Risk management is more than compliance and box-ticking
Risk management is high on the agenda of boards of directors (and should also apply to Sri Lanka) but boards may be blind to some key risks or do not understand them as deeply as perhaps they should.
This was the central discussion at the CIMA CFO Forum held in Colombo recently. “There has been a steep change in the focus on risk by boards in the last few years but, with an ever more complex business environment coupled with increasing expectations of corporate behavior, we believe the board’s risk agenda still needs to evolve,” Dr. Noel Tagoe, Executive Director – Education, CIMA said, addressing the Chief Financial Officers (CFO) at the Reputational risk: Impact on business integrity last week.
There is powerful evidence to suggest that there is a serious gap in the way that many boards identify and address significant risk issues, he said, adding that new research points the way forward for boards to achieve a greater understanding and control over strategically important risk exposures to achieve greater resilience as an organization. It has identified a clear leadership role for the board in determining a strategy towards risk which harnesses the power of the totality of expertise and knowledge within the organization to support the board and to keep it informed.
“Creating and constantly refreshing a ‘board mandate’ and ensuring that boardroom conversations are effective in seeking full information and asking challenging questions, play a key role in developing this strategy,” he said, adding that risk remains in the spotlight for boards – more strongly illuminated by every corporate crisis and catastrophe that occurs.
But are all the key risks that a business faces as strongly illuminated within the organization? Or are some boards still blind to certain key risks that are potentially catastrophic to their business?
No business can operate effectively without risk and managing and governing risk is about more than compliance and box-ticking – it is about building a resilient organization to achieve long-term sustainable business success, according to Dr. Tagoe.
“The risk landscape is changing. The complexity of risks is growing in line with the complexity of the business environment.” Boards are well practiced in understanding and managing strategic risks such as those relating to finance, systems and hazards and there has been a step change in the focus on risk over the last few years.
“However there are a key group of risks that go beyond traditional risk management analysis and management techniques – including the potential risk that the functioning of the board itself can pose. Boards are both mitigates of risk and a potential source of risk. Boards can also be caught out by a failure to understand the strategic consequences from catastrophic operational failures.”
A survey undertaken by PricewaterhouseCoopers of more than 1,500 executives in 64 countries found that as the risk landscape continues to evolve and shift, less than half (45 per cent) of those surveyed were comfortable with how well their most critical risks are being managed.
‘Roads to Ruin’, a research on this subject had studied crises affecting twenty-one organizations with pre-crisis assets of over US$6 trillion. According to this study, most institutions were well regarded and many had good reputations. Only a few firms emerged without obvious immediate damage. Six firms collapsed and, while three of these were revived, this was achieved only through a state rescue and or what amounted to nationalization. Most suffered large, uninsurable losses and their reputations were damaged, sometimes severely. The position of most chief executives and chairmen was put into question. It identified about 20 who subsequently lost their jobs, at least partly as a result of the crisis.
“Boards own the risk agenda because they own the strategy. Risk and strategy are inherently intertwined. But boards cannot and should not be involved in the detail of risk management. Their role is to set the agenda, drive the culture for risk and oversee implementation throughout the organization,” Dr. Tagoe said.
Effective risk oversight requires robust information and effective conversations and effective conversations involve deep probing and constructive challenge, he said, adding that a vital part of a CFO’s role is to constructively challenge management – to ask the questions that ensure that the CEO and executives are fully engaged in managing risk. Through their probing they can illuminate risks that management may be blind to, or see as less relevant, given their close day-to-day involvement in the business. “They can bring a different perspective and see new risks and new opportunities,” Dr. Tagoe said.