Many organisations seem to have insufficient evaluated knowledge about the wide-ranging risks they face, says Andy Shaw
The demise of Farepak has probably been the source of as many newspaper column inches as previous high-profile business failures, such as Barings Bank and Independent Insurance.
The Farepak fiasco, it might be argued, highlights the Government’s error in withdrawing the proposed Operating and Financial Review Regulations before they became law, and therefore before they could positively influence business thinking. Had they gone ahead, companies would have been required to give a fair review of their business in a directors’ report, covering:
• The company's development and performance during the year
• The company's position at the end of the year
• The main trends and factors underlying the development, performance and position of the company which were likely to affect it in the future
Clearly, this would have required information about business strategy and objectives and would have needed to include forward-looking information, particularly about the risks the company faced in order to ensure both achievement of business objectives and no surprises.
Traditionally, the health of an enterprise has been gauged from its financial information. Many would now accept that such information gives precious little reliable knowledge about the future prosperity of a company. Financial information is enlightening only about where the business has been and not about where it is going. Past profit does not guarantee future profit.
The problem is that few companies seem to be equipped with the depth of knowledge and expertise needed to effectively identify, evaluate and subsequently manage the risks they face, in order to ensure that there are no surprises. Failure to see approaching unpleasant surprises, such as a major financial loss, reputational damage or failure to achieve business objectives, is usually due to insufficient knowledge of, and action on, risk. Of course, many businesses have a plethora of risk assessments, but they seem often to be health and safety related, have been conducted primarily to ensure a tick in the compliance box, and are now neatly filed away.
In my experience, many organisations appear to lack sufficient evaluated knowledge of the wider risks they face. Risk management, if undertaken effectively, is a simple, value-adding business discipline that informs decision-making, rather than being a bureaucratic exercise. It is a positive contributor to increased profits, fewer losses, and error-free performance, and it should be embraced by a company’s directors if they are to manage, direct and enjoy a successful and resilient operation.
Yet many companies lack formally evaluated appreciation of the key business risks they face. If an organisation does not understand its key risks, it may be argued that it is a rudderless ship, ignorant of what business surprises are approaching to hinder, or perhaps completely arrest, its growth, profitability and very future. It is critical that an effective risk management approach is used to provide assurance.
Many companies therefore manage themselves without a thorough knowledge and understanding of the risks that might prevent them achieving their business objectives. Of course, many are successful but perhaps not as successful as they might be. Others will collapse, or have to endure an embarrassing and damaging failure. Farepak is as fatally wounded as Townsend Thoresen was. Perhaps it will never recover. Its reputation is forever tarnished and public confidence is lost.
To avoid such events and to achieve the success and longevity they desperately want, CEOs and their boards must be able to confidently answer the following questions:
• What are the top risks your organisation faces in the correct prioritised order?
• Can you show they are the right risks, that there is quality and competence in determining their importance to the organisation, and that they are correctly evaluated? Effectively evaluated risks are calculated using data rather than gut feelings, which are often wrong.
• Is there a comprehensive management plan to deal with your top risks, and is your management of them effective? For example, have potentially negative exposures been closed and have positive growth-providing opportunities been capitalised upon? Risk can be positive or negative: in other words, something negative (value sapping) that might occur, or something positive (value adding) that might not occur.
Sadly, I would be surprised if many companies, and certainly not those with a compliance mindset, could get past my first question, if they were being entirely honest. While an organisation might argue that it knows the answers, all too many compile their risk profiles from the opinion of those around the boardroom table, from the CEO's dominant view, or from some other meaningless method. In place of such ways of working, they need to understand the real key risks that affect the earning capacity of the business without resorting to guesses or risk 'scans' that have little to underpin their assumptions.
In my experience, risk management as practised in many undertakings is little more than a bureaucratic exercise, adding no value whatsoever. An effective risk management function should be a profit centre because of its ability to maximise profit and minimise loss. It should not be a cost centre that makes no contribution to business profitability.
Until recently I fulfilled the role of director of risk and safety for a major UK airline where the managing director and I, together with our board colleagues, worked to deliver our stated objectives and to grow the business and protect it from unwanted surprises. We wanted to be in a position where we could authoritatively affirm to our stakeholders: “We know and can confidently state what the key risks are to achieving our business success. We are not likely to fall foul of a damaging occurrence and we are not going to miss a valuable business opportunity. There will be no surprises.”
Andy Shaw is an independent risk and safety consultant, a director and fellow of the Institute of Risk Management (IRM). E-mail: firstname.lastname@example.org