About Me

This blog carries a series of posts and articles, mostly written by Anthony Fitzsimmons under the aegis of Reputability LLP, a business that is no longer trading as such. Anthony is a thought leader in reputational risk and its root causes, behavioural, organisational and leadership risk. His book 'Rethinking Reputational Risk' was widely acclaimed. Led by Anthony, Reputability helped business leaders to find, understand and deal with these widespread but hidden risks that regularly cause reputational disasters. You can contact Anthony via the contact form.

Sunday 21 September 2014

Risk Governance for Boards


The boards of publicly quoted companies face a step change in their approach to risk management.

At present, many, perhaps most, boards outside the financial sector (where Risk Committees are now the norm) appear to delegate most risk matters to the Audit Committee. A minority, often a small minority, of Audit Committee time seems to be dedicated to risk rather than audit matters. Reports suggest that risk is not a constant strand in board conversations but is rather seen as something to be delegated as far as possible and looked at once or twice per year.

A series of recent rulings from the Financial Reporting Council make this approach untenable.

Recent FRC Guidance on the Strategic Report requires boards to report annually on ‘Principal Risks’ whether they have their origins in “strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control”. The board’s description of Principal Risks should be “sufficiently specific that a shareholder can understand why they are important to the company”. A ‘Principal Risk’ is “a risk or combination of risks that can seriously affect the performance, future prospects or reputation of the entity”.

In going down this route, the FRC has applied the lessons from the post-mortem on the banking crisis and from ‘Roads to Ruin’, the 2011 Cass Business School report for Airmic, which found that the root causes of most crises lie in human behaviour and in the way that organisations are led, structured and managed.

Because the field is relatively new, few risk professionals outside flight or nuclear safety, let alone board members, have that know-how. Fewer have the authority or inclination to delve into these areas, which rapidly lead to the personal danger zone of dissecting leadership behaviour and decisions.

The latest FRC Guidance on Risk Management trumps any reluctance by stating that board responsibilities for risk include:
“financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk, over which the board may have little or no direct control”.
The Risk Guidance goes on to state that the board should consider:
“whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness”.

Given that behavioural and organisational risks are outside classical risk management schemes and that the behavioural and organisational causes of reputational damage are not widely understood, this presents a series of problems for boards. They have to extend risk management systems to include behavioural and organisational risks wherever they are found in the firm; yet they, like their risk teams, lack knowledge of the field. And in our experience even senior board members can be reluctant to explore behavioural and organisational risks for fear of what they may find or whom they may upset.

How should boards extend risk management systems to include management of behavioural and organisational risks and their reputational consequences?

Boards cannot expect to succeed until they have an adequate understanding of the subject. Board members cannot be criticised – yet – for an inadequate understanding of these risks. But the FRC’s suggestion that boards should evaluate their skills as to risk as part of the annual board evaluation process means that ignorance is rapidly ceasing to be an excuse.

Competent board evaluators will wish to ensure that sufficient board members have adequate skills across the whole range of “financial, operational, reputational, behavioural, organisational, third party risks”. Boards are expected to report and act on the results of board evaluation. Board deficiencies as to risk will have to be remedied rapidly, by education tailored to their needs. This will, in virtually all cases, include education as to behavioural and organisational risks and their relation to reputational damage.

Thus educated, boards will be able to begin acting on the FRC’s encouragement to integrate risk seamlessly into their discussions and decision-making. They can also make a good start on specifying how to extend the scope of the risk management system.

Execution is a different matter. Boards will have to develop their risk team’s competence so that it includes behavioural and organisational risks and their reputational consequences. Few risk professionals yet have adequate knowledge, skill and/or aptitude in the field. Careful recruitment and education are likely to be needed.

Having a competent risk team is not sufficient. As the Risk Guidance makes clear, boards should ensure that both they and their risk teams have the:
“authority and support to enable [them] to assess the risks the company faces and exercise [their] responsibilities effectively”.
Only Chairmen can ensure that board members and risk teams can explore and report on these risk areas without fear that they are putting their careers at risk. Culture may have to change.

The risk management profession has been highly successful in taming whole families of risk, to the great benefit of their companies and of society in general.

Taming behavioural and organisational risks is a new frontier. With support from Chairmen and Chief Executives, there is no reason to suppose that this family of risks cannot also be tamed. On the contrary, both the transformation of flight safety over recent decades and our own experience show that – and how – success can be achieved.

Other risk issues emerge from the FRC's latest guidance and we shall write about them in the coming weeks. To make sure you don't miss out, please sign up to 'follow' our blog by email.


Anthony Fitzsimmons
Reputability LLP
London

Anthony Fitzsimmons is Chairman of Reputability LLP and, with the late Derek Atkins, author of “Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You”.

Wednesday 17 September 2014

New FRC Guidance for Boards on Risk

The boards of companies publicly quoted in the UK face a step change in their approach to risk management. A similar change for banks and insurers worldwide is imminent.

The change is long overdue. The recent financial and banking crises happened despite the labours of tens, probably hundreds of thousands of risk professionals. The episode probably reflects the largest ever failure of risk management and internal control by boards, risk managers, internal auditors and regulators. It was system-wide and it continues.

