The raft of risks facing a business are more complex, interrelated, and fast-moving than ever before. Good risk management, therefore, is key to helping organisations thrive – not just survive. We examine how boards can help their organisations manage risk more effectively and foster resilience in such uncertain times.
Board members and managers have all had to be risk managers these past three years. From the COVID-19 pandemic and the Russian invasion of Ukraine to the energy crisis and the soaring cost of doing business, organisations have been pushed to not only manage and mitigate a confusing welter of risks, but to consider whether they still have the right approach to risk management.
Peter van Veen, Director of Corporate Governance and Stewardship at ICAEW, believes the traditional approach to risk management is still useful to control known risks, but is not sufficient in helping organisations prepare for the unknown. “Often the classic approach of risk management is to focus on the things that are in risk’s control and how these can be remediated,” he states.
“For example, a typical risk report to an audit and risk committee may flag internal fraud as a key risk and detail that it is managed through policies and controls. This is all fine and it is important that boards know there is a plan, but every company should be doing these things and, unless there are significant deficiencies, it only really necessitates an annual conversation at board level to check that all the business processes are robust. What is much more interesting, however, is how businesses are identifying and managing the risks to their business that aren’t within their control.”
Focus, focus, focus – the role of the risk function
Most organisations operate a risk function in some shape or format. In some sectors, notably financial services, risk management divisions can be extensive, with different teams focused on very specific types of risk, such as market risk. However, successful risk management is not typically determined by having a large team or lots of dedicated resources, but is about ensuring that the right risks are being identified and that they are being managed effectively by the business.
Caroline Wehrle, former Global Head of Risk and Compliance of a FTSE 100 company and a non-executive director on multiple boards, says: “Good risk management comes down to a combination of curiosity and intelligence to really think about what's going on in the world and how it impacts your organisation. You also need the communication skills to really partner with business managers across all the functions to understand what is happening across the business.“Armies of people aren’t necessary to do a good job – I think such armies just create very long lists of risks. What you want is the list to have the right risks, and to have the right conversations so that they get owned and managed by the business. It's not the risk management function’s job to manage these things for the business – it’s about making sure that the business takes adequate ownership.”
Stefan Gershater, Director of Risk at Burberry, also warns against “a long list of scary things that might happen”. Instead, his view is that the purpose of the risk function is to help create and protect value and that, instead of leading with the ‘language of risk’, risk functions need to lead with the ‘language of business’ when they are dealing with the rest of their organisation.
“The reason that lists of scary things are not a good strategy when you're leading a function like risk is because people get bored,” he states. “We have to think about ‘Why does the P&L leader get out of bed each day and put in an 18-hour day?’ Clue: it’s not to do with risk; it’s to do with all the things that get them excited in their core work. So, risk needs to start talking that same language and be much more commercially driven.
“By the same stroke, we also need to understand the other desires of a business. We want to understand the environmental, social and governance commitments that we've made or the reputational capital that we need to generate in order to have a brand that people believe in and want to buy from. The challenge that I lay at the door of my risk team is: ‘How have we added value? How have we understood what the business is doing and what is getting them excited?’ So that when we come along and apply a risk lens, which is essential, the risks identified are now problems that we need to fix in order to generate that value.”
Organising risk at board level
Ultimately, the responsibility for strong risk management lies with the board. The approach taken to functionally managing risk at board level varies depending on the type of organisation. “There is no one size fits all,” states David Buckley, a former European CFO of a US investment bank and a non-executive director on multiple boards. “You have to put something together that is appropriate for the organisation and structured so that you have the necessary skills in place in the relevant committees to manage those risks.”
One of the most common approaches is to manage risk through an audit and risk committee, but it can vary by sector. In financial services, for example, it is standard practice to have a specific risk committee separate from audit to focus on the very set risks faced by financial institutions, such as failing counterparties. Buckley adds: “In financial services, for large firms, the need to have a risk committee with a dedicated Chair and a separate Audit Committee is important. Other organisations, for example in the arts world, would tend to combine the two because they're not facing very substantial market risk or credit risk in the course of their work.”
However, finding time to give risk an appropriate weighting can be a challenge for some audit and risk committees. As Van Veen explains: “Often audit and risk committees are up to their eyeballs with audits, financial and internal controls, preventing fraud and so forth. Risk can struggle to get the time in the diary, as it already stands. So, when you bring new and emerging risk topics to the table, how much bandwidth is there really in the audit and risk committee to even think about that?”
