Risk Assurance

What are the key governance issues for 2015 or the top trends in corporate governance?

 

This is the third and final blog about the critical areas that boards need to look at. This month I want to take a look at the whole area of Risk and Assurance.

 

Whenever I deliver a course in corporate governance, at some stage in the delivery I will make the point that one of the key roles of a board member is to understand their role in monitoring strategic risks (risks of failing to achieve business objectives). Having done so, they should then focus their scrutiny and challenge on ensuring that they get the required level of assurance.

 

In my opinion, the ability to identify risks before they arise and have a strategy for dealing with them is what sets great boards apart from good boards. I don’t mean just the risks associated with preventing losses, but also the risks associated with new opportunities. As the UK Corporate Governance Code puts it: “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.”

 

High-performing board members don’t just rely on sophisticated metrics, quantitative measures and historical data to manage risk; they are able to do so much more. Great boards have mastered the art of risk management as opposed to the science of risk management. They have a ‘soft approach’ as well as a ‘hard approach’. But before I explain what I mean, let’s quickly explore the basic principles of good risk management.

 

A good board will have a robust and systematic process of risk management, i.e. risk identification, risk assessment, risk planning and risk monitoring. They will spend some time determining their risk appetite and, by assessing the impact and probability of the risks that have been identified, can come up with a register or action plan for dealing with those risks.

 

The process may involve the TARA strategy:

1. Transfer the risk – a common example is insurance. We can also ‘share’ the risk through a joint venture for example. In this case, the TARA model would be SARA (share).

2. Avoidance (not doing the activity).

3. Reduce/Mitigate the risk (by pooling or hedging risks).

4. Acceptance (where the adverse impact is marginal you may decide just to accept that the risk may occur and to deal with the consequences when they arise).

 

All boards should make use of the tools and techniques available for the determination and monitoring of risks. These include PESTEL analysis, Porter’s 5 Forces and the McKinsey 7s framework.

 

The problem with all of this is that boards get caught up in the tools and underestimate the importance of their role. Non-executives sit on boards to bring an independent point of view, an understanding of the wider business environment, and a broader perspective and insight. Although necessary, the traditional frameworks can force the board to miss the bigger picture. Boards can become complacent because they are confident that all the significant risks have been identified and monitored and are captured on the risk map. The logic then is that we must be OK. The problem with these frameworks is that they can’t deal with the unpredictable because, by their nature, they focus on risk events. Having predicted the risk events, we are then content to monitor, mitigate and control them. Strategic risks by their nature, however, are for the most part unanticipated, in that they do not fall into a simple, linear model. By focusing on specific events, boards can sometimes oversimplify what can be quite complicated and interrelated circumstances. I am not suggesting that boards can predict the unpredictable, but an experienced and mature board will be able to detect the clues of impending dangers, an ability which comes from a combination of sector or industry knowledge, organisational intelligence and depth of understanding of key issues, together with a trusting, collegiate-style board. The ability to see the big picture rather than focusing on events in isolation is a skill that the best boards develop.

 

As a board you can’t be sure that you will get the balance right between risks that you can ignore and those that you need to be all over, but what you must be able to do as a board member is get enough assurance to make the right decision. Don’t get bogged down with those colour-coded, RAG-rated matrices and tools. The tools can’t make the decisions for the board; what the board needs is good old-fashioned common sense and a depth of understanding of the environment in which the organisation operates in order to interpret the measures. When you get it right, a board will be able to determine what things to act on and what things the board should ignore.

 

In conclusion, great boards don’t do risk management solely as a separate exercise that falls on the board agenda or in the cycle of board meetings. Risk management is the ‘raison d’être’ for the meetings, and every agenda item forms part of the complex decision-making criteria that the board should be analysing. I sometimes use the analogy of Iron Man, the fictional superhero, to describe an effective board member. Imagine that the board member was armed with his own powered armour suit and the ability to use the inbuilt computer to process data from a number of sources instantaneously so that the most productive decision can be made: this is the way board members should operate. Boards should see the strategic risk management process as evaluating what they know about every area of the business and how the various reports, key performance indicators and benchmarks provide a picture for them to be able to anticipate what they need to focus on. This more rounded approach should help to counter groupthink, ill-informed decisions or complacency and lead to a more holistic approach to risk and assurance.

 

Until next time…

 

Explanatory notes:

  • PESTEL – Political, Economic, Social, Technological, Environmental, Legal
  • 7s – Strategy, Structure, Systems, Skills, Style, Staff, Shared Values
  • Porter – Supplier Power, Threat of New Entry, Buyer Power, Threat of Substitution, Competitive Rivalry