New research has shown that some of the most serious risks a business can face originate from poor management practices and communication failures within the company itself.

Not all risks can be managed. In fact, it turns out that there are quite a few business issues over which risk managers themselves have absolutely no influence, yet which pose a serious threat to their organisations. In many cases, these are problems created or exacerbated by the senior leadership within a business … and are therefore completely outside the remit of the average risk manager.

This is one of the principal findings of a major piece of research commissioned by Airmic and carried out by the Cass Business School earlier this year. The research, which looked at over 20 major crises to strike companies around the world in the past 10 years, throws a spotlight on corporate governance problems and how senior executives oversee their companies. “It sounds obvious that the leaders of a business should have the skills that are necessary to understand and run it,” said the report. “But some of our studies suggested that the leaders did not.”

It draws attention to seven risk areas that pose survival threats to companies and that are beyond the realm of the traditional risk management process, but which the report recommends should be drawn within its scope.

These issues arise from the board’s ineffective oversight of risks, poor company cultures and inadequate risk communication (see the full list of threats in the box below). The paper also warns boardrooms that without listening to views from outside they are blindfolding themselves to risks within the business – and uses examples to demonstrate this.

In the report’s words: “The studies contain a valuable and extensive opportunity to learn painlessly from the misfortune of others.” In this feature we’ve highlighted some of the lessons learnt from three of the case studies used in the report. Don’t make the same mistakes.

BP Texas refinery explosion



In March 2005, an explosion and fire at BP’s Texas City Refinery killed 15 people and injured many more. The compensation bill came to over $1.6bn (€1.1bn). It was one of the most prominent safety failures to hit BP in North America, trashing its reputation even before the Deepwater Horizon disaster in 2010.

Lessons

1 Rapid growth led to too much complexity: BP doubled in size during 1998-2000, resulting in a complex management structure.

2 Walk the walk, don’t just talk the talk: While the board talked up BP’s safety measures, outside consultants said cost-cutting was prioritised over safety.

3 Heed the warning signs: Before the Texas explosion, there had been 23 deaths at the refinery, four since BP had taken over.

4 Listen to your staff: Chief executive Tony Hayward has since written on BP’s internal website: “The top of the organisation doesn’t listen hard enough to what the bottom of the organisation is saying.”

5 It’s more than just compliance: The Baker report, commissioned after the accident, said that the main focus of BP’s safety audits was on satisfying legal requirements, not on improving overall safety performance.

6 Act on reviews: The same report claimed that BP repeatedly failed to “follow through” with improvements following the safety reviews.

Maclaren pushchair recall

Problems were spotted in the design of Maclaren’s pushchairs in the USA after 12 children lost the tips of their fingers when their parents folded or unfolded the pushchairs. The company issued repair kits in the USA to prevent the problem but failed to do the same for its customers in Europe and the UK. This decision provoked strong reaction from the UK media and customers, with accusations of applying double standards and trying to save money.

Lessons

1 Reputational damage is more likely when it involves a core competence: People appreciate that even the best organisations have problems from time to time but they are less tolerant when the problem arises from a perceived ‘core competency’.

2 Consider how actions are perceived from the outside: In the modern world, events no longer happen in isolation. People will be unimpressed if they believe that different standards are being applied to different parts of the world.

3 Social media is a powerful communication channel: Maclaren had benefited from positive testimonials about its products on social networks before the event but it also suffered from complaints afterwards.

4 Recalls are difficult to manage: Maclaren underestimated the volume of telephone and internet traffic that would be generated by its recall.


Société Générale rogue trader

In 2008, one of Société Générale’s French traders, Jérôme Kerviel, engaged in high levels of unauthorised derivative trading, making bets that were larger than the bank’s total market capitalisation.

Société Générale eventually managed to close out the trades at a cost of around €5m.

The rogue trader has been widely accused of being a dominant factor in the bank’s credit rating downgrade.

Lessons

These lessons are drawn from the findings of an internal preliminary report by a panel of three non-executive directors, published on 20 February 2008:

1 Don’t ignore the warning signs: A report after the event noted that 75 alerts, which should have warned managers about the unauthorised trading, were ignored.

2 Follow procedures and escalate problems if necessary: The same report found that control procedures weren’t being followed properly and that compliance officers weren’t informing their bosses about anomalies, even when huge sums of money were involved.

3 Beware the lone fraudster: Formal investigations after the event found no evidence of embezzlement or external complicity. Some bank officials had claimed that Kerviel could not have managed his thousands of trades without assistance.

Seven survival threats

Many of the seven over-arching risk areas highlighted by the Airmic/Cass report are almost taboo because they touch on the behaviour, decisions, performance and perceptions of the senior echelons. They are:

1. Board skills and non-executive control: Risks arising from limitations of board skills and competence and an inability in the non-executive directors (NEDs) to effectively monitor and, as necessary, control the executive arm of the company.
2. Board risk blindness: Risks from board failure to recognise and engage with risks inherent in the business - including those to business models, reputation and ‘licence to operate’ - to the same degree that they engage with reward and opportunity.
3. Inadequate leadership on culture: Risks from a failure of board leadership and implementation on ethos and culture.
4. Defective internal communication: Risks from the defective flow of important information within the organisation, including up to board level.
5. Risks from organisational complexity: This includes risks following acquisitions.
6. Risks from incentives: This includes effects on behaviour that result from both explicit and implicit incentives.
7. Risk ‘glass ceiling’: Risks arising from the inability of risk management and internal audit teams to report to and discuss, with both leaders and NEDs, the risks emanating from higher levels of their organisation’s hierarchy.

Airmic believes the scope of risk management needs to be “re-thought” in order to capture some of these risks not addressed by current techniques. It says that at least some risk professionals need to extend their skills so that they feel comfortable identifying risks that extend from their company’s ethos and their leaders’ behaviour.