Why your business needs a good risk management strategy
Without risk, there's no reward. But a failure to manage risk adequately can have catastrophic consequences, from a major fall in stock prices to product recalls or hefty fines. Rachel Wilcox reports.
Corporate negligence and shady practices placed FIFA, Volkswagen and Uber at the top of RepRisk’s 'Most Controversial Companies of 2015' report, one league table you really don’t want to be on.
What’s also true is that since the 2008 Lehman crash and subsequent financial crisis, the number of chief risk officers (CROs) is higher than ever, particularly across the financial services sector and other regulated industries; and the influence they now exert at board level continues to grow.
Doing business is not necessarily any riskier than it was a decade ago, says ICAS executive director David Wood. He adds that despite a tendency to focus on risk avoidance rather than taking profitable and calculated risks, this growing focus on risk is a good thing.
He said: “Investors want to know what the directors of a business think the key risks are, that they are being thought about and mitigated.”
What counts as a 'risk'?
Your audit committee and internal audit team might have a good handle on operational and compliance risks, legal, health and safety.
But what is far harder to manage and predict are strategic risks – your ability to understand your customers, for example, and how your market is evolving. And despite being historically underestimated and undermanaged, the impact of political instability on investment and credit decisions is potentially massive.
The CRO of one bank told The CA: “Brexit, Grexit, Russian revanchism, Donald Trump … all have one common denominator in terms of risk: they threaten the global rules-based system which has underpinned free trade and expansion for the past 30 years.”
Another issue giving board members sleepless nights is digital risk – from the threat of being sidelined by an innovative competitor to cyber risks and malicious attacks on data.
“We need a radical and different approach to this,” said Mandy Haeburn-Little, Chief Executive of the Scottish Business Resilience Centre.
“We should be starting every business meeting with the fact that ‘today someone is going to have a go at breaching your data - what have you done to protect it?’”
What is becoming evident, Mandy argues, is the disconnect between companies understanding that they are at risk from breach and a lack of activity to address that risk.
She added: “Scotland is doing really great work in this area on the back of the Scottish Government’s Cyber Resilience Strategy and we need clarity, commonality of messaging and a core resource for business, a business hub which will link to the National Cyber Security Centre.”
Six key risk messages
- Don’t let your risk register gather dust – it should be a living, breathing document.
- Consider whether reputational risk may now be the biggest threat your organisation faces.
- Be aware of emerging digital threats – from competitors using disruptive technology to hackers mounting attacks on your data.
- Think about how better risk management could reduce your insurance premiums.
- Make sure the information you provide to insurers complies with the 2015 Insurance Act.
- Don’t succumb to “paralysis by analysis”: a degree of risk is probably necessary for your business.
How should you respond?
The processes in place, and the resources being devoted to managing risk, vary wildly, says Catherine Burnet CA, Audit Partner with KPMG and incoming head of the firm’s operations in Scotland.
Many companies set up a risk register to record details of the main risks they face and an action plan for how they will be dealt with. But in order to be effective, this needs to be a living, breathing document that is regularly updated to take into account new threats.
Speed of change is a challenge, as is the need to be agile, Burnet warns: “How quickly does risk change and how can you respond to that risk?”
Even so, too many risk registers are little more than “shelfware”, gathering dust and becoming less and less relevant to the business over time.
David Wood agrees that all too many companies see the compilation of a risk matrix as a 'fait accompli'.
“They rely on it too much and stop thinking,” he warned. “Make some time on a regular basis to have a brainstorm starting with a blank sheet of paper, to think about key risks.”
“If it’s too long – 30 pages with 80 risks – it’s not that useful,” Catherine added. “It’s about striking the right balance between which risks are at the top of the agenda and those risks that you just need to monitor.”
Similarly, employing a large department of risk people isn’t necessarily a good strategy.
Michael Power, Professor of Accounting at the London School of Economics (LSE), said: “You need a small group of people who think about risk in an intelligent way. It’s important that you don’t create a risk bureaucracy.”
