UK listed companies, has made executive pay a risk issue.  Part of its recent focus on behavioural and organisational risk more generally, this specific measure is a significant and beneficial change of emphasis because it creates a feedback loop within the company as to the effect of remuneration systems on the risk profile and longevity of the company.

The 2014 Corporate Governance Code ("CGC") now states that executive directors' remuneration should be designed to
"promote the long term success of the company."
This is a change from the 2012 version which provided that it should be designed to "attract, retain and motivate directors of the quality required to run the company successfully".

Having reminded non-executive directors of the conflicts of interest inherent in taking views on pay from executive directors and senior managers, the CGC focuses on the design of performance related pay.

Reflecting the recommendations of Professor John Kay's Review of Equity Markets, the CGC recommends that:
  • Remuneration schemes should allow for claw-back of amounts already paid and for withholding payments in appropriate circumstances;
  • Remuneration incentives should be compatible with risk policies and systems;
  • Remuneration committees should consider requiring directors to hold a minimum number of shares and to hold shares for a further period after vesting or exercise of options, including for a period after leaving the company.

This new emphasis is echoed in the FRC's 2014 Guidance on Risk Management, which encourages boards to consider whether the company's human resource policies and performance reward systems support the business objectives and the risk management system.

This approach accords with evolving best practice, but assessing the risk consequences of remuneration systems is not straightforward.  As a minimum we suggest that some basic current research findings should be part of the repertoire of both Remuneration Committees and Remuneration Consultants.

The research can be simplified to three propositions.
  1. For performance that involves thinking skills as opposed to dexterity, small incentives produce better performance; but performance deteriorates as incentives grow.
  2. Recent IMF research suggests that incentives that produce risk awareness and avoidance when the company is successful and solvent may produce the opposite effect when the company is in difficulties approaching insolvency.
  3. The IMF research also suggests that caps on incentives may increase risk - cautiously supporting the position taken by the Prudential Regulation Authority criticising the European Union's bonus caps.
Remuneration committees face a period of change that must be accompanied by learning.

Boards are now expected to gain general expertise as regards behavioural and organisational risks.  But the FRC's Guidance on Risk also makes it clear that they should not rely unquestioningly on advice from consultants.  They should test consultants' competence - or acquire the competence themselves.  This note should provide boards with at least some assistance when assessing remuneration consultants.

Postscript 13 October 2014:  The Basel Committee on Banking Supervision proposes adopting a similar position.  Watch out for our forthcoming post.

Anthony Fitzsimmons
Reputability LLP

Wednesday, 17 September 2014

New FRC Guidelines for Boards on Risk

The boards of companies publicly quoted in the UK face a step change in their approach to risk management.  A similar change for banks worldwide is imminent.

At present, many, perhaps most boards outside the financial sector (where Risk Committees are now the norm) appear to delegate most risk matters to the Audit Committee. A minority of Audit Committee time seems to be dedicated to risk rather than audit matters. Reports suggest that risk is not a constant strand in board conversations but rather seen as something to be delegated as far as possible and looked at once or twice per year.

A series of recent rulings from the Financial Reporting Council make this approach outdated and untenable.

The FRC's recent Guidance on the Strategic Report requires boards to report annually on ‘Principal Risks’ whether they have their origins in “strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control”. The board’s description of Principal Risks should be “sufficiently specific that a shareholder can understand why they are important to the company”.

In going down this route, the FRC has applied the lessons from the post mortem on the banking crisis and research such as ‘Roads to Ruin’, the 2011 Cass Business School report for Airmic, which found that the root causes of most crises lie in human behaviour and in the way that organisations are led, structured and managed.

Because the field is relatively new, few risk professionals outside aviation or nuclear safety, let alone board members, have that know-how. Fewer have the authority or inclination to delve into these areas, which rapidly lead to the personal danger zone of dissecting leadership behaviour and decisions.

