24 March 2022
We recently ran a NED Network event which focused on how risk management can be a game changer for the Board, and specifically NEDs. As you can imagine, the conversation was wide ranging, and we inevitably touched on what happens when risk management is done badly.
We have all seen examples of poor risk management in the last decade, so it continues to be the responsibility of the Board to practise effective risk management, and of the NEDs on those Boards to challenge those practices.
So often risk management is a tick-box exercise for Boards that addresses the bare minimum needed to secure profit and success. However, a more hands-on and proactive approach to risk is necessary to build a sustainable competitive advantage for organisations today.
Risk management does not have to focus only on the downside; it can create significant and tangible opportunity.
Some of the key points we covered during the session included:
- Strategic risk management should never be just a document that is looked at once a year. Continuous monitoring, horizon scanning and review allow an organisation to stay on top of, and often ahead of, disruptive risks
- Enable your Board to focus on the right risks, with enough time to assess them
- Ensure your risk reporting is succinct but actionable
- Encourage a culture of transparency for risk management
- Create a risk management approach that is proportionate to your organisation, enables you to focus on the right risks and lets you articulate those risks effectively
- Analyse trends and developments so you can scrutinise what is changing
- Listen to your risk manager – they are the experts
- Establish an effective risk committee, that has the right people on it
- Determine with the Board a set of strategic risks, map out the key controls and keep these under review drawing on assurance sources – both management and independent
- Consider undertaking a risk maturity assessment to fully appreciate the effectiveness of your risk management arrangements. This allows for relevant stakeholder engagement and identifies risk management activities that could be refined or developed further, providing for continuous improvement.
We received a number of questions during February's session and have addressed these below. We have produced a slide deck to accompany this article, which can be referred to for examples.
Please note where reference is made to “the Board” in the responses below we mean NEDs, Executives, Trustees, in fact anybody who is responsible for the strategic direction and control of a business or is charged with governance:
Do you think a risk register is an effective tool?
Risk registers are key to collating the right information for review (the risks, the existing controls, the risk profile or priority, the actions to be taken and so on), but they should be used in a dynamic way, with regular review and updating by business management and with the outputs used to inform business decision making. Too often this is not the case, and in extreme cases the risk register is only reviewed once a year.
That said, a risk register can be a somewhat "blunt instrument", and Boards need to consider how it can be used effectively: how the information gathered via the risk register can be integrated into Board reporting to add value to strategy setting, planning, board discussions and decision making, rather than looking at the risk register in isolation.
A risk register must be a constantly evolving, responsive tool that the Board can use to adjust its responses to current and future events accordingly.
We are seeing some significant fines at the moment for well known companies when it comes to regulations like Anti-Money Laundering, do you think some organisations are accepting such fines as a general business overhead because boards are focused more on the commercial benefits of such activity?
Stuff happens. An effective risk management framework, however, should ideally reduce the likelihood of negative stuff and enhance the occurrence of positive stuff.
By the risk management framework I mean: communication and understanding of relevant and reliable policies; regular risk assessment of activities; the completion of actions to address weaknesses in controls or compliance; the use of key performance or risk indicators as a measure to inform risk exposures; continuous staff (and board) learning and development to ensure skills and knowledge keep up with the pace of change in the business environment, IT security and anti-money laundering being examples; and effective monitoring, oversight and scrutiny of these elements via management, the board (or its sub-committees) and the use of internal audit in some form. Together these components make up a business's "licence to operate", the fundamental building blocks that keep a business safe and, in the case of the question posed, safe from regulatory fines or imprisonment.
However, the effective application of the above depends on the business culture, more often than not driven by "the tone from the top": what is acceptable and what is not? This culture will be reflected in the business risk appetite. It is possible that a Board pursues a commercial strategy in which it accommodates a level of fines in return for commercial benefits, but does this make it right?
Much of the law that governs business, whether in the corporate or not-for-profit sectors, seeks to ensure that Boards act lawfully and in the best interests of stakeholders. Conscious decisions to support unlawful or unethical behaviour are increasingly being exposed via whistleblowing, regulator updates and increased transparency in public reporting, affecting how stakeholders, be these investors, potential employees, customers or suppliers, perceive and want to interact with these businesses. All of this gets played out via social media, often with widespread negative reputational impact on the business in question and in particular on the Board, making for significant remedial costs corporately and a nasty stain personally for those involved.
In summing up, if a board does take this path (as suggested in the question raised) then it should do so only after weighing up all the pros and cons, and if it does decide to continue down a route of law breaking for commercial gain then it does so at its own peril.
Think Volkswagen, think Northern Rock. All high-profile public failures resulting from Boards not effectively fulfilling their role, not effectively enabling and providing challenge, and not reflecting on or understanding the potential consequences of their actions or inaction.
With regards to risk appetite, do you recommend having a risk appetite statement for each strategic risk, or risk appetite themes of risks, i.e. financial or regulatory?
There is no set way necessarily.
On a personal level, however, I am inclined to have a set of risk appetite themes based on the strategic risks. My rationale is that the strategic risks by their nature are areas of risk that are important to the Board: they will have a fundamental impact on one, some or all of the business objectives, and therefore it seems logical to have the business risk appetite aligned with these. In doing so the Board sets the basis of the enterprise risk management framework, with the strategic risks driving the risk appetite themes, the risk scoring reflecting the risk appetite themes and levels of risk appetite, and these same themes then driving operational risk identification and reporting. As a result all of these risk management framework components are neatly aligned and integrated; they do not exist in isolation from each other, despite this often being the case in reality.
I often refer to the strategic risk management "holy trinity": the alignment of the business objectives, the strategic risks and the risk appetite. This triumvirate works together, each influencing and driving the others, and it will soon become apparent if they are out of kilter, as the boardroom conversation will not be the right one.
The risk appetite statement provides a useful way of articulating the above and thus ensuring it can be communicated across the business. In doing so it becomes part of the board psyche and point of reference for board, sub-committee and management decision making, monitoring and assurance provision.
Typically how can risks be aggregated from the ‘shop floor’/ first line to the board to gain an understanding whether the risk appetite statement is within tolerance?
Firstly, it is important to have a mechanism that enables this in an efficient manner such as a risk management information system – I referenced the RSM Insight4grc suite in the webinar, and in particular 4risk the risk management and assurance module which will do exactly what is required here. More information can be found at www.insight4grc.com
Risk management software aside, there are two elements to achieving this:
i. a set of defined risk management themes (or categories). These can be used to drive risk identification at the “shop floor” with each risk then being aligned to one of the risk appetite themes (or sometimes more than one).
ii. the risk appetite level being aligned with the risk scoring matrix (impact v likelihood / probability), thus it is possible to identify the boundaries on the risk matrix (or heat map as it may be referred) for low to higher risk appetites - averse, minimal, cautious, open and hungry are often used to describe risk appetite levels.
Thus, if we are able to draw together all of the risks from across the business associated with one of the risk appetite themes, then we are also able to plot those risks on the risk matrix (or heat map) by risk appetite theme, providing a picture of the volume of risks and the spread of risk, i.e. the level of exposure that is being carried. If we have set the risk appetite levels in the form of boundaries on the risk matrix then we can also identify which risks are within appetite and which sit outside it.
The questions that can then be asked are: are we comfortable with this spread of risk given our risk appetite? Will the actions we are pursuing bring the risks within our risk appetite level on the matrix? What further actions should we be taking? And how confident are we that the existing risk controls are effective, especially for risks that sit within our risk appetite boundary? In other words, what assurance do we have?
Do you think that risk ratings should be a mechanical calculation or judgemental?
I would suggest that businesses do create a risk scoring criteria, including both impact and likelihood / probability and that this is annotated and communicated across the business. Ideally aligned with the risk appetite themes as I have mentioned in response to question 3 above.
However, I would suggest that the combination of impact and likelihood is not treated as a simple multiplier, which is often the case. Where a business uses a 5 x 5 scoring approach, an impact of 5 (usually catastrophic) with a probability of 1 (usually a very low likelihood) results in a combined score of 5, being 5 x 1. Equally, a score of 5 is also reached where the impact is 1 (usually very low) and the probability is 5 (usually almost certain). Despite both risks being scored as 5 they are very different in nature and require a very different risk management approach. In the first case attention would be given to ensuring that the existing controls remain effective, through obtaining appropriate assurance; if they are not, the risk could materialise and potentially destabilise the business to its core. In the latter case immediate action may be required, but even if no action were taken the business could easily withstand the effect of the risk materialising. So, very different risks with a very different risk management response, yet both scored as a 5. This could easily blindside a Board, both its understanding of its risk exposure and the way in which the risk should be managed.
The problem with purely judgemental scoring is that it creates inconsistency. One individual's view of a risk could be very different from another's, and this is exaggerated further across a whole business, between functions and operations. That said, there is always an element of judgement, even where scoring criteria are defined; however, the use of scoring criteria allows for a more informed assessment of the risk and provides a basis for comparison between risks and for reasonable challenge, i.e. can you explain why this risk was scored in this way (referencing the scoring criteria)?
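As an added example (not part of the original article, nor of the RSM software it mentions), the following Python sketch shows the two mechanisms described in the aggregation and scoring answers above: aligning each risk to a risk appetite theme and testing it against that theme's appetite boundary on the matrix, and replacing the impact x likelihood multiplier with a lookup matrix so that a catastrophic-but-rare risk and a trivial-but-almost-certain one no longer both score 5. The 5 x 5 band layout, the mapping of appetite levels to a ceiling band, the response rules and the sample register are all assumptions made for illustration; a business would define its own criteria.

```python
from collections import defaultdict
from dataclasses import dataclass

# Rating bands in ascending order of severity. The 5x5 lookup below is an
# assumed layout for this example, not the article's own criteria. It is
# indexed [impact][likelihood - 1] on 1..5 scales and is deliberately
# asymmetric, so that a catastrophic but rare risk (impact 5, likelihood 1)
# is rated "high" while a trivial but almost-certain one (impact 1,
# likelihood 5) is rated "low". A plain impact x likelihood multiplier
# would score both as 5.
BANDS = ("low", "moderate", "high", "critical")
RATING_LOOKUP = {
    1: ("low", "low", "low", "low", "low"),
    2: ("low", "low", "low", "moderate", "moderate"),
    3: ("low", "low", "moderate", "high", "high"),
    4: ("moderate", "moderate", "high", "high", "critical"),
    5: ("high", "high", "critical", "critical", "critical"),
}

# Risk appetite levels named in the article, mapped (an assumption) to the
# highest rating band the Board is prepared to carry for a theme without
# further action.
APPETITE_CEILING = {
    "averse": "low",
    "minimal": "low",
    "cautious": "moderate",
    "open": "high",
    "hungry": "critical",
}


@dataclass(frozen=True)
class Risk:
    ref: str          # register reference
    theme: str        # risk appetite theme the risk is aligned to
    impact: int       # 1 (very low) .. 5 (catastrophic)
    likelihood: int   # 1 (rare) .. 5 (almost certain)


def multiplicative_score(impact: int, likelihood: int) -> int:
    """The conventional impact x likelihood score the article warns about."""
    return impact * likelihood


def rate(impact: int, likelihood: int) -> str:
    """Rating band taken from the lookup matrix rather than a multiplication."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on a 1..5 scale")
    return RATING_LOOKUP[impact][likelihood - 1]


def response_for(impact: int, likelihood: int) -> str:
    """Management focus, following the two cases contrasted in the article."""
    if impact >= 4 and likelihood <= 2:
        # Severe but unlikely: the priority is assurance that controls hold.
        return "assure existing controls remain effective"
    if impact <= 2 and likelihood >= 4:
        # Near-certain but minor: act if cheap; the business can absorb it.
        return "act to reduce likelihood; exposure is tolerable"
    if rate(impact, likelihood) in ("high", "critical"):
        return "act and assure"
    return "monitor"


def spread_by_theme(risks):
    """Counts per (impact, likelihood) cell for each theme: the heat map data."""
    cells = defaultdict(lambda: defaultdict(int))
    for r in risks:
        cells[r.theme][(r.impact, r.likelihood)] += 1
    return {theme: dict(grid) for theme, grid in cells.items()}


def outside_appetite(risks, appetite_by_theme):
    """Risk refs, grouped by theme, whose rating exceeds the theme's appetite ceiling."""
    exceptions = defaultdict(list)
    for r in risks:
        ceiling = APPETITE_CEILING[appetite_by_theme[r.theme]]
        if BANDS.index(rate(r.impact, r.likelihood)) > BANDS.index(ceiling):
            exceptions[r.theme].append(r.ref)
    return dict(exceptions)


# Constructed sample register and appetite settings (illustrative, not real data).
SAMPLE_RISKS = [
    Risk("R1", "regulatory", impact=5, likelihood=1),
    Risk("R2", "regulatory", impact=1, likelihood=5),
    Risk("R3", "financial", impact=3, likelihood=4),
    Risk("R4", "financial", impact=2, likelihood=3),
    Risk("R5", "strategic", impact=4, likelihood=5),
    Risk("R6", "strategic", impact=4, likelihood=3),
]
SAMPLE_APPETITE = {"regulatory": "averse", "financial": "cautious", "strategic": "open"}

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.ref, multiplicative_score(r.impact, r.likelihood),
              rate(r.impact, r.likelihood), response_for(r.impact, r.likelihood))
    print(outside_appetite(SAMPLE_RISKS, SAMPLE_APPETITE))
```

Run as a script it prints, for each sample risk, the multiplier score alongside the lookup band and suggested response, so R1 and R2 both show a multiplier of 5 but land in different bands, and then lists which risks sit outside appetite for each theme. The lookup matrix is the part a Board should own: its shape encodes which corner of the heat map the business treats as needing assurance and which it treats as tolerable.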
Is there a risk that terminology and labelling could cause confusion?
Yes, in some cases there can be. Many businesses will use different terminology for the same thing. It is important for each business to define its risk management terminology as part of its risk management framework and guidance, and to ensure this is communicated and understood across the business.
Regarding strategic risks - should these go to the board of trustees or to one of the sub committees, like audit and assurance committee?
The Board is ultimately accountable for the management of risk; however, in practice the responsibility for ensuring the effectiveness of risk management is a mainstay of the Audit Committee (or equivalent, i.e. Audit & Assurance, Audit, Risk & Assurance, etc.). The Audit Committee is then able to advise the Board on these matters.
With regards to the day-to-day management of the strategic risks, this responsibility will in practice fall to business management.
It is not uncommon for individual strategic risks to fall within the sphere of responsibility of a sub-committee where this is appropriate. The sub-committee can then instigate its own risk management deep dives in respect of these risks; however, the day-to-day management of the strategic risks will still lie with business management. If a sub-committee were to get involved in the actual management of a strategic risk, this would in many ways mean the members of the sub-committee had stepped into an operational management role, undermining the governance of the business by merging accountability and responsibility, as well as creating practical difficulties as to who is actually managing the business.
The Audit Committee in fulfilling its role would need to take the above into account when advising the Board.
With this in mind, the Board should receive a report on the management of strategic risk, recognising that the Audit and Assurance Committee will have or should have undertaken a more in-depth examination. Thus, a report from the Chair of the Audit and Risk Committee would be appropriate for this purpose. The Board should not repeat the exercise but should be allowed to challenge any item that is reported and refer it back to the Audit and Assurance Committee.
Consideration should also be given to forming a risk committee (or group) which acts as a mechanism whereby all aspects of risk can be considered from across the business: the management of strategic risks, emerging risks and high operational risks. This committee or group should be appropriately sponsored and include the right individuals as members. Far too often, although great in principle, such groups are weak in reality because they are attended by staff too low in the business, without sufficient knowledge, experience or authority to achieve what is expected. The risk committee or group can act as a risk management engine room, with the outputs then going on to the Audit and Assurance Committee for its review and challenge.
The Board however should engage with the strategic risks and risk appetite in a number of ways:
- As a minimum, an annual review of the business's strategic risks and risk appetite. I say as a minimum because it should be an exercise undertaken more frequently, either as part of an in-year cycle and/or when driven by significant events. The most recent examples are Brexit, Covid, inflation and the cost and availability of resources, ESG factors and now potentially war in Europe. These are not necessarily risks in their own right that the business can always manage, but the Board must be alive to the fact that they can play through into its understanding of the strategic risks and how they are managed, potentially driving further actions to mitigate the new version of the strategic risk.
- Inclusion of the strategic risks in the board pack as a point of reference, i.e. on the agenda accompanied by a heat map with the risks plotted. These can be at headline level, but the aim is to keep them in the mind of the board when discussing items for decision making.
- Similarly, the reports for decision making should themselves reference how the outcome might play through into the strategic risks and their management, and should always explain the implications of the decision in the context of risk appetite.
Do you see operational risks ever being reported to Board of Trustees or any sub committees or is this not best practice?
See my response to question 7 above.
Where operational risks are aligned with strategic risks, and providing the operational risks have been appropriately risk assessed, the level of strategic risk exposure will be informed by these. Of course, it is possible that an operational risk is identified that is of such magnitude that it warrants reporting to the Board. In my experience the reporting of such risks is often done late in the day, so the risk is probably very near to occurring, and often due to a control failure or weakness that has gone unidentified or unreported and as such unrectified. Think Barings Bank.
I would not generally recommend reporting high operational risks to the Board, unless the situation is as described above, as it can draw the Board into management matters. That said, where a risk is of sufficient magnitude then it is appropriate to do so, coupled with the arrangements that are being put in place to counter and manage the risk.
That said, there is no right or wrong here and it very much depends on the risk management framework objectives and the accompanying governance and management structures in place to manage risk across the business.
"Assurance" as a term is used a lot in the NHS, but in the sense of reassurance by management that risks are being managed. I am interested in receiving externally provided assurance but there is far less of that. Has the panel experience of balancing management and external assurances, and of expecting there to be more external assurance?
I always define assurance as a level of confidence that an outcome will be achieved, in the case of managing a risk that the existing controls are effective and that any actions being pursued will be achieved and have the desired effect. To obtain this confidence there has to also be an appropriate form of evidence. However, that doesn’t mean that the Board need to see this – unless they wish to do so, but I refer to my response to question 7 where I have identified the ways in which various committees can be used for this purpose.
Assurance is a key component of risk management, though still too little is understood in businesses as to what this means or the role that management should play in providing this or how a board should go about obtaining this. Hence there is a lot of “reassurance”.
That said, I actively encourage Boards to work with management to create an effective assurance framework. After all, the first (1st) line of assurance, the risk and control owners directly involved in the activity itself, should be readily available. Moreover, when coupled with a second (2nd) line of assurance, a further layer of assurance provision from within the business though not directly involved in the management of the risk, this can become a very effective and economical mechanism for providing challenge to the 1st line and/or substantiating the 1st line assurance via triangulation.
At RSM we have created a risk management deep dive guide, this identifies the key considerations that should be given to obtaining assurance around the management of strategic risks, making use of internal assurance mechanisms, as well as independent.
We also have our Board Assurance Toolkits which are there to help businesses in various sectors develop their ways and means of gathering, mapping and monitoring assurances.
The common factor in both publications is that they reiterate the need for assurance energy and resources to be committed to the management of strategic risks, those risks of most importance to the Board.
Independent assurance is by its nature often considered the most reliable; however, it is also probably the most costly, and it is often provided at a point in time, whereas the 1st and 2nd line assurances that exist within a business can be accessed and used more frequently. There is no rule as to how much independent assurance should be obtained; it is very much the decision of the Board, though most businesses will have a combination: the majority from the 1st line, then a combination of 1st and 2nd line, with 3rd line / independent assurance focussed on certain areas of risk.
If the Board has a set of strategic risks and understands its risk appetite then this provides the basis of the Board Assurance Framework, as it is often referred to, enabling the Board to determine the type and level of assurance it may require.
Is there a RSM Risk Appetite Template that could be circulated?
Yes – happy to share, but you will need to contact me.
Summing up, the Boredom in the Boardroom event proved that the management of risk sits firmly and highly on the Board agenda, with all Boards wanting to ensure that their risk management arrangements are evolving and improving.
I touched on "The Great British Risk Management Reset", as I like to call it. My point is that all businesses should be taking time out (especially now) to reflect on the effectiveness of their risk management arrangements and strengthen them. Never in my own lifetime have so many events and challenges converged, both nationally and internationally, all of which are impacting in some way on business as we know it. Thus we need to ensure that the key control environment remains fit for purpose and is effectively managing the business-as-usual risks; that the action we are taking in connection with the exceptional risks is appropriate and will reduce or contain the risk exposure; and that we are watching out for emerging risks and considering how these might play through, be their impacts negative or positive, along with what we can do to prepare for them.
As a final comment all Boards should continually ask themselves:
- How do we know that we are focussed on the right risks, and what are the priorities?
- How do we know that the controls that manage the risks are effective, i.e. the controls exist, are consistently applied and do what they are meant to do?
- What further actions do we need to take (if any) to better manage the risks? Who will do this, and when?
- What mechanisms exist to enable useful reporting and monitoring of the above by management and the Board?