Andrew Leslie reviews the morning's topics
Delegates to StrategicRISK's April conference on Risk and Opportunity assembled in the historic surroundings of London's Chiswell Street Brewery to listen to six speakers exploring different aspects of the theme. After a brief speech of welcome from Suzanne Hirst, publishing director, StrategicRISK, the podium was given over to Rachel Elnaugh, non-executive director of the Enterprise North East Trust, who also chaired the question and answer sessions following each group of speeches.
Elnaugh's theme was the role of the non-executive director in contributing to effective risk management and in improving corporate efficiency and effectiveness. As an entrepreneur and a member of the first 'Dragons' Den' team, she started by describing what she felt to be the problem of a risk-averse culture. While entrepreneurs positively enjoyed high-risk situations, the financial markets were inclined to look on them with less favour, she said. And by the time a growing business had generated momentum, the huge amounts at stake tended to make executives take conservative decisions.
It is here that the role of non-executives is so vital, said Elnaugh. They must bring a strategic direction to the board and be prepared to act as constructive critics. To their monitoring role they must also add that of communicator, creating connections to new networks and contacts. With the substantial overhaul of company legislation in the UK, directors have the duty to promote the long-term health of the company, countering the natural tendency to short-term decision making found within so many businesses.
However, the responsibilities of the non-exec were now so far-reaching that to accept a position on a board could be seen as a high-risk strategy in itself. Elnaugh's advice to those thinking of taking on a non-executive role was to make certain that suitable D&O insurance was in place, and to be absolutely scrupulous in keeping personal notes and all supporting documentation.
Jackie Cain, technical director, the Institute of Internal Auditors, then looked at the role of internal audit in enterprise risk management and at whether the two functions were likely to be collaborators or competitors. Starting with the proposition that internal audit 'is here to help', she outlined the part that internal audit should play within an organisation. Internal auditors are assurance professionals, she said, with a remit extending to governance, risk management and internal control and the ability to evaluate and improve. Internal audit should not assume a management role.
An effective organisation, she continued, depends upon effective governance, which in turn needs effective risk management. And internal audit is the cornerstone of governance, providing, as it does, objective assurance on risk management processes. In the cycle whereby inherent risk is subject to responses and controls, with any residual risk being the object of further improvement until the point where the risk target is met, internal audit provides the assurance to management, and hence to the board, that the process is working correctly.
Thus the role of internal audit should be complementary to, rather than compete with, risk management. It is internal audit's job to ask whether risk management processes are designed well and working properly. The assurance that this is so gives an organisation the confidence to regard its key risks with equanimity.
Summing up, Cain defined the role of internal audit in risk management:
• Let management manage
• Give independent objective assurance
• Facilitate improvements
From her list of things that internal audit should not be doing, she stressed:
• Don't undermine management accountability
• Don't manage risk on their behalf
• Don't make risk management decisions.
The core of internal audit is its independence and objectivity, so organisations should look at internal audit with a view to asking where it is positioned within the organisation. Is it free? Is it placed where it can be free from bias … and this means an unbiased mental attitude capable of making judgements without regard to questions of subordination.
Geoff Taylor, director of risk management, Nike EMEA region, was next onto the platform. His topic was enterprise risk management, the theory and the practice, and ERM as a creator of value. Risk is good, said Taylor. Danger equals opportunity equals risk. They go together. We tolerate risk to get certain rewards, and stakeholders expect risks to be taken. What they want, though, is for those risks to be managed and thought about. Hope for the best, but prepare for the worst.
Developing the theme, Taylor argued that risk management had moved from being something that we had to do, to something that could provide advantage, but that it was still apt to be developed within different silos. The next phase was to shift away from the silos and bring it all together, so effectively there was just one risk report where there might have been seven or more. The object was to be able to give the risk profile of the organisation as a whole; there was no reason why an integrated framework of operational risk could not be looked at along with financial and other risks.
The important thing lay in the fact that the risk management process should be able to manage the upside as well as the traditional downside. And this was only going to be the case if it received proper support. So, boards should have a risk champion at board level and make sure that they defined the organisation's risk appetite, putting an assessment process in place and making sure they had an understanding of the probabilities and the impacts. But it was not going to be good enough if the risk champion, or chief risk officer, was going to act as a brake. Instead of taking the attitude of 'no, we can't do it', he or she should really be asking 'Are we taking enough risks?'
Drawing an analogy from the starship Enterprise, Taylor said he saw risk perception as essentially different between entrepreneurs and engineers. The entrepreneur will not address risk impacts because he sees the opportunities beckon. So he orders 'full speed ahead', while the engineer, watching the gauges, can't see the bigger picture, but knows that the engines 'may not be able to take it.'
And indeed, risk appetite can't always be defined in financial terms, particularly in such organisations as hospitals or NGOs. It must include the human element – especially the aspirational goal. Hence such concepts as 'zero accidents'. And, although risk appetite is often set around the risk impact, it shouldn't forget probability.
