How Risky are your Unknown Unknowns
An Article by Pete Laburn
The economic crisis of the past two years has led organisations, regulators, shareholders, and other stakeholders to think anew about the role and scope risk management plays in their companies and in the wider economy. While some organisations have employed sophisticated risk management processes, others have managed risks informally or on an ad hoc basis. In the aftermath of the financial crisis, executives and their Boards realise that these current processes may be inadequate in today’s rapidly evolving business world. Boards specifically are under increased scrutiny due to the perception that organisations encountered risks during the crisis for which they were not adequately prepared. Clearly, one result of the financial crisis is an increased focus on the effectiveness of Board risk oversight practices.
The King III report on corporate governance, which took effect earlier this year, has much to say about risk management and the role of the company’s Board in the oversight of this area. King III confirms the role of the Board as the focal point for corporate governance. The Board has a collective responsibility to provide and ensure good corporate governance. In order to do this, King III proposes that the Boards of all companies establish audit, risk, remuneration and nominations committees. While most companies would be familiar with the roles and responsibilities of the audit, remuneration and nominations committees, few are clued up on the role of the risk committee regarding a company’s strategic risk, and it is this issue that this article wishes to address specifically.
King III says that a company should have a risk assessment framework that identifies the root causes of risk and considers all aspects of risks and risk sources. It says risk management must be embedded into the company’s day-to-day operations and that management should not ‘follow the herd’ when faced with systemic and pervasive risks, but should be able to identify and understand how risks are related.
King III emphasises the fact that risk management should be seen as an integral part of the company’s strategic and business processes. The Board’s responsibility for governance of risk should be set out in a risk management policy and plan. The Board should consider the risk policy and plan, and should monitor the whole risk management process. The Board remains responsible for risk management and should pay particular attention to a number of specific risks, including reputational risk, sustainability risk, IT risk and the risk of the unknown.
While the Board remains responsible for the risk management policy and the determination of the company’s risk appetite and risk tolerance, management is responsible for the design, implementation and effectiveness of risk management. The Board should receive assurance regarding the effectiveness of the risk management process. The Board may assign its responsibility for risk management to the risk committee. Membership of this committee should include executive and non-executive directors. Where the company decides to assign this function to the audit committee, careful consideration should be given to the resources available to the audit committee to adequately deal with governance of risk in addition to its audit responsibilities.
The company’s approach to risk management should be intrusive to ensure that risks are properly assessed and managed. King III identifies three lines of defence for risk management, namely line management, risk experts and finally the assurance functions. Risk is a pervasive part of everyday business and organisational strategy. But the complexity of business transactions, technology advances, globalisation, speed of product cycles, and the overall pace of change have increased the volume and complexities of risks facing organisations over the last decade. Many companies have underinvested in or ignored strategic risk to their company, instead focusing on smaller financial and compliance risks.
Recent research conducted by The Corporate Executive Board of the UK analysed the causes of steep drops in firms’ market capitalisation and found that 68% of risk events are strategic, and responsible for destroying more than 50% of firms’ market value. Another 13% of these events are operational risks. These disruptive risk events are directly attributable to the strategic management activities of an organisation, but unfortunately most companies struggle to provide assurance over these activities.
What Board members need to realise is that while audit committees oversee the company’s compliance with financial risks (this is value preservation work), risk committees need to oversee the company’s preparation for other unknown risks faced by the company (this relates to strategy creation and value creation work). The risk committee of the Board needs to make sure that the strategic objectives of the company are aligned to avoid and prepare for major strategic risks, and in this way they aid the company in achieving its important goals.
Here are four areas of focus for Boards of directors to steer them through their risk oversight duties.
1. Understand the company’s risk philosophy and concur with the company’s “risk appetite,” that is, the amount of risk that the company is willing to accept in pursuit of stakeholder value.
2. Know the extent to which management has established effective risk management processes that identify, assess and manage the company’s most significant enterprise-wide risks.
3. Review the company’s risk portfolio in relation to the agreed risk appetite, including through strategic and operational initiatives that integrate enterprise-wide risk exposures.
4. Be apprised of the most significant risks and whether management is responding appropriately.
If there is any lesson to be drawn from the events that led up to the financial crisis, it is that risk management can, and should, have a significant impact on shaping business strategy and its successful execution. However, the key to the development of an effective business strategy that takes into account all possible risks is the ability to strategise in the headspace of the time you are strategising for.
In order to develop a three- or five-year strategy from now, companies need to be able to think three to five years forward. A company’s management team needs to be able to visualise the world of 2015 and chart the company’s ideal future at that time. Only once this ideal future is clear do you then back-cast your thinking in order to understand what needs to be developed, changed and enhanced in order to realise this ideal future you desire. Thinking in the future and then back-casting your strategy to today will help you to internalise why you need to do things differently, as you know the ideal outcome that you are trying to achieve. This process of seeing into the future and then marrying it back to the present is crucial to a vibrant process of strategic planning that takes into account potential risks. In essence, strategic risk management is about managing the future, backwards.
Most managers or staff, who are focused on dealing with the everyday operations of a complex company, will find it very difficult to get their head around this jump into the future by themselves, and so they will need to get someone to help them to think ‘in the future’. You cannot develop an effective strategic risk framework thinking in the mode of the present, but need to be able to develop the mental frameworks of the future in order to come up with the fascinating outcomes needed to position your company safely for the future.
In order to develop a comprehensive risk management strategy, it is important to note that critical thinking only happens with an ‘outside-in approach’ and not an ‘inside-out approach.’ Corporate managers need to be able to step away from daily managerial tasks and see the organisation objectively as an outsider in order to accurately identify what strategic decisions need to be made, changes need to be implemented and capabilities need to be developed in order to arrive at the ideal outcome in the future. Strategic risk management needs to be driven by what the rules of your industry will be 3-5 years out, and what capabilities your organisation will need to possess in the future to be relevant at that time. You will need to identify what your market will require of you in the future, and make sure that your capabilities are ‘five years time’ compliant and relevant. All this requires courageous, forward-thinking leadership and a sense of imagination that brings out fascinating outcomes. Sadly, whilst many business leaders claim to be such leaders, few demonstrate it, preferring to muddle their way forward by focussing on crisis management. As Harvard professor James Quinn observed, “most companies proceed by trial and error, constantly revising their strategies in the light of their experiences.” Unfortunately, with the fast pace of today’s strategic risks, it may be too late to make a significant positive difference to your company’s future.