Does Your Board Have an Effective Approach to Risk Management?
Risk management is a key component of sound corporate governance. There has been a popular view in the past that risk management was a brake on progress: a discipline inhabited by clip-board clutching box tickers intent on stifling entrepreneurial innovation. Not any more – for enlightened organisations have embedded an effective approach to managing risk into their culture and everyday processes. Risk management should be as much about spotting opportunities, as avoiding hazards.
‘The effective development and delivery of an organisation’s strategic objectives, its ability to seize new opportunities and to ensure its own long-term survival depend on its identification, understanding of, and response to, the risks it faces,’ says the Financial Reporting Council.
High profile scandals in private, public and third sectors, corporate failures, the banking crisis of 2008-2009, as well as increased globalisation, interconnectedness and the fast pace of change in the business environment, have all focused more attention on the way boards handle risk management. There has been a step change in the need for boards to focus on risk in the last few years. Regulators have toughened their approach – all but the smallest companies in the UK must now prepare a ‘strategic report’ which includes a ‘fair review of the company’s business and a description of the principal risks and uncertainties facing the company.’ For charities, the SORP 2015 requires in the annual report from trustees ‘a description of the principal risks and uncertainties facing the charity and its subsidiary undertakings, as identified by the charity trustees, together with a summary of their plans and strategies for managing those risks’. Sector specific regulators from the Care Quality Commission, to the Health & Safety Executive expect to see a proper risk management strategy.
Corporate Governance codes all stress the need for an effective approach. The UK Code states in Section C, ‘The board is responsible for determining the nature and the extent of the principal risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.’ In the 2014 edition this was strengthened to include a new provision that ‘a robust assessment’ is carried out annually of the ‘principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity.’ Similarly, the Governance Code for the Voluntary Sector requires that the board must ensure ‘..it regularly identifies and reviews the major risks to which the organisation is exposed and has systems to manage those risks.’ But also, there are increasing expectations from all stakeholders that the Board is aware of risks and has an effective plan to manage them. It is no longer acceptable in the public’s mind for organisations to find themselves in a position where unexpected events cause financial loss, operational disruption, damage to reputation and loss of market position. Witness the outcry every time a bank’s cashpoint network goes offline.
What is risk?
A useful working definition is ‘an event with the ability to impact (inhibit, enhance or cause doubt about) an organisation’s mission, strategy, projects, routine operations, objectives, core processes, key dependencies and/or the delivery of stakeholder expectations.’
By taking a proactive approach to risk management, organisations should achieve positive benefits:
- Operations should be more efficient because events that can cause disruption are identified in advance and actions taken to reduce the likelihood and containing the costs if they do occur.
- Processes should be more effective because of the thought that is given to selecting processes and thinking about the risks involved in different alternatives.
- Strategy should be more effective, because risks associated with different options will have been carefully analysed and better decisions reached, leading to better outcomes.
Types of risk
Risks break down into different types. Risk management practitioners classify risks into hazard risks, control risks and opportunity risks. In general terms, organisations seek to mitigate hazard risks, manage control risks and embrace opportunity risks.
Risks break down into categories:
- Financial risks – (e.g. accuracy and timeliness of financial information, accurate accounting records, adequacy of cashflow, interest rates, exchange rates, investment returns).
- Operational risks (machine failure, human errors, service quality, incorrect contract pricing, employment issues, health and safety, IT failures, data breaches, fraud and theft).
- Environmental and external risks (reputation and adverse publicity, cyber attacks, demographic trends, government policy, terrorism, extreme weather events, pandemics).
- Compliance with laws and regulation – risk of legal claims, regulatory action, prosecution and fines for failure to comply with obligations.
Risk assessment
Having identified the risks faced by your organisation, they should be categorised in terms of their likelihood of occurrence and potential severity of impact (including financial loss or impact on reputation). Sometimes a risk score of 1-5 may be awarded (with 1 being very low and 5 being very high). The impact score may be multiplied by the likelihood score to identify the areas where most board attention and scrutiny is required. This will build up into a risk register similar to the one shown in Figure 1 below.
