The present wave of changes in corporate governance requirements, together with the constraints of a hard insurance market, provides an increasing challenge for both corporations and individuals responsible for risk, says Tony Cherry.

In order to meet a challenge, the first task is to define it. At the time of writing, we do not yet know how the recommendations of the Higgs report will be incorporated into the Combined Code. However, the Government continues to make it clear that no substantial dilution of the principles will be permitted.

In mid April, the UK Trade and Industry Secretary, Patricia Hewitt, sought to mobilise investor opinion behind improving accountability through the reforms. It appears, however, that sensible concessions may be made in two areas.

First, the case for delayed implementation appears to be prevailing. No one wants to replicate the problems experienced in the USA through the hurried introduction of Sarbanes-Oxley, and a postponement from early summer 2003 to the New Year is beginning to look likely.

Second, the challenge to the merits of the individual reforms, which was making little headway, has shifted subtly to a debate about the degree of prescription which would be appropriate. While Derek Higgs described the principle behind his report as 'comply or explain', there was a concern that activism by institutional investors might translate this into 'comply or else'.

Against that background, the way in which the task of the Financial Reporting Council is described has also moved slightly but significantly. Originally, it was charged simply with eradicating fatal flaws in the proposals before incorporating them into the Combined Code. In the same April speech, Hewitt said the FRC was "listening carefully to all comments, not just on points of detail."

Then, after Easter, Derek Higgs himself contributed further to the debate. He indicated that his recommendation concerning the nominations committee had been a marginal one, which he would be prepared to see diluted. This story appeared in the press on the same day that institutional investors at the British Gas AGM were mustering votes against Giordano, on the basis that he ought not to control the remuneration committee.

Further institutional rumblings concerning board remuneration have been heard at a number of subsequent AGMs, and it is believed that others have been avoided only by negotiation behind the scenes.

Challenge to established corporate governance practice is not confined to the UK. In Germany, where it has been perfectly common for the CEO to 'retire' to the supervisory board, one major financial institution ran into significant criticism over precisely that transformation at its April AGM.

Frankly, therefore, I have (indeed can have) only an imperfect idea of what the Combined Code will look like when this issue of StrategicRISK is published in June. Happily, however, that does not stop us trying to identify the challenge, because it does not necessarily alter according to the precise wording of the Code.

What challenge?
From the point of view of a board committed to maximising shareholder value through the informed and constructive management of risk, it should not matter whether the rules are prescriptive or 'principles based', nor whether a particular corporate structure is permitted.

If there is a risk attaching to the presence of the chairman on a given committee, or to a lack of adequate non-executive directors, then that risk should be evaluated like any other.

So far as 'comply or explain' is concerned, in a risk-based corporate governance model it is not possible to explain non-compliance without having assessed the risks of failing to comply.

Therefore, properly explaining non-compliance is, paradoxically, a form of compliance. It seems likely that in some corporations, considerable resource, imagination, and, I fear, legal expertise, will be devoted to attempts to circumnavigate this truism, by constructing 'explanations' which do not in fact explain anything.

Advocates of a corporate governance approach based on a risk model need to divert that energy into constructive compliance.

Thus, I think we can define the challenge like this:

'The challenge for corporations is genuinely to adopt a risk-based model for their governance, and for individuals charged with managing risk to encourage that aspiration'.

The scale of this challenge should not be underestimated. The interesting question is whether it can be achieved by incremental change to existing structures and culture, or whether a new model is required, including at the most senior levels.

Boards have become very comfortable with change as a remedy for issues within their businesses. It is the stock management consultancy recommendation, understandably, because it is a truth universally acknowledged that an old business that has done something successfully for years must do things completely differently in order to achieve a future level of profitability which will be acceptable to the markets.

However, that change has, generally, been something imposed by boards on other people, rather than one which affected them directly. But these new changes will need to include the board, because it is doubtful that a chief risk officer (and I will be discussing this role in more detail) can discharge his or her duties without board status, or at least a position on the committee immediately below board level.

