Collaboration within organisations will create a united and diverse resource to help boards deal with risk
Risk management is moving up the corporate agenda. It is now viewed as more than a tick-box compliance exercise, and regulatory bodies such as the FRC are increasingly calling on business leaders and senior management to have a greater involvement in their organisation's risk management strategy.
But how do boards actually view risk management? Do they see it as a necessary evil or as a vital contributor to the successful development and execution of their business strategy? Managing risk in today's complex world is no easy task and boards are having to respond to growing pressure to take an active role in shaping their agenda and conversation on risk.
Airmic has spent the past year asking UK boards about risk, through a series of round table meetings hosted with the Chairman's Forum, the Chartered Institute of Management Accountants and Alvarez & Marsal. The answers to these questions were not only fascinating, but extremely encouraging.
To sum it up, today's boards care about risk management – and not just about paying lip service to it, but actually getting it right. That dozens of FTSE chairmen, CEOs and non-executive directors were both willing and keen to have these discussions speaks volumes in itself. To quote the Director of the Chairman's Forum, Richard Sermon: 'Boards now want a more qualitative conversation about risk.'
The outcome of these discussions culminated in our report entitled 'Ensuring corporate viability in an uncertain world – framing the board conversation on risk'. The report shares some practical thinking on the key issues and offers an agenda and road map for senior executives on how to have an effective board risk conversation.
The report includes commentary from senior business leaders, including Sir Peter Gershon, Chairman of National Grid and Tate & Lyle, Sir Roger Carr, Chairman of BAE Systems, and Sir Win Bischoff, Chairman of the FRC.
One of the core messages that came out of the discussions is that boards are concerned about the growing complexity of global risks. Managing risk is clearly not a new concept for businesses, but what is new is that the scale of the challenge is dramatically more profound than in the past. Broadly speaking, this is due to three factors:
- Speed of change, of markets, environments, distribution and geography. The rate of acceleration requires a speed of response which is greater than anything previously experienced.
- Complexity of risk, of business models, of technology dependence, and of the external environment, beyond anything seen before.
- Transparency, whether planned or otherwise, occasioned by social media, traditional media, and the pervading investigative process – we all live in a glass bubble.
Risk profiles are changing. When creating lists of risks that typically keep business leaders awake at night, intangible risks which are harder to define, quantify and manage, such as cyber, reputational and non-physical business interruption, feature more prominently than the tangible or more physical asset-rich risks.
Add to this the potential for digital, non-physical triggers to cause physical damage, and the potential for substantial physical damage is vast.
Risks will continue to become more complex and interconnected, and change will continue at an unprecedented pace. Boards are acutely aware that sound risk management is becoming vital in this context.
According to Robert Walker, Chairman of Travis Perkins and Enterprise Inns: 'In an interconnected world there is an increasing need for boards to understand and seek to manage "complexity risk" by factoring in a combination of risks, including the impact of global economic and geopolitical trends and issues, cyber security and the potential impact of reputational risk.'
Not just compliance
Given this backdrop, it is imperative that risk management is driven from the very top of the company. Encouragingly, the interviews that took place prior to writing the report demonstrated real progress in this area and illustrated that senior management understands the importance of board-level leadership for the management of risk.
The report reminds boards of the need to ensure that the organisation's approach to risk has been properly considered when setting strategy. It states that risk management should support better decision-making, rather than inhibit sensible risk-taking in line with growth strategies and operations.
It also emphasises that the board's responsibility for the organisation's culture is essential to the way in which risk is considered and addressed.
There was clear recognition that although risk managers have day-to-day responsibility for implementing the risk management system and providing help and support, it is up to senior management to ensure that the appropriate system is in place to support the effective integration of risk management and to foster collaboration in the management of risk, vertically and horizontally around the organisation.
For this to happen successfully, the risk management system should comprise a series of principles, frameworks and processes which must be embedded in all parts of the business model. The system needs to be dynamic and adaptable to respond to rapidly changing circumstances.
To quote Charles Tilley, Executive Chairman of the CGMA Research Foundation, who participated in the research for the report: 'Every aspect of the business has a risk management element; every decision made or action taken can be viewed as risk prevention or risk mitigation. For companies to have success over the long term, risk management should be integrated into the fabric of every business.'
One of the most positive messages that rings clear throughout the report is that when risk management is elevated to a strategic level it opens up opportunities for value creation. In other words, good risk management is not just about 'saying no' or 'business prevention', but can have a material and positive impact on long-term resilience, competitiveness and value creation.
Managing risk, resilience and longer-term viability are inherently linked. Longer-term viability requires a good understanding of the risks facing the organisation, how they are being managed, and how the company would respond if they materialise. Resilience is the ability of an organisation to anticipate, prepare for, respond and adapt to change and sudden disruptions in order to survive and prosper.
An integrated approach
The fact that risk management has a growing status within organisations has been backed up by surveys conducted by Airmic of its membership, which show that risk managers now find it easier to gain attention from the top. Respondents also reported greater support and leadership from the board on risk issues.
This remains work-in-progress, but it is clear that boards increasingly appreciate the value of risk management. But while the message is getting through to the top, research indicates that more is needed to embed risk management across organisations.
In the same survey of Airmic members, almost three-quarters of respondents said they were concerned that risk management and risk education are not being fully integrated with wider business units.
Although different sectors approach enterprise risk management in different ways, one thing is common: all activities of an organisation involve risk. Successful enterprise risk management requires an integrated approach.
It is not possible for the risk function or senior management alone to be effective at identifying and assessing risks, and in particular identifying aggregations of risk across a business. As business models continue to become more complex, risk no longer falls into neat categories along organisational lines.
Take digital risk as an example. As the digital revolution penetrates all aspects of a business, so digital risk becomes a component of all risks in all areas of business. The only way to manage this is for departments to work together – digital risk is the biggest concern for most CEOs and managing it cannot be confined to the boardroom, the IT department or the risk management department.
Breaking down silos, however, can be a challenge – it requires a cultural shift for IT and risk departments to work together. Business function leaders have the potential to become influential business leaders if they are smart about building relationships with their peers, hire the right teams and build the right capabilities. Different functions typically have different profiles and these need to be understood to build sustainable, collaborative relationships.
Although boards play a vital part in promoting collaboration between functions, company secretaries also have an important role in meeting this challenge.
Managing risk is an important part of a company secretary's role and, as the key link between the board and other functions, they – together with their colleagues in risk management – can play a pivotal role integrating the management of risk across a business.
There are enormous demands placed on boards and, for many senior executives, finding adequate time to focus on risk management can be a challenge. One of the messages that rang clear from our conversations with boards is that senior management is looking for help on how to translate the risk management imperative into practice.
Collaboration across management and teams in an organisation not only produces collective intelligence but can create a united, diverse resource for boards to call upon.
Julia Graham is Deputy CEO at Airmic