Kodak’ was a leading brand for over a hundred years. Its descent into Chapter 11 bankruptcy in 2012 represented a strategic failure to reinvent itself and a missed opportunity to adopt the very digital technology that it had itself invented in 1975. Kodak was ultimately unable to take strategic risk. Internally, Kodak saw itself as a chemical film business – it saw its own invention of digital imaging technology as a threat to its very existence, rather than as the ‘disruptive technology’ that would revolutionise the photographic business.

BP plc is a major oil and gas company with a proud history dating back to 1909. Privatisation in the 1980s was followed by a series of mega-mergers in the 1990s that doubled its scale and operations. An explosion at the, previously Amoco-owned, Texas City refinery 2005 killed 15 workers and injured up to 500 others: over 40,000 nearby residents were also impacted by the resulting incident. This left the company’s reputation exposed in the lead up to the subsequent Deep Water Horizon well explosion in 2010. In the immediate aftermath of that incident, the company lost 55% of its market value with its share price plummeting from $60 to $27: negotiations to determine its ultimate liability for the disaster continue to this day, and its share price remains depressed compared with pre-incident levels. Investigations following the two incidents concluded that BP had failed to connect the ideals of its board and day-to-day operations. As the Baker Report put it, “Ultimately, that represented a failure of leadership”.

Business has always involved risk, indeed risk taking is the very essence of all business. So why do firms sometimes get it so catastrophically wrong, why is it that risk management is so very often equated with corporate governance, and what does all this mean for the role of boards, and specifically, chairmen?

One very well-accepted definition of risk is ‘the effect of uncertainty on objectives’. Every business strives to achieve its vision by making decisions, and does so in the context of both external
(market/political/economic/social/technological/legal/environmental) and internal (organisational/cultural) environments, in each of which exist uncertainty. Risk therefore has an upside, as well as an obvious downside. In other words, risk in neither inherently good nor inherently bad.

It is, rather, a simple business concept that can and should be described and managed using straightforward business language, not the huge range of acronyms beloved by some consultants.

Effective risk management should be fully integrated into business operations and processes, as well as into strategic planning and change programmes.

By contrast, corporate governance comprises the system, policies, processes, resources, skills and culture deployed to ensure a business and its people achieve both external and internal legal and regulatory compliance requirements. Governance holds organisations to account.

Both risk management and corporate governance matter tremendously but they are different disciplines requiring different focuses from boards and their chairmen.

This article focuses on the role of boards and their chairmen in risk management.

The International Standard for risk management, ISO 31000:2009, defines three key components: principles, process and framework. These describe, respectively, (1) its purpose and approach, (2) how it should be embedded, tailored and applied, and (3) the organisation, policies and processes required.

Boards should be primarily concerned with understanding the key risks, both individual and aggregated, facing the organisation, and how they are being handled. This includes upside, or opportunity, risks, as well as downside, or negative risks.

The board also has the primary role in ensuring the organisation defines its appetite for risk taking: in other words (as ISO 31000 defines it, ‘the amount and type of risk that an organisation is willing to pursue or retain’). Risk appetite and risk tolerance can often be confused. Whilst risk appetite is concerned with both the types and extent of risk the business prefers to take, risk tolerance represents an organisation’s readiness to bear risk, after risk treatment, in order to achieve its objectives.

Finally, the board is ultimately responsible for ensuring the chosen risk management framework is fit for purpose and applied appropriately.

The list below sets out fifteen key questions for the chairman to ask their board and senior management.

1. Risk Management Framework

a. How is risk management integrated with:

• development of business objectives and strategy,
• day-to-day activities and business processes,
• and, with project and programme management?

b. How are risk appetite and tolerance determined and communicated? What significant risks are the board willing or not willing to take?
c. What risk management standard and tools are used and why?
d. How is ownership of risk assigned?
e. Does the organisation have the appropriate capability, both skills and resources? What training is provided in risk management for risk owners?
f. What are the respective roles of the board, senior management, the risk office/risk manager and operational management?
g. How does risk management work with other functions such as internal audit, governance and compliance, legal, corporate treasury, purchasing, health, safety and environment, security, and information systems?
h. Does understanding of risk permeate the organisation? Are management incentivised for good risk management?
i. How does the culture of the organisation impact understanding and management of risk? How should the board influence the chosen culture?