The latest FRC Guidance on Risk Management should overturn any reluctance by stating that board responsibilities for risk include:
“financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk, over which the board may have little or no direct control”.
The Risk Guidance goes on to state that the board should consider:
“whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness”
The FRC recommends that the board should:
"satisfy itself that [its] sources of assurance [on risk] have sufficient authority, independence and expertise to enable them to provide objective information and advice to the board."
Since this was originally written, the Basel Committee on Banking Supervision has issued draft guidelines that point in a similar direction.

Given that behavioural and organisational risks are not included in classical risk management schemes and that the root causes of reputational damage are not widely understood, this presents a series of problems for boards. They have to extend risk management systems to include behavioural and organisational risks wherever they are found in the firm; yet they lack knowledge of the field, as do their risk teams. And in our experience even board members can be reluctant to explore behavioural and organisational risks for fear of what they may find or whom they may upset.

So how should boards extend risk management systems to include management of behavioural and organisational risks and their reputational consequences?

Boards cannot expect to succeed until they have an adequate understanding of the subject. Board members cannot be criticised – yet – for an inadequate understanding of these risks. But the FRC’s suggestion that boards should evaluate their skills as to risk as part of the annual board evaluation process means that ignorance is rapidly ceasing to be an excuse.

Competent board evaluators will wish to ensure that sufficient board members have adequate skills across the whole range of “financial, operational, reputational, behavioural, organisational, third party risks”. Boards are expected to report and act on the results of board evaluation. Board deficiencies as to risk will have to be remedied rapidly, by education tailored to their needs. This will, in virtually all cases, include specialist education as to behavioural and organisational risks and their relation to reputational damage.

Thus educated, boards will be able to integrate risk into their discussions and decision-making. They can also make a good start on specifying how to extend the scope of their existing risk management system.

Long term delivery is a different matter. Boards will have to develop their risk team’s competence so that it includes behavioural and organisational risks and their reputational consequences. Few risk professionals yet have adequate knowledge, skill and/or aptitude in the field. Careful recruitment and education are likely to be needed.

However, having a competent risk team is not sufficient. As the Risk Guidance makes clear, boards should ensure that both they and their risk teams have the:
“authority and support to enable [them] to assess the risks the company faces and exercise [their] responsibilities effectively”.
Only Chairmen and Chief Executives can ensure that board members and risk teams can explore and report on these risk areas without fear that they are putting their careers at risk. Culture may have to change.

The risk management profession has been highly successful in dealing with whole families of risk, to the great benefit of their companies and of society in general.

Tackling behavioural and organisational risks is a new frontier. But with support from Chairmen and Chief Executives, there is no reason to suppose that this family of risks cannot also be tamed and its management made routine. On the contrary, both the transformation of aviation safety over recent decades and our own research and experience show that – and how – success can be achieved.

Anthony Fitzsimmons
Reputability LLP

Monday, 4 August 2014

Reporting on Important Risks - Guidance for Chairmen and Boards

The Financial Reporting Council's latest guidance on the reporting of important risks has now been published.  In a nutshell, boards are required to report 'principal risks' that have their origins in 'behaviour or organisation', what we call behavioural and organisational risks.  This new recommendation effectively recognises our conclusion, that there is a hole in the 'Three Lines of Defence' doctrine that underlies most current risk analysis and reporting.

Behavioural and organisational risks are important causes of reputational damage and of many better-recognised risks. However, boards cannot properly report on 'principal risks' until they have systematically identified and evaluated both the range of behavioural and organisational risks at work in the company and the extent to which they may give rise to principal risks including reputational hazard.

We have written about the practical implications for boards, chairmen and company secretaries, for Governance, the authoritative publication on international corporate governance.

You can find our article here.

Anthony Fitzsimmons
Reputability LLP

Tuesday, 24 June 2014

Can the NHS embrace behavioural and organisational risk?