To overcome this, organisations should at least consider splitting out risk management to ensure sufficient focus. Wehrle details the approach one of her boards has taken: “My housing association board has separated audit from risk and formed a risk and compliance committee to enable us to spend more time on risk topics because they weren't getting the airtime needed by the time we had gone through the audit and control agenda.”
Another approach can be to hold additional meetings for deep dives outside of the standard quarterly meeting agenda. “Certainly, in the financial services sector, it’s become the norm now for risk committees to gather from time to time on an ad-hoc basis. Sometimes it’s because we've got a large regulatory submission to make or because the committee needs to do a deep dive into a specific topic,” states Buckley. Holding such ad-hoc meetings can also be useful in driving a more agile, responsive approach as and when specific problems emerge, rather than being beholden to the established schedule of meetings for the year.
Of course, the approach can evolve depending on the needs of the organisation. Wehrle explains, “We’re going through a review at the housing association at the moment and, while we have not yet made a decision, we may decide that it's a good time to bring audit and risk back together. We knew we had a lot of work to do on the maturity of our risk and compliance programme and we’ve made progress on that. Certainly, I think there's value for organisations that are early on in their risk journeys to have a separate risk committee to really get enough time into it.”
Casting a wider net
Aside from time, another key challenge faced by boards is developing the knowledge and the expertise to keep pace with the growing volume and variety of risks faced by organisations today. Increasingly, boards are taking a much more formal approach to ‘horizon scanning’ to ensure they are identifying potential risks to their organisation. “On all my boards now, a lot of work goes into considering what is going on in the world and how that applies to us,” says Wehrle. “We look at sources such as the World Economic Forum’s annual risk review and consider how the issues may play out and whether we need to add them to our risk system.”
In this context, it is worth noting that the most successful boards tend to have a strong, diverse board composition that draws on a variety of experiences. “Board composition is key. You have to have the right skills sitting around the table to understand the implications,” states Buckley, “although for smaller organisations in particular that can be a challenge, so they need to be creative in finding that breadth of experience.”
On occasion, it can be useful to call on external expertise to provide additional support. Van Veen states: “It's good to bring that external expert in because it means you can have an in-depth conversation on that topic. Otherwise, it is a case of reading a paper that someone internally has prepared on a given topic, but that paper may be the sum total of their knowledge on the subject.”
Asking the right questions
Ultimately, the role of the board is not to know all of the answers, but to ensure that it is asking the right questions of the business to understand the risks faced in order to manage them appropriately. To aid this, it is essential that the risk management team supports the relevant people in the business to present to the board their own view on key risks. “I don't often really want to see the risk function presenting at the board,” states Wehrle. “They should absolutely be there, but I want to hear from the person who's ultimately going to be managing that risk. So, if it's a potential risk in the supply chain or logistics, I want the head of procurement or the head of supply chain to talk about it.”
Furthermore, in holding these conversations with the business, boards need to be sure they are probing sufficiently to unearth the real concerns of business leaders. Marta Phillips, chair of a number of audit and risk committees, talks through how she achieves this: “I have invited senior leadership to come to talk about how risk is managed in their area. I ask: ‘What keeps you awake at night?’ I don't want them to present a paper – they may bring three or four PowerPoint slides – but this is about having a discussion on how they manage risk, how they know that staff are doing what is expected of them and how emerging problems are spotted. It’s these discussions that really enable a board and an audit committee to not only understand the business, but to take that information and our own collective experience to think: ‘What are the risks that could affect this organisation and how do we need to position ourselves so that we don't end up in trouble?’”
Fundamental to successful risk management, though, is the need to encourage collective responsibility across an organisation. Indeed, just as with health and safety, many risks are best managed and mitigated by the relevant individuals in all parts of the organisation, and so a risk management culture needs to be ingrained in all colleagues for best risk practices to prevail.
“Risk management is a collective responsibility for the whole organisation, but clearly the board needs to be a leader,” summarises Phillips.
CPD courses for boards
ICAEW offers virtual CPD courses to support those considering becoming a board member and those who have recently joined a board, as well as those looking to develop their skills as a board director.