The same chasm in risk management, the failure systematically to find and deal with risks from people, affects virtually all organisations worldwide with few exceptions, notably pockets of activity in the aviation and nuclear sectors.

The New Regulatory Approach

A series of recent rulings from the Financial Reporting Council provides authoritative recognition that this approach is outdated and untenable. (Since this article was written, Andrew Bailey, then Chief Executive of the Bank of England's Prudential Regulation Authority, put this robustly in his speech on 9 May 2016.)

The FRC's recent Guidance on the Strategic Report requires boards to report annually on ‘Principal Risks’ whether they have their origins in “strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control”. The board’s description of Principal Risks should be “sufficiently specific that a shareholder can understand why they are important to the company”.

In going down this route, the FRC has applied the lessons from the post mortem on the banking crisis and research such as ‘Roads to Ruin’, the 2011 Cass Business School report for Airmic, which found that the root causes of most crises lie in human behaviour and in the way that organisations are led, structured and managed.

Because the field is relatively new, few risk professionals outside aviation or nuclear safety, let alone board members, have that know-how. Fewer have the authority or inclination to delve into these areas, which rapidly lead to the personal danger zone of dissecting leadership behaviour and decisions.

The latest FRC Guidance on Risk Management should overturn any reluctance by stating that board responsibilities for risk include:
“financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk, over which the board may have little or no direct control”.
The Risk Guidance goes on to state that the board should consider:
“whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness”.
The FRC recommends that the board should:
"satisfy itself that [its] sources of assurance [on risk] have sufficient authority, independence and expertise to enable them to provide objective information and advice to the board."
(Since this was originally written, the Basel Committee on Banking Supervision has issued draft guidelines that point in a similar direction.)

Given that behavioural and organisational risks are not included in classical risk management schemes and that the root causes of reputational damage are not widely understood, this presents a series of problems for boards. They have to extend risk management systems to include behavioural and organisational risks wherever they are found in the firm; yet they, like their risk teams, lack knowledge of the field. And in our experience even board members can be reluctant to explore behavioural and organisational risks for fear of what they may find or whom they may upset.

So how should boards extend risk management systems to include management of behavioural and organisational risks and their reputational consequences?

Boards cannot expect to succeed until they have an adequate understanding of the subject. Board members cannot be criticised – yet – for an inadequate understanding of these risks. But the FRC’s suggestion that boards should evaluate their skills as to risk as part of the annual board evaluation process means that ignorance is rapidly ceasing to be an excuse.

Competent board evaluators will wish to ensure that sufficient board members have adequate skills across the whole range of “financial, operational, reputational, behavioural, organisational, third party risks”. Boards are expected to report and act on the results of board evaluation. Board deficiencies as to risk will have to be remedied rapidly, by education tailored to their needs. This will, in virtually all cases, include specialist education as to behavioural and organisational risks and their relation to reputational damage.

Thus educated, boards will be able to integrate risk into their discussions and decision-making. They can also make a good start on specifying how to extend the scope of their existing risk management system.

Long term delivery is a different matter. Boards will have to develop their risk team’s competence so that it includes behavioural and organisational risks and their reputational consequences. Few risk professionals yet have adequate knowledge, skill and/or aptitude in the field. Careful recruitment and education are likely to be needed.

However, having a competent risk team is not sufficient. As the Risk Guidance makes clear, boards should ensure that both they and their risk teams have the:
“authority and support to enable [them] to assess the risks the company faces and exercise [their] responsibilities effectively”.
Only Chairmen and Chief Executives can ensure that board members and risk teams can explore and report on these risk areas without fear that they are putting their careers at risk. Culture may have to change.

Practicalities: Tackling Behavioural and Organisational Risks

Tackling behavioural and organisational risks is a new frontier. Self-assessments are not the answer because cognitive biases and behavioural and organisational risks prevent companies, their risk teams and their boards from seeing what outsiders can see.

The first step is to explain these unrecognised but destructive risks to boards and alert them to the dangers of cognitive biases. Tailored board education will achieve both.

The second step is to provide boards with a tool to find and deal with these risks. Our boardroom tool, ‘Board Vulnerability Evaluation’, is designed to help boards to find and tackle these risks in a way that minimises the effects of cognitive biases. Its cousin, ‘Corporate Vulnerability Evaluation’, helps risk teams to find these risks elsewhere in the organisation. Both kinds of evaluation are designed to help our clients to prioritise and deal with issues identified before they cause harm.

The risk management profession has been highly successful in dealing with whole families of risk, to the great benefit of their companies and of society in general.

With support from Chairmen and Chief Executives, there is no reason to suppose that this family of risks cannot be tamed and its management made routine. On the contrary, both the transformation of aviation safety over recent decades and our own research and experience show that – and how – success can be achieved.

You can read about the FRC's 2017 Guidance on Board Effectiveness here.

Should you wish for an external board evaluation focused on helping your board to see and avoid the fundamental pitfalls that regularly fell well-respected companies, please get in touch.

Note:

Since this blog was first published, we have written "Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You". This provides a comprehensive explanation of reputational risks and their behavioural and organisational risk drivers, eight case studies and an introduction to how to deal with them.




Anthony Fitzsimmons
Reputability LLP
London
www.reputability.co.uk