A year ago, Mike Bell wrote about the safety culture in civil aviation which has made flying so safe.  He wrote:
"There are two principal factors involved in aviation’s success: 

  • There is an independent regulator, with a clearly defined role, expert staff, accountable to parliament, and funded by those it regulates; and 
  • There is a culture of openness, with timely and honest reporting of all untoward occurrences whether or not they cause harm and widespread dissemination of the lessons to be learnt."
The UK's National Health Service ("NHS") now appears to be moving in that direction, with the Secretary of State, Jeremy Hunt, announcing "unprecedented hospital data release which aims to ensure NHS remains a world leader on safety" and a "new safety drive with ambition to save up to 6,000 lives and halve avoidable harm".

The move was prompted by the Report of Sir Robert Francis QC into the Mid-Staffordshire Hospital Trust debacle, with support from the Clinical Human Factors Group, which was founded by a commercial airline pilot following the death of his wife from a clinical accident.

The aviation sector has long recognised the crucial role of reducing behavioural and organisational risks - what the industry calls "Human factors".  The industry recognises that special measures have to be taken to ensure that all mistakes, including those without adverse consequences, are reported.  Only then can they be analysed to their real root causes and lessons learned and disseminated widely.

Such a system is intrinsically fragile because it takes very little for the supply of reports of mistakes to dry up.  People will not own up to their own mistakes if they suspect they may be treated unfairly.  They will not tell a superior that they may be making a mistake unless they are confident that their honest view will not be met with disdain or aggression.  They will not report what they believe are unacceptable practices if they fear retribution or if they think no action will be taken.  Fear of litigation or prosecution may drive mistakes underground.  And if hospital managers' body language gives the impression that they do not really want to learn about and from all mishaps, however minor in consequences, the system will also be undermined.

It is therefore important that Sir Robert is to chair the independent review into what further action is necessary to protect NHS workers who speak out in the public interest and help to create the kind of open culture that is needed to ensure safe care for patients.

The NHS should be congratulated on trying to move in the right direction in dealing with the behavioural and organisational risks that have bedevilled patient safety for decades.  But there remains much work to be done, and to be successful it will need a sea change in the attitudes of politicians as well as of those who run the NHS.

Anthony Fitzsimmons
Reputability LLP

Monday, 23 June 2014

Character, Trustworthiness and Incentives

Charlie Munger isn't as well known as Warren Buffett, but he is Vice Chairman at Berkshire Hathaway and, among other interests, a business philosopher.

A recent paper from the Rock Center for Corporate Governance collected Munger's ideas on corporate governance.  His thinking is worth summarising.

Munger starts from the premise that companies need a governance system because individuals working for a firm are inevitably self-interested and may therefore tend to act in their own interests rather than those of the firm.  To anyone with a background in behavioural risk that is a good place to start.

Having noted the current trend for ever more control systems, Munger rows in the opposite direction.  He advocates a governance system based on "a seamless web of deserved trust".  This requires recruitment for character, something that was also emphasised in 'Leadership on Trial', a research report from the Richard Ivey School of Business in Canada. 
"Good character is very efficient.  If you can trust people, your system can be way simpler.  There's enormous efficiency in good character and dis-efficiency in bad character."
But can you trust the people?  That, as Munger acknowledges, is a key question.  You can only rely on a trust-based system to the extent that you can rely on the people not to put their self-interest above the corporate interest.

Munger sees the lynchpin as a high calibre CEO who can be trusted to put his firm above himself.  As the researchers observe, the trust-based systems that Munger uses as his examples, such as Costco under James Sinegal, its founder and former CEO, are founder-led organisations.  This is an important observation.  Founders of integrity who understand the value of integrity have the power to recruit others of integrity.

Warren Buffett unsurprisingly has a similar approach to hiring CEOs.
“Somebody once said that in looking for people to hire, you look for three qualities: integrity, intelligence and energy. And if they don’t have the first, the other two will kill you. You think about it; it’s true. If you hire someone without integrity, you really want them to be dumb and lazy.”
A different basis for a trust-based system is recognised in a recent academic study of the community who trade at Lloyd's, the insurance market.  

