Rethinking risk management in the boardroom
So many risk management processes have failed in dramatic ways since the Cadbury Report and its various iterations were first published. Now the Financial Reporting Council (the “FRC”) is on the verge of setting a very high hurdle for risk management in quoted companies. This is not going to require a simple re-vamp: it is going to require a wholesale rethink of risk management and what it means to the board. The cursory review of the top-ten risks that Nigel Turnbull advocated after his guidance was first published many years ago is now long gone. Instead we are looking at something that can and ought to contribute to the strategic debate in terms of value creation and protection: a long, long way from the rather bureaucratic processes of only a few years ago.
The starting point for thinking about risk management today is that it is as much about creating value as it is about preventing bad things from impacting the company. With this in mind the FRC have developed guidance for directors (rather than for managers) that is focussed on strategic matters as opposed to the minutiae that are so often associated with risk management.
The key question is: which risks are the board willing to take in order to create value for shareholders and what is the board’s appetite for those and other risks? This in turn leads on to questions about the culture in the organisation, its ability to manage risk and in turn the ability to sustain itself as a going concern. Equally, each year, the board is expected to review the effectiveness of its risk management processes. These responsibilities are drawing on ideas and concepts that have frankly been absent from many boardrooms and many boards will struggle to turn the FRC draft guidance into a meaningful debate around the board table.
Some of the concepts that are being discussed are still in development within the profession of risk management: for example, ideas about risk appetite and risk culture are still developing. How do you know whether what your management team or your risk team is talking about is appropriate to you or not? While it remains management’s responsibility to manage the risks, it is the board’s responsibility to oversee risk appetite, to agree which strategic risks should be taken and to monitor them, to oversee the risk culture and to make sure the stress testing makes sense.
Key questions that board directors should be asking themselves include:
- Do we have agreement across the board as to our key strategic risks? Also, how will we manage and monitor these risks going forward? Where is the division between management and board responsibility?
- What do WE mean by risk appetite? And what is it? How do we set it, monitor it and make sure that it remains appropriate?
- What is OUR risk culture? How do we know whether it is right for our business? Is it consistent across our businesses? Or should it be different in different parts of the business?
- How do we know whether new risks are being spotted and escalated? Are our risk systems adequate? Do our internal audit team have enough knowledge to review this for us?
- How do we want to do our stress testing? Are we setting ourselves tests that are sensible or are they just lip-service?
- What are the smart questions that we should be asking about risk?
- Do we, as a board, have sufficient expertise to act as an appropriate challenge to our executive management? Do we know what all these new risk terms really mean in practice? After all, few have seen them in real life.
- One of the non-executive directors is going to have to take responsibility for risk management, whether in a committee (a risk committee or the audit committee) or in the full board. How many non-executive directors have a detailed knowledge of the latest thinking in risk management?
- Consultants are all over this subject like there is no tomorrow. Where can the board get independent advice, without the risk of incurring major expenditure? Are the consultants who are advising the management team talking sense?
At AndersonRisk we are focused on working with boards to answer these and many other questions. With a team of people who have led much of the debate about these key risk management developments, we are at the forefront of thinking, but we always temper that with pragmatic realism: not everyone needs to be at the leading edge of risk management. We recognise that there may be steps towards better practice that can be taken over a period of time.
- We can work with boards to ensure that the requirements of the new FRC guidance are properly understood by the board.
- We can review the existing processes, plans and aspirations for risk management to make sure that they will help you to discharge your governance responsibilities as well as help the management.
- We can act as independent advisors to boards, risk and audit committees.
- We can provide training to boards.
- We can facilitate workshops addressing the key questions above.