From shop floor to boardroom: the changing face of risk management
Management of risk is increasingly becoming a focus for boardroom action and behavioural science rather than a 'tick box' process carried out lower down the organisation.
The past decade has seen some spectacular business meltdowns, from energy company Enron through retailer Woolworths Group PLC to the recent leadership troubles at the Co-operative Bank. At the other end of the scale, half of the start-up businesses in the UK fold within the first two years. The financial and human cost when companies and projects fail is enormous. Yet risk still has to be taken, since without it there will be no growth, no profit and no progress. Corporate governance requirements are becoming more prescriptive in requiring risk management arrangements to be clearly in place. Even for smaller businesses, evidence of effective risk management is increasingly being demanded by suppliers, investors, insurers and other stakeholders. Legal developments in the field of corporate manslaughter hold out the prospect of criminal prosecutions for company directors if a fatal accident occurs and they cannot demonstrate that their risk and safety management systems are robust and at least up to industry best practice. Similarly, robust sanctions for directors are in prospect in relation to bribery and data protection.
The stakes are high. Not only must you have 'risk management' but, more importantly, you must have risk management that works.
The Financial Reporting Council recently released its draft guidance on how companies should approach the requirements in the UK's corporate governance code in relation to risk management, internal control and the going concern basis of accounting. These proposals, with which all UK listed companies are going to have to comply (and which are also likely to be highly influential in shaping corporate governance developments in other sectors), will seriously raise the bar for risk management at board level.
In future, boards will be required to carry out a robust assessment of the principal risks facing the company and explain, in the annual report, how these are being measured and mitigated. The guidance also, for the first time, requires firms to give serious consideration to such matters as the extent to which the company is willing to take on risk - its risk appetite - and to ensure that sufficient attention is paid to complex but important human factors like risk culture, behaviours, incentives and rewards. The past 15-20 years have seen the development of increasingly sophisticated systems of risk management, alongside more codes, regulations and processes. But the various enquiries and analyses that take place when things go wrong usually tell the same story - on paper the organisation appeared to have the right processes, but these are applied by complicated and fallible human beings who may not always behave the way they are expected to in relation to risk.
The complexity of modern business also complicates the picture further - the extended and interconnected nature of today's supply chains, partnership working, outsourcing (including 'cloud computing') and new ways of delivering public services mean that the old 'command and control' model is not going to work in the new, fluid and networked environment. The problems last year with the appearance of horsemeat in various supply chains for beef products highlight the difficulties in managing risks across these extended enterprises (a subject on which a group of IRM members is currently preparing some practical guidance).
We have come a long way from the rigid 'silo' based approach to risk management of a couple of decades ago, where task-based activity like health and safety was dealt with in one part of the organisation, insurance purchase in another, computer disaster recovery in another, legal compliance in another and so on, with none of these departments really talking to each other, let alone co-ordinating their risk activities. Enterprise risk management approaches have done a lot to focus attention on the broad range of threats to corporate objectives and the need for risk management to be embedded consistently across the organisation's processes, breaking down the old silos. This has included, in many organisations, the development of sophisticated quantitative techniques to measure risk. Yet, as we have seen when looking at the real-life examples of corporate collapse, at the end of the day actions are taken (or not taken) and decisions made (well or poorly) by people. Understanding why people do what they do, and applying this knowledge to risk management, is going to be the hot topic of the next decade.
The Institute of Risk Management