No longer able to leave all risk managing to the risk manager, the board is being forced to take responsibility. Neil Hodge asks how corporations will structure themselves to deal with a constantly shifting risk landscape
It is perhaps no great surprise that following the recent financial crisis, regulators around the world have ensured that effective risk management needs to be at the top of the agenda and that ultimate responsibility for all risk lies with the board.
Last year the Financial Reporting Council (FRC), the UK’s corporate reporting regulator, launched a consultation on its proposals to reform the UK’s Combined Code on Corporate Governance in the wake of the current financial crisis. The planned changes include ensuring that “the board is responsible for defining the company’s risk appetite and tolerance” and that “the board should maintain a sound system of risk management and internal control to safeguard shareholders’ investment and the company’s assets”.
The FRC also says that it wants to add a new provision based on the wording used in the Turnbull guidance, which states that “the board should satisfy itself that appropriate systems are in place to identify, evaluate and manage the significant risks faced by the company”. Added to that, the regulator also wants to emphasise that performance-related pay should be aligned to the long-term interests of the company and its policy on risk.
But recent evidence suggests that these changes may take a while to implement. According to a survey called The Convergence Challenge by accountants KPMG and the Economist Intelligence Unit, nearly half of companies are not clear about who in their organisations is in charge of governance, risk and compliance. Paul Taylor, board member of Ferma, deputy chairman of UK risk management association AIRMIC, and director of risk assurance at Morgan Crucible, says that there is a danger that the lines of responsibility between who is responsible for identifying risk and who is responsible for managing it become blurred.
“Despite the title, risk managers do not generally manage risk,” says Taylor. “The UK’s corporate governance code puts risk management firmly as the responsibility of the board. Many executives focus on strategic risk, and are less involved in operational and financial risk. That is a real mistake. The board has a responsibility for all corporate risk – not just parts of it.”
Other experts agree that boards seem reluctant to get involved in all aspects of risk management, believing that some risks do not need board level involvement. One such risk is data security. Ann Bevitt, partner at international law firm Morrison & Foerster, says that data protection will become an increasingly important issue that risk managers will have to give greater assurance on, as of April this year, the Information Commissioner, the UK data regulator, has the power to levy fines of up to £500,000 for serious breaches of data security whereas previously it had had no power to issue fines. The risk is by no means limited to the UK. Data regulators in other European countries, such as Spain where the fines levied actually help pay the information watchdog’s operating costs, have been handing out large fines for control failures for years.
“Compliance with data protection was not a high profile risk five years ago, and for most organisations it would not have even featured on their risk registers,” says Bevitt. But she warns that data leaks can have a much more catastrophic effect on organisations – they can erode customer confidence and shatter their reputation. “I think that many organisations will find that the board does not want to get involved in this kind of compliance risk, and will leave it to risk managers or someone else to manage and control,” says Bevitt. “This may be dangerous thinking, particularly as corporate governance in the UK is firmly of the belief that all risks are ultimately the board’s responsibility. While the maximum fine may not be as high as other regulatory fines, boards may not be considering the associated costs of implementing controls and procedures to protect personal data, nor the costs of clients taking their custom elsewhere,” she adds.
Recent research also suggests that board members may not appreciate the levels of risk that their organisations face, or understand sufficiently how these risks may impact the business. Pascal Macioce, Ernst & Young’s assurance leader in Europe, Middle East, India and Africa, says that the latest research carried out by the firm shows that audit chairs greatly underestimate the breadth and intensity of regulatory and compliance risks facing European companies, particularly those operating across borders. Audit committees have been repeatedly criticised for failing to understand business risks, or challenging the board on their understanding of them.
“Currently, audit chairs are being too narrow in determining the extent of the ‘regulatory risks’ facing their companies,” says Macioce. “Audit committees must think more broadly about the way that government interventions – both nationally and at G20 level – has significantly increased existing compliance risks. These risks will continue to increase until such time that new regulations bed down on both a national and global level.”
Risk managers believe that organisations need to assess what risks are likely to emerge that will affect their business over the next five to ten years, and what measures they may need to put in place to mitigate these risks or leverage the opportunities they may create. Paul Howard, head of insurance and risk management at retailer Sainsbury’s and chairman of AIRMIC, says that “when I joined Sainsbury’s 13 years ago risks that were not even on the radar ten years ago are now regarded as key. These include environmental risks and aspects of supply chain risk, in particular checking that our suppliers are sourcing ethically and that they are adhering to our set of ethical values. The board is now considering the impact of other risks that we feel may develop in the next few years, such as the problems associated with infrastructure, population growth, and natural resources.”
