Friday, 6 July 2012
New guide aims to break glass ceiling between board and risk management
Airmic and the Institute of Directors (IoD) have published a new guide in a joint effort to break the glass ceiling that restricts risk information from reaching boards of directors and to help facilitate better risk governance across all organisations.
Primarily aimed at non-executive directors to enhance their risk oversight, the guide, Business Risk: A practical guide for board members, says that risk should be at the heart of corporate strategy and that the tone for its management should be set from the top levels of an organisation.
It attempts to change boards’ perceptions of risk as a purely negative force and show that managing both its upsides and downsides can help them set and drive strategy for growth. Reputational risk management should be the key focus for IoD members, it stresses.
The new guide was conceived last year following Airmic’s widely applauded Roads to Ruin, A Study of Major Risk Events: Their Origins, Impact and Implications report, written by the Cass Business School on behalf of the UK risk management association.
The Roads to Ruin report studied 18 of the biggest corporate and risk management failures in history and found seven common risks that can pose a real threat to any organisation, regardless of size, if not properly managed. Several of these risks relate to board deficiencies.
The seven key risks are:
- Inadequate board skills and an inability of NEDs to exercise control
- Board risk blindness—board failure to recognise risks inherent in the business, including risks to business models and reputation
- Inadequate leadership on ethos and culture—risks from a failure of board leadership and implementation on ethos and culture
- Defective internal communication—risks from the defective flow of important information within the organisation, including up to board level
- Risk from organisational complexity and change
- Risks from incentives, including effects on behaviours resulting from both explicit and implicit incentives
- Risk glass ceiling—risks arising from the inability of risk management and internal audit teams to report and discuss, with both C-suite executives and NEDs, potential dangers emanating from higher levels of their organisation’s hierarchy, involving, for instance, ethos, behaviours, strategy and perceptions.
“Risk governance is not as effective as business would like it to be. This carries the danger of risk blindness. Effective risk management should be at the heart of strategy to ensure sustainable growth,” said Airmic on the report’s findings.
The IoD guide attempts to address these issues. “The challenge we set out to address with the IoD project was how can we manage the risk glass ceiling and how can boards be more effective in risk governance,” said John Hurrell, Airmic’s Chief Executive, at the guide’s launch in London.
Encouragingly, Dr Roger Barker, Head of Corporate Governance at the IoD, said that Airmic was ‘pushing against an open door’ when it approached his institute to address some of their concerns.
“We at the IoD shared the fear that, particularly in the period leading up to the financial crisis, risk management as an activity had increasingly developed in a rather specialist direction and become an activity that tended to be the responsibility of particular individuals or departments within an organisation and, as a result, was becoming more and more removed from the more strategic deliberations of the board. This was not a development that we welcomed. There is nothing wrong with building risk management expertise at all levels of an organisation, but our view was that the board itself has a distinctive role to play in the risk management process and that risk management needed to become a more explicit part of the board’s activities.”
Contributions to the guide from sponsors Willis, PwC and Chartis, and other leading experts in their field, have produced a ‘very powerful end product’, continued Dr Barker.
“Overall we hope that this publication, which provides insights from a range of independent experts, will provide directors with both practical ideas and tools and increase their level of confidence in fulfilling their crucial risk management role,” he added.
The IoD’s Director General, Simon Walker, was equally effusive about the guide and said its key message is the importance of acknowledging the positive outcomes of risk management.
“We live in an age when the concept of risk is misunderstood and misrepresented. Risk is seen purely in negative terms and we have to expel that notion, which is, in itself, a risk,” he said.
Risk management is not only crucial to help organisations avoid disaster but is critical for driving growth, he continued.
“The guide is designed as a practical companion to navigate those complex waters. Risk is not the cartoon villain that it is sometimes made out to be and we hope that this new guide will help board members across the country in every sector to gain a real understanding of how to control risk properly in order to shield their companies against problems and unlock great opportunity,” he explained.