Lloyd's is ultimately a community of people who, by and large, like the work they do, are proud to be working in Lloyd's and have much of their social life connected to Lloyd's.  Participants know that the long-term well-being of Lloyd's is vital to their future well-being, both financially and socially.  And they know that their own social position in Lloyd's depends on adhering to widely accepted standards of behaviour.  This state of affairs gives participants strong incentives to good behaviour and a strong self-interest in the future well-being of Lloyd's.  Munger would probably recognise that strongly aligning personal self-interest with the long-term interests of Lloyd's should encourage trustworthy behaviour towards Lloyd's within Lloyd's.  (Aficionados of Lloyd's structure will recognise that there is another axis, the relationship between individuals who trade at Lloyd's and their employers.)

Add recruitment for character, often at a young age, and a reinforced memory of near-death in the early 1990s and you have a powerful combination of history, culture and incentives that should help to keep behaviour within widely acceptable limits. 

But the world of companies that have emerged from their founders' aura onto competitive stock markets seems different.  CEOs are under many short-term pressures.   These are amplified by the 'Agency' issue and the fact that a CEO's expectancy of tenure is a small number of years.  It is much harder to remain a paragon under such conditions.

Anthony Fitzsimmons 
Reputability LLP

Wednesday, 11 June 2014

New FRC Guidance on Reporting Behavioural and Organisational Risks

On 9 June 2014 the Financial Reporting Council published new guidance as to boards' reporting important behavioural, organisational and reputational risks in the annual Strategy Report of companies it regulates.  The guidance effectively comes into force immediately.  You can find background here.

The FRC's "Guidance on the Strategic Report" ("the Guidance") provides:
"The Strategic Report should include a description of the principal risks and uncertainties facing the entity together with an explanation of how they are managed or mitigated."
This explicitly includes risks with their origins in behaviour and organisation and risks to reputation.


The 'principal risks' which boards should now disclose and describe are defined to include risks and risk combinations that could seriously affect the performance, future prospects, reputation or business model of the entity.  Boards should disclose principal risks with their origins in various sources including behaviour or organisation.  This ruling encourages boards to fix the gap in current risk analysis practice that leaves behavioural and organisational risks unrecognised and therefore unmanaged.

It follows that boards should disclose and describe behavioural and organisational risks that could cause serious reputational or other damage were they to materialise as well as how those risks are mitigated.  Descriptions should be sufficiently specific that a shareholder can understand their potential impact and any mitigation applied.

Current analytical approaches identify some reputational risks but the most widely used are unsystematic and miss important areas of reputational risk.  There are no widely used techniques to identify behavioural and organisational risks.  Few even endeavour systematically to identify the reputational and other consequences of behavioural and organisational risks.  These gaps must be filled if boards are to be able to follow this FRC guidance.

Given that specific guidance on reporting such risks has been given, there may be legal consequences for boards that report inadequately.  We would hope that courts will in practice allow boards a reasonable period of grace to bring behavioural, organisational and reputational risks under systematic management.

Since the FRC's revised draft guidance to boards on risk, including behavioural and organisational risks, is already available, we believe that boards should start work in this area without delay.

Action for Chairmen and Company Secretaries

Boards cannot report on these risks until they have systematically identified and evaluated behavioural, organisational and reputational risks. 

However, boards cannot insightfully specify the work they require to be done, let alone monitor its progress and consider its conclusions or report on 'principal risks', unless they understand the recently identified family of behavioural and organisational risks.