He adds: “If the past decade has taught us anything, it’s that you constantly need to think ahead. Every strategic decision has a risk behind it and it is our job to identify these risks and suggest ways of mitigating them if necessary. Our risk registers are likely to look very different in ten years time compared to the way they look now.”
One industry sector has already reprioritised its risk registers – the financial services sector. Bankers are complaining that political interference is now the biggest risk facing the banking industry and that the "politicisation" of banks as a result of bailouts and takeovers now poses a "major threat" to their financial health, according to the annual Banking Banana Skins report from professional services firm PricewaterhouseCoopers (PwC) and the Centre for Financial Innovation. It is the first time in 15 years of the study that "political interference" has even featured as a significant risk, let alone coming top. The top risk is closely related to the third – "too much regulation" – and the concern that banks will be further damaged by an over-reaction to the crisis. Other dangers on the list include credit risk (at number two) and the economy (at number four). Poor risk management quality also made the list of top ten risks.
The fall-out from the current banking crisis has forced risk managers in general to re-assess how they evaluate, report and manage risk, and what skills they may need to buy in or develop to ensure that they can provide adequate assurance to the board. Phil Ellis, CEO of Willis’ structured risk solutions practice, says that the approach to risk in organisations will become a lot more scientific and there will be a much greater emphasis on ensuring value for money from the risk management function. “Over the next ten years we will see a heavy investment in catastrophe experts, actuaries and mathematicians as the C-suite demands greater assurance in more technical areas of operational, strategic and financial risk. We will also see the rise of the chief risk officer and he will have a seat in the C-suite,” he says.
Richard Waterer, senior vice president at Marsh Risk Consulting, says that there will be greater convergence both within the risk management team and with other risk-focused departments, such as internal audit. “We are also seeing a convergence of risk functions in organisations. If you look at a typical plc, you will see within the risk function an insurance team, a health and safety team, a business continuity team, a risk management team, and so on. There needs to be greater convergence between all these aspects of corporate risk to avoid gaps and overlaps in coverage, as well as to reduce costs,” he says.
Some experts believe that risk management can lead the changes that are likely to affect the profession. Mike Morley-Fletcher, director in the risk practice for professional services firm Ernst & Young, says that with boards being charged with defining risk appetites and tolerances, risk managers can help identify key risk indicators (KRIs) for all major initiatives and decision points in the business model and then facilitate management's discussion on where the tipping point between an acceptable and unacceptable level of risk lies. This definition of risk appetite, whether quantitative or qualitative, can then be codified in policies or other corporate documents and communicated to those that need to use them.
He also says that risk managers can then help management integrate KRI into an organisation's KPI-orientated reporting dashboards. He uses the analogy of Formula 1 motor-racing to explain his point. “A racing driver will pay some attention to the speedometer and milometer on his car dashboard, but he also needs to know the level of fuel left, the engine temperature and braking ability as it is these variables that provide leading indications of how much harder the car can be pushed to win the race or how much nurturing will be needed to make sure it simply finishes. The driver's dashboard combines performance and risk indicators, but does the company CEO's?”
“Risk managers should look to help their business colleagues understand how key risk indicators, risk appetites and risk dashboards can be used as effective leading indicators of what could happen and how they can be used as vital tools for assessing how robust their strategic initiatives are and how successful they might be,” he says.
But some risk managers fear that their duties, responsibilities and focus may be shaped by other factors that are beyond their control. Dieter Berger, head of insurance at Swiss-based power generating company Alpiq and president of the Swiss Association of Insurance and Risk Managers (SIRM), says that the future of risk management will be affected by increased regulation and standards on corporate governance, and – more worryingly – the increased desire to sue organisations and individuals for perceived wrongdoing.
“There is a real danger that risk management will be led backwards and become a ‘box-ticking’ compliance function rather than a value-adding part of the business because of over-prescriptive regulations,” says Berger. “The front end of every organisation wants to create strategic opportunities for the business and the last thing they want is for somebody to come up and continuously say that these things can’t be done. Risk managers are going to be very unpopular if they are always perceived to undermine business plans. The function needs to be value-adding, but there is a real possibility that it could be seen as stamping on business plans if compliance issues take too much priority.”
Neil Hodge is a freelance writer