Key to this appears to be the dismantling of the glass ceiling effect that prevents boards accessing risk information from within their organisations.
The Roads to Ruin study found that even where boards consider risk, vital risk information often fails to get through the glass ceiling.
In other words, boards have discussions without the benefit of information already circulating lower down the organisation that would enable them to make better informed decisions and potentially avoid disaster or set better strategy.
The question arises as to whether this is due to risk managers not being heard or boards not listening.
“We are talking about both situations, ie information not getting to the board and if it does, being ignored,” Mr Hurrell told Commercial Risk Europe.
“But frankly, I'm not sure the failure is a process failure, it is a leadership failure,” he went on. “The CEO and the board set the tone for the organisation and, in the Roads to Ruin case studies, the catastrophic failures were either directly the result of board level actions or strategies or the result of operational activities in the pursuit of the strategic objectives set by the board and reinforced by the remuneration structure,” he said.
“The IoD publication seeks to remind directors that there are risk implications to their strategies and to be prepared to ask questions and to challenge assumptions in order to create a more risk robust organisation,” he added.
The IoD’s Dr Barker told CRE that the glass ceiling effect, or gap in communication, is often due to language differences and organisational structures, processes and culture.
“Part of it might be that risk managers are speaking a slightly different language to directors, it is often more technical, somewhat less strategic and for that reason directors perhaps aren’t thinking about issues in the same way,” he argued.
“The second reason could be simply that there haven’t been links established between the board and people in these risk areas for various reasons. In a worst case situation it could be that the executive of a company doesn't encourage it, that they believe there should be reporting through them and it is for them to tell the board. Or it could occur simply because the board itself hasn't actively sought out these people and established the right links and established who might be the relevant people to talk to, be that a risk manager or whoever.”
In what is music to risk managers’ ears, he called for more direct links between the board and those that hold risk information.
“Directors and the executive need to come to a clear and explicit understanding that the board is going to have direct links with certain individuals within the company and that that is acceptable and to be encouraged. We need to think about how that is undertaken, it needs some care, but it should be accepted as a part of good governance. The board should feel perfectly happy to pick up the phone and ask ‘is there anything I should know about?’” he said.
Speaking at a Tomorrow’s Value Lecture Series event entitled ‘From Ruin to Resilience Building Value, Breaking the Risk Glass Ceiling’, experts agreed that changing boards’ attitude to risk and dealing with the reporting barrier will not be easy.
James Duckworth, Director, Control Risks, was critical of boards’ approach to risk, going as far as to suggest they are receiving information but are choosing to ignore it.
“In my experience that is the most difficult area of risk. Most of the board members, and particularly CEOs, tend to know what is going on with the risks but they do not want to address it for whatever reason—it may hit their turnover, their profits or whatever,” he said.
“You will only increase the frustration of risk managers by increasing their skill and ability to know what the risks are if they get the same defence mechanisms from the board members,” he warned.
Richard Sykes, Governance Risk and Compliance Leader at PwC, said that too often boards are still discussing strategy without actually considering risk.
“The key is for boards to link strategy and risk together as opposed to considering risk in a different light. This is where I think the guide helps to show risk is not something to be scared of, but rather to be taken in the confidence that we understand what the risks are, understand how to manage those risks and therefore have the confidence to drive the strategy. There is certainly much more willingness to engage in that discussion than before,” he argued.
For risk management to finally break through to board level, Airmic’s Technical Director, Paul Hopkin, believes education is key and that the new guide is a good first step.
“Partly it’s education and particularly for non-executive directors. They need to really understand risk management and get it. One of the problems is that these people are very busy and so need clear, simple presentations and the right kind of information to absorb. The book that Airmic has just published with the Institute of Directors is a starting point. To learn something new, most people need some training. And of course companies should have people on the board who can have risk management knowledge, if not risk managers themselves,” he said.