The FRC's "Guidance on the Strategic Report" ("the Guidance") provides:
"The Strategic Report should include a description of the principal risks and uncertainties facing the entity together with an explanation of how they are managed or mitigated." This explicitly includes risks with their origins in behaviour and organisation and risks to reputation.
The 'principal risks' which boards should now disclose and describe are defined to include risks and risk combinations that could seriously affect the performance, future prospects, reputation or business model of the entity. Boards should disclose principal risks with their origins in various sources including behaviour or organisation. This ruling encourages boards to fix the gap in current risk analysis practice that leaves behavioural and organisational risks unrecognised and therefore unmanaged.
It follows that boards should disclose and describe behavioural and organisational risks that could cause serious reputational or other damage were they to materialise as well as how those risks are mitigated. Descriptions should be sufficiently specific that a shareholder can understand their potential impact and any mitigation applied.
Current analytical approaches identify some reputational risks but the most widely used are unsystematic and miss important areas of reputational risk. There are no widely used techniques to identify behavioural and organisational risks. Few even endeavour to identify systematically the reputational and other consequences of behavioural and organisational risks. These gaps must be filled if boards are to be able to follow this FRC guidance.
Given that specific guidance on reporting such risks has been given, there may be legal consequences for boards that report inadequately. We would hope that courts will in practice allow boards a reasonable period of grace to bring behavioural, organisational and reputational risks under systematic management.
Since the FRC's revised draft guidance to boards on risk, including behavioural and organisational risks, is already available, we believe that boards should start work in this area without delay.
Action for Chairmen and Company Secretaries
Boards cannot report on these risks until they have systematically identified and evaluated behavioural, organisational and reputational risks.
However, boards cannot insightfully specify the work they require to be done, let alone monitor its progress and consider its conclusions or report on 'principal risks', unless they understand the recently identified family of behavioural and organisational risks.
This is an exceptionally acute problem. One of the findings of 'Roads to Ruin' was that even classically trained risk professionals lack both the necessary skills and the authority needed to find risks of these kinds. The most astute Chief Risk Officers are starting to tackle the issue, but many face difficulties in engaging their boards and gaining their authority. Some also see personal risks in raising the subject with their boards because many of these risks have their root cause at board level. This confirms the conclusion in 'Roads to Ruin' that board leadership is essential to bringing this family of risks under control within organisations.
How can boards gain adequate knowledge to understand and deal with these newly recognised risks? The first step is for Chairmen and Company Secretaries to commission tailored board education about behavioural and organisational risks and their relationship with reputational damage.
Armed with that education, boards can re-brief and empower their risk and internal audit teams. The aim will be to put boards into a position where they can meet both the guidance on risk disclosure and the forthcoming FRC guidance on the management of behavioural and organisational risks.
Boards that initiate prompt action should have little difficulty in meeting the new guidance.