BUSINESS RISK: Register the right risks

The credit crunch has placed new urgency on boards of directors to grapple with business risks. Clearly such risks are growing rapidly – especially reputational and business continuity risks.
Risk management is a systematic process to deal with threat, uncertainty and adverse events. Directors have a critical role in risk management as the very nature of business demands that risks are taken, but these risk decisions must be well-informed and astute. Effective risk management is rather like strategy development in that it requires a mix of both sound systematic structure and creative thinking.

Sound risk management should:
1. Be a core function of the board.
2. Be part of the culture of the whole organisation.
3. Create value and not just add cost to the organisation.
4. Be tailored to the unique needs of each organisation.
5. Be dynamic and respond to environmental changes.
6. Continually improve.

Having undertaken many board evaluations in the past six years, including assessments of risk management processes, my experience suggests the following.
1. Many boards tend to see risk in a narrow sense and so equate risk management with insurance rather than considering it as a broad cultural issue.
2. Few boards give serious consideration to formally articulating their risk appetite, ie, the level of risk that is appropriate for the organisation.
3. Even where sound risk policies exist and the boards feel confident that their organisation can respond effectively to an expected crisis, there is still little done in terms of a continuous improvement programme to systematically enhance risk mitigation and management.
4. There are often large discrepancies in board evaluation scores, in the risk management area, between the chair and CEO on the one hand and the rest of the directors on the other. Consistently the board members rate the organisation lower on most risk management items (risk policies, risk appetite, risk culture etc) compared to the chair and CEO. This discrepancy is typically two to four points on a seven-point scale. Perhaps directors are not as attuned to risk issues as the chair and CEO – or perhaps they are more astute judges of the real situation? Certainly I have found that conducting board sessions on risk assessment and management can greatly improve this discrepancy of views. My board evaluation tools ( indicate that these discrepancies exist in both small not-for-profits as well as in some of this country’s largest and best-run corporates.

In 2005, Lloyds and the Economist Intelligence Unit undertook a survey of 112 board members around the world on business risk and their conclusions are still relevant.
1. Risk is being taken much more seriously. The survey suggested that one in five companies suffered significant damage from failed risk in the past 12 months and nearly half had a “near miss”. Boards were spending more time on risk management with a four-fold increase in three years.
2. Boards are only slowly incorporating the full range of risks into decision making. Changes in the business environment had resulted in two thirds of the companies reassessing their risk management strategies, but less than half had reviewed the threat of terrorism, and only one in four climatic and natural hazard risks.
3. More needs to be done to embed a risk management culture. Only half of the companies surveyed had risk management overseen by the board; and less than a quarter included a risk management element in staff job descriptions.
4. Additional training is required on risk management for boards. Less than a third of directors felt that technical risk management skills were important and only 18 percent had received training in how to implement risk management across organisations.
5. The full benefits of risk management are not yet realised. Only one in four boards saw greater shareholder value as a benefit of better risk management.
6. The key source of risk management information is the insurance industry. Half the companies surveyed believed that they should be getting risk advice from insurers. This may be an over-reliance on a single source of expertise.

The key steps in effective board-level risk management are:
1. Identify the context of the risks: the background and objectives of the organisation, the stakeholders, the current circumstances relevant to the risk.
2. Recognise the risks: what can happen and how?
3. Analyse the risks: in terms of level of risk, consequence and likelihood, review the risk controls.
4. Evaluate the risks: rank order their importance to the organisation.
5. Treat or mitigate the risks: what are the options to deal with the risk, what are the best responses, what is our risk management plan and who will implement it.

When identifying the context of the risks, the following questions may be of relevance: What are the main strengths and weaknesses of the organisation? What are the main opportunities and threats to the business? What are the core values? Who are your primary stakeholders? Is your environment stable or volatile?
When recognising the risks, consider the following key elements:
• Externally driven events such as: financial risk including credit availability, interest rates, foreign exchange volatility; strategic business risks such as industry and technology changes, competition, customer changes and demand levels.
• Internally driven events such as: operational risk including changes in organisational culture, government regulation impacting on business processes and unexpected changes in board composition; hazard risks including climate and natural calamities, contract breaches, supplier bankruptcy, or environmental impacts.
Boards then often use a matrix to map the consequence against the likelihood scores and so produce an initial chart of priorities for risk management. This is then used to prioritise the resources to manage the most important risks.
When evaluating the risks the board might list risks under the following categories: commercial and legal relationships; education and training; financial marketing activities; human resources and individual behaviour; interfaces and communication; management activities; natural events; operational activities and controls; political events; processes and procedures; regulatory environment; reporting/accountability requirements; security; technology and technical issues.
The board may then have members of the management team document what is currently being done in each category above to control or mitigate the risks. A prioritised list of risks to be tackled can then be developed.
Once the risk list has been drawn up, a range of techniques can be used to manage these.
Risk avoidance or elimination may involve not undertaking some work for high-risk customers, or not using high-risk chemicals or manufacturing processes. It may involve reducing borrowing or not undertaking certain building projects. Clearly avoiding all risks is a poor strategy for any business as it is likely to lead to poor returns for the company.
Risk reduction or mitigation involves ways of reducing either the likelihood or the consequence of the risk. It may include the use of techniques such as prototyping before starting production runs, simulations to train staff or develop processes, developing alternative designs to increase the likelihood of success or evolutionary development so that progress is built upon small successful steps.
Risk transfer, outsource or insurance often involves moving the risk or the liability for risk to a third party. Outsourcing information management functions may reduce the risks of failure but it may also reduce the level of control the organisation has over its own information processing. Clearly outsourcing in itself will not reduce risks unless a highly reliable contractor can be found. Insurance purchase does not actually transfer the ri