Jean-Charles Sevet, principal and head of the ERM programme at the European Central Bank, spoke about ERM within the ECB. The early years of the ECB, he said, had all been about introducing the Euro, and it was only recently that the bank had started looking carefully at risk and promoting ERM. It had to take risk seriously; apart from anything else, the bank had to be in a position where it could respond to criticism.
Sevet said that the ECB was an institution which does not like risk at all. The objective of its ERM programme was to manage the uncertainty of business operations in an explicit manner, in order to increase confidence in the achievement of the bank's objectives, protect its reputation and minimise its financial losses. To do this, it had to provide management with a consolidated view of current and potential risks in current business operations, help achieve a sound balance between expected benefits, costs and risks, build resilience and promote risk awareness in the bank's culture and values. Development of the ERM framework was made all the more challenging by the fact that 25 nationalities were involved in one way or another.
The framework had at its heart an understanding of the components of enterprise risk, defined as root causes, risk events and risk impacts, and analysis of the mitigating measures applicable to each. Thereafter a risk tolerance policy evolved, in which there were five pre-defined levels of impact in the three risk areas of business objectives, reputation and financial assets. The lowest levels of impact could be monitored, and the cost of controls limited. Level four risks required investment in enhanced controls to significantly reduce them. Level five risks were to be given priority and additional resources with a view to excluding them where feasible.
Sevet was sceptical about the value of conventional risk matrices, which, he said, are inclined to encourage you to work to avoid risks which are highly unlikely. Instead, he argued, you should place more emphasis on plausibility. The ECB works on plausible worst-case scenarios, which reflect external facts and evidence. At the end of the day, the board focuses on fewer than 70 risks, of which fewer than ten have 'red' status.
Richard Mowthorpe, director, European compliance officer, Jones Lang LaSalle, spoke to the conference on managing the risks of growth. To achieve the firm's vision of being the chosen real estate expert and strategic adviser to the leading occupiers and investors around the world, Jones Lang LaSalle relies on global and diversified growth: acquisitions, new business lines and new countries.
Mowthorpe identified the key risks of acquisition as centring around losing the team and integrating the acquired business. When one company acquires another, he argued, as often as not they are looking to buy the people as much as the physical assets. But during the negotiations, it is easy to lose people, either because they walk out of the door, or because they become mentally alienated. This risk is best countered by ensuring that the negotiating team closes the deal rapidly and efficiently. Integrating the people into the new business is a related risk. They may come on board and then drift, never finding their feet in their new home. His proposed solution to this was to establish a multi-disciplinary integration team, covering everything from housekeeping through IT to training, working in such a way that they were not imposing a new culture from above and setting it in stone, but allowing good practices in the acquired business to be fed back.
In new business lines, the risk was apt to centre around the desire for innovation against the need for control. The important thing, he said, was to find a way whereby the innovators didn't lose energy by feeling they were running up against a brick wall, but could blend with the control framework without feeling stifled. This, he admitted, depended heavily on relationships, with having a feel for what people would, or would not, accept, and on knowing which were the right buttons to press.
When it comes to operating in new countries, the risks are likely to be found in the country culture and in ensuring that corporate alignment can be established. The means by which this is done is through a code of business ethics, laying out what the firm expects and what it desires the new business to achieve. Emphasis is also placed on training. Additionally, senior managers are rotated into new countries, to establish a presence and help the integration into the firm's culture.
A common theme in all of these areas was people. Integration into the corporate culture, establishing and building relationships and winning hearts and minds were what was most important.
To round off the conference, Ella Brown, global head of equity research, ABN Amro Asset Management, spoke on Socially Responsible Investment. Her thesis was that the growing trend towards SRI was something that boardrooms could not afford to ignore. Currently 'dark green' funds were growing at around 1% per annum, and were not likely to have a significant impact. However, more broadly defined SRI had €1.033 trillion under management – about 12% of the total market. In essence, she said, SRI was making the transition from conceptual to practical. It was no longer a niche topic: the concept was broadening out to embrace environmental, social, and corporate governance issues. Effectively this means that companies are increasingly being scrutinised for SRI credentials, including their track record and transparency. The trend towards increasing SRI also had implications for the investing of an organisation's pension fund. Belgium, for example, was considering tax breaks for pension fund investment in SRI.
Part of the solution to dealing with the growing trend towards SRI lay in engagement. Brown defined this as investors entering into discussion with a company, with the objective of influencing that company's environmental, governance and social activities in order to increase investment returns.
She said that at ABN Amro, SRI was currently a separate department within the organisation, but was likely to make a natural transition into the mainstream. The big question was whether investing in squeaky clean concerns was a winning formula, and whether an SRI product was compatible with mainstream products. Part of the problem lay in the lack of precise delineation: "We're all grappling with it."
Andrew Leslie is deputy editor, StrategicRISK