This is an exceptionally acute problem.  One of the findings of 'Roads to Ruin' was that even classically trained risk professionals lack both the necessary skills and the authority needed to find risks of these kinds.  The most astute Chief Risk Officers are starting to tackle the issue, but many face difficulties in engaging their boards and gaining their authority.  Some also see personal risks in raising the subject with their boards because many of these risks have their root cause at board level.  This confirms the conclusion in 'Roads to Ruin' that board leadership is essential to bringing this family of risks under control within organisations.

How can boards gain adequate knowledge to understand and deal with these newly recognised risks?  The first step is for Chairmen and Company Secretaries to commission tailored board education about behavioural and organisational risks and their relationship with reputational damage.

Armed with that education, boards can re-brief and empower their risk and internal audit teams.  The aim will be to put boards into a position where they can meet both the guidance on risk disclosure and the forthcoming FRC guidance on the management of behavioural and organisational risks.

Boards that initiate prompt action should have little difficulty in meeting the new guidance.

Anthony Fitzsimmons
Reputability LLP

Saturday, 7 June 2014

Dysfunction at the heart of government?

Giles Wilkes spent four years as a Special Adviser in Vince Cable's Department for Business, Innovation and Skills.  He has written about his experience rather as the proverbial Martian might report on a visit to Planet Earth.

He makes five dispiriting observations.
  • There is 'no such thing as HM Government'; it is a 'ship without a bridge', let alone a captain.  He sees the Government as consisting of about 20 departments each fighting for its own agenda, each led by a politician who was selected for his success in internecine strife.  The result is a silent kind of dysfunctionality characterised not by open argument but by the sullen silence so characteristic of teenage boys.
  • Ministerial Private Secretaries are debonair, politically savvy fixers, the best of whom breezily fudge discord so that it gains the appearance of agreement.
  • Politicians - and perhaps Civil Service leaders, Wilkes is unclear here - usually start ignorant, gaining their knowledge of important subjects from lobbyists.  This is a dangerous way to make policy.  A little learning is a dangerous basis for policymaking especially if its source is a combination of dogma and one or more propagandists, or lobbyists as Wilkes politely calls them.
  • The Treasury has abolished the use of money as a store of value or as a unit of exchange.  Thus unspent money cannot be saved for use next year but disappears at the end of the financial year unless spent.  And money assigned to one department for one purpose cannot be used for another purpose, let alone used by another department who might achieve that purpose better.  This creates bizarre incentives.
  • The heart of government regularly trades policy in a way for which others, such as the American Congress, Senate and White House, are often despised.  Mr Wilkes proudly records having traded a regulatory issue about taxis for an unrelated benefit concerning oil from the tar sands of Alberta.
Through 'Roads to Ruin', the Cass Business School report for Airmic and our extension of that research, 'Deconstructing failure', we have identified a series of behavioural and organisational risks that apply to all organisations run by humans, but our sample consisted in the main of commercial organisations.  How do these apply to Government?

If Mr Wilkes' observation of his time in Government is a fair view, we can see many of these potentially catastrophic risks manifested in his snapshot, for example risks from:-
  • A lack of effective overall leadership
  • A complex and ungoverned structure with a lack of join-up across the whole
  • Incentives that drive perverse, potentially dangerous or wasteful behaviour
  • A lack of critical skills and knowledge among leaders who need them
  • A culture of internecine strife that stifles internal communication and learning from mistakes
  • A series of dominant leaders whose characters and behaviour discourage co-operation
  • The consequent dysfunctionality
  • Blindness to the risks inherent in such a system, such as the risks from selective briefing by protagonists as opposed to systematic education by disinterested professionals and many more
Unfortunately, risks such as these remain unrecognised, let alone managed, in the Civil Service.  This is made worse because the Civil Service resolutely resists revising its bible on risk management, the Orange Book, to take account of the recently recognised class of 'behavioural' and 'organisational' risks.

And as 'The Blunders of our Governments' by Professors King and Crewe so dismally illustrates, these potentially lethal risks regularly materialise to lose huge amounts of taxpayers' money.

Anthony Fitzsimmons
Reputability LLP