Figure 1 Example Risk Register
Once each risk has been evaluated, the board will need to consider any action that needs to be taken to mitigate the risk, either by reducing the likelihood of it occurring, or lessening the impact if it does. The technique of ‘4Ts’ is sometimes used:
- Tolerate – accept the risk because it is not considered a significant threat.
- Trim – take measures to control or reduce the risk, so that the residual risk after control measures have been applied is acceptable (e.g. create policies and processes, train staff on how to reduce likelihood).
- Transfer – shift the financial consequences to third parties (e.g. through taking out insurance or outsourcing to the supply chain, or using indemnity clauses in contracts).
- Terminate the risk – by getting out completely – e.g. closing down an excessively risky operation or facility.
The risk register should be used for recording risks that have been identified, actions taken to investigate the risk, identifying the person with management responsibility for the risk, recording measures taken to deal with risks, and recording regular reviews of the risks. The risk register should be a living document that is reviewed at scheduled intervals by the board – not a one-off exercise that then sits in a filing cabinet
How does the Board discharge its responsibility?
The approach taken by any Board obviously depends on the size of the organisation and the complexity of its operations, but any organisation can benefit from a structured approach. In an organisation with full time professional managers, it would be usual for the managers to take the lead in assembling the risk register and bringing it to the board for review. However, in a smaller organisation the board members themselves may have to take the lead in compiling a risk register, perhaps with the assistance of an external facilitator, such as Elderflower Legal.
The processes which boards use to consider risks were examined in some detail by the FRC in 2011 and the Sharman Inquiry in 2012. The key areas of best practice recommended were:
- The board must first decide on its appetite and willingness to take on risk – this feeds into the organisation’s culture, behaviour and values. Are the risks commensurate with the expected returns? An environment of excessive or ill-informed risk-taking could be fatal to the organisation’s long-term future. The Walker report into the banking crisis found that boards simply did not understand the risks that their traders were taking on mortgage backed-securities. At its simplest level, the board may set financial downside limits on transactions and these feed through into specific limitations on the authority of managers in any scheme of delegation. There are also inevitable linkages to personal reward systems and motivations and HR policies and how these influence staff attitudes to risk.
- Risk management and internal control should be incorporated within the organisation’s normal management and governance processes – not treated as a separate or one-off compliance exercise.
- The board must make a robust assessment of the main risks to the organisation’s business model, including ability to deliver its strategy, solvency, liquidity and long-term viability.
- Once the risks have been identified, the board should agree how they will be managed and mitigated. It should satisfy itself that the management and control systems are adequate and, in larger organisations, receive adequate formal assurances from managers, the audit committee and external auditors. Regular reports should be coming to the board to provide this. Risk data should be captured from across the organisation: often front-line staff are the first to be aware of problems.
- Risks and associated control systems should be reviewed on a regular ongoing basis.
- The organisation should report publicly and transparently to its stakeholders on the principal risks it faces, any material uncertainties and their review of the risk management and internal controls. Stakeholders should feel that the board has a visible role in governance and stewardship and that the board is held accountable.
Five key questions for the Board
What are the top 5 actions the board can take to ensure success?
- Focus on the culture – is there an embedded commitment to risk management and control in your organisation? Does the board lead by example? There should be openness and creativity around risk issues. (Don’t be like HBOS, which sacked its group head of risk when he tried to warn the Board they were taking excessive risk).
- The risk register and associated controls must be documented, understood, reviewed and disseminated regularly – not locked in a filing cabinet and dusted off once a year, or even less frequently.
- There must be a process for monitoring and reviewing risk – adequate time must be scheduled at board meetings to consider risk issues and review whether the organisation has the skills and capacity and tools to manage risks effectively. The board should focus its attention on the top ten areas identified with highest risk score.
- The board must be alert to new and emerging risks (such as cyber attacks, sovereign debt crises, Grexit/ Brexit, global political instability/ terrorism, climate change, social media, pandemics, demographic changes).
- Report on the board’s activities in examining and reviewing risks so that stakeholders can gain assurance that the board is discharging its duties and form a balanced, clear and informed view of the organisation’s prospects.
As with all aspects of good governance, the effectiveness of risk management and internal control ultimately depends on the skills, knowledge and behaviour of those responsible for operating the system. The board must set the desired values, ensure they are communicated, incentivise the desired behaviours, and sanction inappropriate behaviour.