Board Failure (1) Risk Management
It is about planned mitigation not just avoidance
A board of directors should encourage executives to innovate and take risks. Boards should not just seek the safest route but assess risk correctly and plan for mitigation if things go poorly. Effective risk management is about reducing possible damage, not simply avoidance.
This is the first of five posts on why boards of directors fail.
In reaction to pressure from regulators, most boards have adopted formal processes such as risk registers, risk assessments, a risk committee, risk reports and even the appointment of a Chief Risk Officer. The RAG (red, amber, green) chart used to manage risk is a familiar feature of many board reports. There is a danger that all this structure and formality leads to a sense of complacency on boards and makes the directors’ understanding and management of risk less effective.
In the advertising agency business, there is a common saying that “you are only one phone call away from triumph or disaster”. The implication is that winning new business or losing a major client has a significant impact on the company.
I was on the board of an agency group for a number of years and at virtually every meeting one of our directors would ask the same question: “If our largest client stopped paying us, how many days would we have before we ran out of money?” He asked it with such regularity that it became a sort of standing joke, but the CFO always provided an answer, and it was usually somewhere around 50 days.
For an agency business it was exactly the right question to address, as it was probably the largest element of risk. And it was an astutely worded question. It was not “what happens if we lose a client?” but “what happens if the income from them stops flowing for any reason?” That could include the client themselves going bust or having some form of trading dispute with us which meant them withholding payment.
That board did not maintain a formal risk register and we had never heard of an RAG chart but we were extremely aware of, and constantly seeking to mitigate, the biggest single risk to the business. The executives in charge of the relationship with our biggest clients were always on the watch for this risk to materialize. The mitigation was credit insurance and, more generally, keeping close to the client.
Boards can fail at risk management when the directors start to feel that risk is someone else's problem. My concern is that boards are becoming over-reliant on formalized and over-engineered risk management processes. By creating risk committees and structures they step up the volume of reporting but may fail to see the wood for the trees.
The so-called “RAG” chart - Red Amber Green status markers - has a long and useful history in project management and software development. In recent years it has crept its way onto most board agendas as a method of classifying risks to the business. Risk management seems to have become an industry in and of itself.
HOW DID THIS HAPPEN?
When things have gone wrong with public companies, regulators tend to react by demanding additional rules and procedures.
The collapse of Enron in 2001 led to the Sarbanes-Oxley Act (SOX) which was a major influence on new rules from the UK’s Financial Reporting Council.
The Great Financial Crisis in 2008 (the “GFC”) led to the Dodd-Frank Act in the USA and the Financial Services Act in the UK.
The Covid pandemic showed the fragile nature of global supply chains which led to calls for boards to do more about risk.
The new, and controversial, Provision 29 of the revised UK Corporate Governance Code calls for the board to:
Make a declaration on the effectiveness of internal controls.
Review and evaluate risk management frameworks.
Provide enhanced transparency in reporting on risk.
Have greater accountability to identify and mitigate emerging risks.
These are all laudable aims, but they are likely to involve boards instituting a further layer of formal processes and specialist appointments. They can then record in the minutes that they have done something, but might these actions actually reduce active focus on risk by executives? Process can mask performance.
All of this has produced a new board best-practice acronym, “GRC”: Governance, Risk and Compliance. Accountants, lawyers, consulting firms and software providers are all jumping on this bandwagon to provide GRC services. By in effect “outsourcing” and systemizing risk analysis, boards might be able to show regulator-pleasing activity but may lose direct touch with the real dangers faced by their organization.
Having chaired boards for the last 25 years, I have seen risk management activity consuming more and more board time and resources. I now hold what might be regarded as a slightly heretical view: that all of the process is getting in the way of boards genuinely recognizing and managing risk. But the regulators and legislators are demanding more and more. At times it feels like there are more referees on the pitch than there are players involved in the game.
All this formalized activity can lead a board to become complacent because it has so many mechanical actions in place. The delegation of risk analysis to a risk committee is a particularly worrying development, as it may result in the main board itself having a sense that their job is now done for them.
The approach to risk does not need to be that complicated. In practice risks to a company fall into a number of simple categories:
Credit risk is that your customers do not pay you on time or possibly not at all. Any organization with a small number of big customers obviously needs to look very carefully at their solvency and behavior before shipping product or supplying services.
Liquidity risk is that the company may not be able to pay its own obligations such as salaries, interest charges or debt repayments. This is cash management, which is very much within the ability of the board to control.
Market risk is more challenging and reflects that demand for your product may slump either because your customers have found an alternative or they are switching to your competitors.
Technology risk should not be confused with IT issues. It is the possibility that new technologies come along which render your business's product or service redundant. An obvious example is Internet sites taking classified advertising from newspapers.
Infrastructure risk reflects that your factory might burn down, or your IT system may be subject to a cyber attack.
People risk is what happens if essential skilled staff leave. You can get key-man insurance, but the real solution is found in succession planning.
The stock exchange listing documents for new companies now contain many pages of boiler-plate disclosure about risk. These are there in preparation for potential litigation but often have limited connection to the realities of the business. Boards must avoid falling into the same trap with ongoing risk analysis.
CONCLUSION
Boards should identify the risks that genuinely relate to their organization - accepting these may change over time. Limit this list to a small number. Avoid pages of generic RAG charts. Focus on the issues which make a real difference.
Do not delegate to a committee; allocate to an individual. Have a named executive associated with each significant risk and have that individual prepare a one-page note on the mitigating actions if the risk comes to pass. Have them update this paper twice a year. And, ideally, they give a brief report in person to the board annually as part of an annual risk session.
If a risk needs external input – typically cybersecurity issues – the named individual should provide updated input from the experts in their report.
Boards should discuss risk, albeit briefly, at every meeting. The chair should encourage “What if…?” questions, ask “What has changed?” and avoid a “We’ve ticked the box” mentality.
Risk management should not be a ritual of structured reporting. It needs to be a dynamic part of every board meeting.