The change is long overdue. The recent financial and banking crises happenned despite the labours of tens, probably hundreds of thousands of risk professionals. The episode probably reflects the largest ever failure of risk management and internal control by boards, risk managers, internal auditors and regulators. It was system-wide and it continues.
The same chasm in risk management, the failure systematically to find and deal with risks from people, affects virtually all organisations worldwide with few exceptions, notably pockets of activity in the aviation and nuclear sectors.
The New Regulatory Approach
A series of recent rulings from the Financial Reporting Council provides authoritative recognition that this approach outdated and untenable. (Since this article was written, Andrew Bailey, then Chief Executive of the Bank of England's Prudential Regulation Authority, put this robustly in his speech on 9 May 2016.)
The FRC's recent Guidance on the Strategic Report requires boards to report annually on ‘Principal Risks’ whether they have their origins in “strategic decisions, operations, organisation or behaviour, or from external factors over which the board may have little or no direct control”. The board’s description of Principal Risks should be “sufficiently specific that a shareholder can understand why they are important to the company”.
In going down this route, the FRC has applied the lessons from the post mortem on the banking crisis and research such as ‘Roads to Ruin’, the 2011 Cass Business School report for Airmic, which found that the root causes of most crises lie in human behaviour and in the way that organisations are led, structured and managed.
Because the field is relatively new, few risk professionals outside aviation or nuclear safety, let alone board members, have that know-how. Fewer have the authority or inclination to delve into these areas, which rapidly lead to the personal danger zone of dissecting leadership behaviour and decisions.
The latest FRC Guidance on Risk Management should overturn any reluctance by stating that board responsibilities for risk include:
“financial, operational, reputational, behavioural, organisational, third party, or external risks, such as market or regulatory risk, over which the board may have little or no direct control”.The Risk Guidance goes on to state that the board should consider:
“whether it, and any committee or management group to which it delegates activities, has the necessary skills, knowledge, experience, authority and support to enable it to assess the risks the company faces and exercise its responsibilities effectively. Boards should consider specifically assessing this as part of their regular evaluations of their effectiveness”The FRC recommends that the board should:
"satisfy itself that [its] sources of assurance [on risk] have sufficient authority, independence and expertise to enable them to provide objective information and advice to the board."(Since this was originally written, the Basel Committee on Banking Supervision has issued draft guidelines that point in a similar direction.)
Given that behavioural and organisational risks are not included in classical risk management schemes and that the root causes of reputational damage are not widely understood, this presents a series of problems for boards. They have to extend risk management systems to include behavioural and organisational risks wherever it is found in the firm; yet they lack knowledge of the field as do their risk teams. And in our experience even board members can be reluctant to explore behavioural and organisational risks for fear of what they may find or whom they may upset.
So how should boards extend risk management systems to include management of behavioural and organisational risks and their reputational consequences?
Boards cannot expect to succeed until they have an adequate understanding the subject. Board members cannot be criticised – yet – for an inadequate understanding of these risks. But the FRC’s suggestion that boards should evaluate their skills as to risk as part of the annual board evaluation process means that ignorance is rapidly ceasing to be an excuse.
Competent board evaluators will wish to ensure that sufficient board members have adequate skills across the whole range of “financial, operational, reputational, behavioural, organisational, third party risks”. Boards are expected to report and act on the results of board evaluation. Board deficiencies as to risk will have to be remedied rapidly, by education tailored to their needs. This will, in virtually all cases, include specialist education as to behavioural and organisational risks and their relation to reputational damage.
Thus educated, boards will be able to integrate risk into their discussions and decision-making. They can also make a good start on specifying how to extend the scope of their existing risk management system.
Long term delivery is a different matter. Boards will have to develop their risk team’s competence so that it includes behavioural and organisational risks and their reputational consequences. Few risk professionals yet have adequate knowledge, skill and/or aptitude in the field. Careful recruitment and education are likely to be needed.
However, having a competent risk team is not sufficient. As the Risk Guidance makes clear, boards should ensure that both they and their risk teams have the:
“authority and support to enable [them] to assess the risks the company faces and exercise [their] responsibilities effectively”.Only Chairmen and Chief Executives can ensure that board members and risk teams can explore and report on these risk areas without fear that they are putting their careers at risk. Culture may have to change.
Practicalities: Tackling Behavioural and Organisational Risks
Tackling behavioural and organisational risks is a new frontier. Self assessments are not the answer because cognitive biases and behavioural and organisational risks prevent companies, their risk teams and their boards from seeing what outsiders can see.
The first step is to explain these unrecognised but destructive risks to boards and alert them to the dangers of cognitive biases. Tailored board education will achieve both.
The second step is to provide boards with a tool to find and deal with these risks. Our boardroom tool, ‘Board Vulnerability Evaluation’ is designed to help boards to find and tackle these risks in a way that minimises the effects of cognitive biases. Its cousin, Corporate Vulnerability Evaluation helps risk teams to find these risks elsewhere in the organisation. Both kinds of evaluation are designed to help our clients to prioritise and deal with issues identified before they cause harm.
The risk management profession has been highly successful in dealing with whole families of risk, to the great benefit of their companies and of society in general.
With support from Chairmen and Chief Executives, there is no reason to suppose that this family of risks cannot be tamed and its management made routine. On the contrary both the transformation of aviation safety over recent decades and our own research and experience show that - and how - success can be achieved.
Should you wish for advice on this subject, please contact Anthony Fitzsimmons via our website below.
Note: Since this blog was first published, we have written "Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You". This provides a comprehensive explanation of reputational risks and their behavioural and organisational risk drivers, eight case studies and an introduction to how to deal with them.