Risk management failed because of a major gap in the science of risk management, first identified in 2011 in 'Roads to Ruin', the Cass Business School report for Airmic. Two of the four authors are partners in Reputability.
The report identified and classified a series of previously unrecognised risks from individual and collective human behaviour at all levels of organisations, from the bottom to the very top, including boards. We now call these risks 'behavioural' and 'organisational' risks.
Our own report, 'Deconstructing failure - Insights for boards', subsequently extended the research into the role of boards in corporate failure. The findings can be summarised in the bar chart below, which shows the frequency with which we identified various root causes across 41 case studies.
[Bar chart: frequency of root causes across 41 case studies.] Source: 'Deconstructing failure - Insights for boards'. © Reputability 2013
Last November, we reported that the Financial Reporting Council is tackling this dangerous but under-recognised family of risks head-on. You can read the background here.
The FRC's timetable is now becoming clear. As a result, it is now a priority for boards to gain a systematic understanding of behavioural and organisational risks.
As we explained last November, the FRC has two regulatory actions in the pipeline.
The first is the ‘Draft Guidance on the Strategic Report’. A revision to the Companies Act 2006 requires boards to disclose, in the Annual Report, their company's ‘Principal Risks’. The FRC's draft guidance on how to do this states:
"Principal risks should be disclosed and described irrespective of how they are classified or whether they result from strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control." (underlining added)
Many of the Principal Risks to a company have their origins in the way its people, at all levels, behave individually and in the context of the organisation in which they work, though these origins often remain unrecognised until it is too late. Boards cannot fulfil this duty without an adequate understanding of behavioural and organisational risks.
This guidance, which seems set to be issued in September, is expected to apply to accounting periods beginning on or after 1 October 2014.
The second is the FRC’s ‘Draft Guidance on Risk Management, Internal Control and the Going Concern Basis of Accounting’. This revises the old so-called ‘Turnbull’ Guidance and implements the Sharman Report on the ‘going concern’ basis of accounting.
Laced with dozens of practical questions for boards to ask themselves about behavioural and organisational risks, the draft Guidance on Risk Management is designed to help boards oversee the practicalities of managing such risks below them and to recognise the issues that surround them. Here too, boards cannot fulfil their duties without an adequate understanding of behavioural and organisational risks.
This guidance, too, seems set to be issued in September, and is expected to apply to accounting periods beginning on or after 1 October 2014.
So what needs to be done? The first requirement is for boards to gain adequate knowledge to understand and supervise these newly recognised risks. The shape of the solution comes from the Corporate Governance Code, which requires boards regularly to ‘update and refresh their skills and knowledge’.
The first step is therefore for Chairmen and Company Secretaries to commission tailored board education about behavioural and organisational risks and their relationship with reputational damage. Everything else flows from that.