2. Risk Management Process

a. How is risk identified, assessed, prioritised, treated and communicated? Good risk management can also help identify business opportunities and be a powerful aid to innovation.
b. How is aggregation of risk managed? Do we understand the risk implications of our extended supply chain – suppliers, customers, regulators, media etc.?
c. Are we managing risk fast enough so we can act quickly, both in terms of operational activity and business strategy? Is there an ‘early warning system’ so that pre-emptive action can be taken?
d. How are risk management, disaster recovery and business continuity integrated to ensure organisational resilience?
e. What information about risk is shared with the board and how? ‘Lists of risks’ aren’t always the most effective means. ‘Box ticking’ definitely isn’t.
f. How do we ensure the risk management process is working as it should? Is there a commitment to continually learn and improve across the organisation at a fundamental level?

Firms sometimes express a concern that establishing an effective risk culture means suppressing the entrepreneurial spark within their business. Evidence from across the world tends to indicate the opposite: cultures that drive long-term value for customers, long-term profit for shareholders and motivate staff to work with the company, are those that are most effective at managing risk (“Blue Ocean Strategy” – W Chan Kim and Renée Mauborgne).

In Gulf Cooperation Council countries, with so many migrants from different countries, organisational culture is influenced by a range of different national, religious and cultural factors. It can be argued that, in this context, risk culture is even more important than it is more mono-cultural parts of the world.

The board, and especially the chairman, play a pivotal role in developing the risk culture of an organisation. The Institute of Risk Management (IRM) Risk Culture Aspects Model defines eight aspects of risk culture, grouped into four themes – key indicators of the ‘health’ of a risk culture, aligned to an organisation’s business model.

1. Tone at the top

• Risk leadership
• Dealing with bad news

2. Governance

• Accountability
• Transparency

3. Decisions

• Informed risk decisions
• Reward

4. Competency

• Risk resources
• Risk skills

It is vital to recognise that culture cannot be changed quickly. It is a journey that requires consistent leadership from the top. “The bottom line for leaders is that if they do not become conscious of the cultures in which they are embedded, those cultures will manage them. Cultural understanding is desirable for all of us, but it is essential to leaders if they are to lead” – Edgar Schein PhD – Professor at MIT and a recognised authority on organisational culture and leadership.

So where do organisations often get it wrong? Here are five trends that chairmen could do well to keep under constant review:

1. Don’t just focus on ‘flavour of the month’ risk. Experts in one area of risk tend to overlook the importance of others, or indeed those of most importance to a specific business. There is a specific role here for the board here to ensure a balanced approach. Remember, risk is as much upside (opportunity) as it is downside.

2. Information risk. Cyber crime is with us to stay, permanently, yet the skills to manage it remain in short supply. It’s a broadly based area, with nation states, terrorist organisations, competing firms, disgruntled employees and bedroom-based hackers all active. Faced with two identical cars, which would you steal – the locked or the unlocked one? Simple countermeasures are often the best.

3. Supply chains and the ‘extended enterprise’. In today’s globally uber-connected world, risks flow not just from customers or suppliers, but from customers’ customers and suppliers’ suppliers. Many of the commercial victims of the Rana Plaza building collapse in Dhaka were commercial customers of customers of those firms based in the building.

4. Think beyond tomorrow. “It is tough to make predictions, especially about the future”, as Danish physicist Niels Bohr famously said. Boards must keep an eye on long-term trends: risks don’t tend to materialise overnight. So-called ‘black swan events’ can quickly unravel the best-laid plans of any business. By contrast, better responders to disruptive technologies, firms that aren’t hung up on one idea, tend to be more resilient in terms of commercial survival and growth. Toyota’s recognition and subsequent adoption of hybrid power technology, is a good example. The annual Global Risks Report from the World Economic Forum is a further invaluable resource for boards.

5. Communicate clearly about risk and avoid jargon. Risk jargon is totally unnecessary in business today and tends to obfuscate rather than clarify. Boards must be prepared to move quickly and honestly when an incident does happen: social media allows a small incident or badly worded comment to quickly become a major crisis, impacting both the firm’s value and its reputation. Reputation is much more than brand: perception is everything, and size is no protection when things go wrong.

Author

Steve Fowler

Steve is the Founder and Managing Director of Amarreurs Consulting Ltd. He can be contacted on steve@amarreurs.com. Amarreurs are global advisors on business strategy, risk and change. Our advisory and training services are tailored to the needs of your organisation – and we will never ever use jargon.