Also, a combination of risks can propel something seemingly small and inconsequential far higher up the list.
Catherine explained: “Risk events rarely happen in isolation. Three issues that are relatively low down on the radar in combination can become more important than a risk higher up the agenda.”
Is there a formula to insuring against risk?
Where boards lose sleep, there’s a market opportunity. No surprise, then, that a whole industry has emerged devoted to the identification and escalation of risks.
A former head of innovation at Microsoft, James Lawn is co-founder and CEO of risk intelligence firm Polecat. Its risk intelligence platform uses artificial intelligence and “big data” technology to analyse online media, including mainstream and social media postings, to pinpoint risks.
“In a world of social capital, it’s about how you audit the intangible assets that don’t fit into an audit today. Within the decade, they will be part of an audit,” James said.
There is a financial imperative to formalising risk management approaches. Originally an insurance broker, Aon’s business has evolved over the last decade to also offer risk advisory services.
Client Management Director Ross MacKay said: “We’re expanding our discussions about risk to anyone who can influence risk management within the business.
"We work with clients on claims defensibility and procedures around risk assessment and training. We want to ensure that our clients do everything they can to stop claims happening in the first place."
Aon's Area Director for Scotland Steve Young added: “If you can demonstrate clients have a risk register that’s actively managed, effective business continuity plans in place and fleet drivers with appropriate training, it builds up a very positive picture and helps us negotiate good terms with an insurer.”
Insurance policies starting after 12 August this year will also be affected by the introduction of the Insurance Act 2015, which means that the range of information that businesses must disclose to insurers is much broader, and presented in a clear and accessible way.
It’s partly a response to “data dumping” of huge volumes of information on insurers. Insured parties will now be expected to know what is known to senior management; what is known to individuals responsible for insurance, such as brokers; and what should reasonably have been revealed by a reasonable search, including relevant external third parties.
Despite the increased workload this presents, Steve is adamant the introduction of the Insurance Act 2015 is good news for clients.
He said: “Insurance companies will understand more about the risks they are underwriting and, as a result, there will be less debate around the payment of claims.”
Risk taking or risk avoidance?
Internal audit has an important role to play in ensuring there are adequate controls in place to mitigate risks but ultimately risk needs to sit with the CEO and the executive team.
Juicy scandals have helped to highlight the importance of good risk management. Catherine believes risk attracts attention but it’s not always fully embedded into the day-to-day running of businesses. “If you create a process it can become a tick-box approach,” she warned.
At the same time, assessing “black swans” – unpredictable or unforeseen events – isn’t always easy, or cheap.
David said: “It’s not difficult to justify in financial services because there’s a regulatory requirement but in other industries it can be tougher because it’s not viewed as profit generating, although it’s risky to do business without having a good process in place.”
Despite huge progress over the years in propelling risk to a board-level consideration, significant challenges remain, not least the difficulty of linking strategy and risk, an objective which continues to elude many boards.
Only half of the directors and senior directors questioned by KPMG’s Audit Committee Institute said they were satisfied that strategy and risk are effectively linked in boardroom discussions.
One in three of the 1,000 respondents to the survey said greater consideration of the “upside” of risk taking (versus risk avoidance) would most improve the company’s risk-related decision making.
Good risk management is fundamental to the success of a business, but there is a balance to be struck, the bank CRO says, and it could be that risk management has reached a tipping point where the disadvantages of avoiding risks outweigh the benefits of taking them.
“Risk management may be on the verge of becoming counterproductive as boards may spend too much time and energy on the form, and ignore the substance: that we have to take risks to grow.”
After all, there is only so much risk management that you can do, he said. “Sometimes those risks that crystallise drive the business forward as a lot of creative energy is unleashed.”
Rachel Wilcox is a freelance business journalist.
The full version of this article appears in the July/August 2016 edition of CA magazine.