Impact of the hard market
So far I have focused on the definition of the challenge by reference to corporate governance changes. How important is the hard insurance market?

So far as insurable risk is concerned, temporarily at least, it is very important. For many years a number of factors have protected businesses from the true cost of failing to control insurable risk.

High investment returns meant that it was possible for insurers to accept a loss on the underwriting account in order to enhance market share. Quite often, therefore, premiums failed to reflect the true cost of claims.

That is no longer the case, and in large sections of the business community and, especially, in classes of cover which are not compulsory, there is far greater retention of risk. Thus, whether in order to avoid the direct cost of claims or to reduce future adverse impacts on premium, there is far greater incentive to avoid losses.

It is not clear, however, that this in any way alters the challenge which we have defined; the effect is merely on the extent to which financial arguments can be used to influence a board in favour of a risk-based approach to running the business.

While current market conditions may make it appear hopelessly optimistic, the great probability is that, in the medium term, investment returns will have recovered sufficiently, and balance sheets will have been sufficiently rebuilt, to allow more aggressive price competition to resume.

Moreover, new capital has already moved into the market in response to enhanced returns. At present it does not appear that this capital is being extensively deployed to provide increased capacity in the liability markets most affected, but the laws of supply and demand suggest that in due course it will have an impact.

Finally, while the difficulties in the market have meant that a great deal of attention has been paid to insurable risks, it remains the case that most of the events which have destroyed companies in the recent past were not insurable in the first place. Unfortunately, there is sufficient litigation pending, over, for example, Enron, Marconi and Equitable Life, to discourage detailed comment. However, in each of these cases cultural issues can be identified which created risks incapable of being insured and which led directly to their downfall.

It follows that the chief risk officer (CRO) of the future must have meaningful control over both insurable and uninsurable risk. Under the CRO there must be systems and structures which support an integrated approach to risk. However, that immediately and fundamentally alters the significance of the post within the company.

The CRO's role
It is necessary to evolve a model which clearly defines the interaction of the CRO with the chief executive officer, the finance director and general counsel, who may each perceive a degree of overlap with their own traditional responsibilities. This model must be more complex than one which gives the CEO power to say yes and the CRO power to say no, for that would stifle invention and progress.

However, once it is acknowledged that there are positive and negative aspects to risk, and that the role of the CRO should reflect this, issues arise as to when and in what circumstances the usual primacy of the CEO should be subordinated to the CRO. Those circumstances will be limited yet crucial, but I suggest that if the answer to 'under what circumstances?' is 'never', the challenge will not be met.

Interestingly, there may be some scope in revisiting a model which disappeared from big business in the early part of the twentieth century. Partnership between a limited group of individuals (as opposed to the leviathans now common in the accountancy and legal professions) may offer some insights into managing this difficult new relationship.

It may also be that non-executive directors, if the role develops under the new Combined Code as Higgs has suggested, will hold part of the answer to placing the CRO within the governance structure.

There is, however, a more fundamental problem to be addressed, which is who these new CROs are going to be. If they are from an insurance background, there will be a steep learning curve for broader business risks, such as culture and reputation. If they are from a financial background then large sections of operational and hazard risk will be areas of knowledge deficit. Thinking across the enterprise as a whole in order to integrate the risk strategy of the corporation requires the type of skills which are already likely to have taken the possible candidates into positions of seniority.

Reverting, then, to the question of how the challenge can be met and the choice between incremental change or a more fundamental remodelling, there are arguments either way.

Incremental change may be incapable of injecting sufficient shock to the system to empower the CRO to move into the type of new relationship with the CEO which appears necessary. On the other hand, if the right candidate is not available to fill the post then the appointment will fail, and a step by step approach may be the only option.

The answer is going to vary from business to business, but there should be an opportunity for risk managers to progress in an incremental change process to fill the CRO role. The design and implementation of that process will be key, and external input may well be required to gain acceptance for it. However, the potential personal and corporate rewards for meeting the challenge are substantial.

Tony Cherry is head of risk counsel, Beachcroft Wansbroughs, Tel: 0117 918 2181, E-mail: