
Risk and the strategic role of leadership

About ACCA
ACCA (the Association of Chartered Certified Accountants) is the global
body for professional accountants, offering business-relevant, first-choice
qualifications to people of application, ability and ambition around the world
who seek a rewarding career in accountancy, finance and management.

ACCA supports its 200,000 members and 486,000 students in 180 countries, helping them to
develop successful careers in accounting and business, with the skills required by employers.
ACCA works through a network of 101 offices and centres and more than 7,200 Approved
Employers worldwide, who provide high standards of employee learning and development.
Through its public interest remit, ACCA promotes appropriate regulation of accounting and
conducts relevant research to ensure accountancy continues to grow in reputation and influence.

ACCA is currently introducing major innovations to its flagship qualification to ensure its
members and future members continue to be the most valued, up to date and sought-after
accountancy professionals globally.

Founded in 1904, ACCA has consistently held unique core values: opportunity, diversity,
innovation, integrity and accountability.

More information is here: www.accaglobal.com

About this report


This report illustrates the current practice of board oversight of risk management, based on in-depth interviews with executive and non-executive directors. It highlights good practices but also challenges that leaders face and considers the way forward.

© The Association of Chartered Certified Accountants


February 2018
Dr Simon Ashby, University of Plymouth
Dr Cormac Bryce, University of Nottingham
Dr Patrick Ring, Glasgow Caledonian University

Foreword

How often, as we glance through the news headlines, do we see another corporate failure and
wonder – where was the board?

Risk and risk management have always been at the heart of concerns about leadership. In this report, we explore the role of boards in the risk management of the organisations they lead.

Following the global financial crisis in 2007-8 the focus on risk and risk management has intensified. Today there is an abundance of literature as well as legislative and regulatory requirements. Risk and risk management regularly features on the board agenda, irrespective of sector.

Yet remarkably less is known of the reality of day to day practices among executives and board members. We know little about how boards are truly integrating risk discussions into strategic decision making, as well as the skills and experience they have in managing risks to deliver business goals, and where there may be gaps.

This report suggests there are different approaches to risk management in practice each with their own respective strengths and weaknesses. It also suggests that there is some way to go to integrating strategy and risk decisions effectively and many conversations on risk appear to focus on the downside rather than upside. Perhaps we should ask a different question – how can boards better exploit the opportunity implicit in risk and uncertainty to drive better business outcomes?

We hope that this report provides useful insights for both boards and executives to reflect on emerging good practice. Policy makers too may also benefit by reflecting on these findings in the light of recent developments. The next phase of our work on risk will go on to consider how organisations embed effective risk management across the business.

Maggie McGhee
Director of Professional Insights
ACCA

Executive summary

Boards have always been involved in the management of risk. Without appropriate risk taking,
organisations cannot exploit the full range of strategic opportunities that are available to them,
nor can they hope to protect themselves from less positive outcomes.

Equally, the governance and internal control roles of boards are closely connected with risk management. Effective risk assessment, reporting and control help to enhance a board’s governance and internal control activities, reducing the probability that an organisation may deviate from its stated objectives and so fail to meet the needs of its stakeholders.

What is less clear is how board-level risk management discussions and practices are changing and developing, especially in relation to the complex and dynamic world that characterises the early 21st century. Changing technology, such as the growth of cloud computing and social media, creates opportunities for returns as well as losses as do the major political and economic changes associated with events such as Brexit, the election of President Trump in America, or the global financial crisis of 2007–8.

The purpose of this ACCA research project was to discover what boards are talking about and doing about risk management, and the challenges that they face in ensuring the effectiveness of these activities. In particular, this project explored how boards are integrating their discussions about strategy and risk, along with how their risk-management skills and experience are developing. The project also investigated the challenges that boards face in performing their risk-management roles and how the roles of the executive and non-executive director are evolving: even on an Anglo-Saxon style unitary board it is possible that differences may emerge.

The intention is to shed light on, and learn from, current practice, and to share examples of good practice where possible. It is for organisations and their boards to decide which of these practices are relevant to them, as part of their efforts to ensure that board level risk-management conversations and practices are as ‘future-proof’ as possible.

The project is based on:

• 30 interviews with practising executive and non-executive directors (NEDs) from a broad cross-section of organisations;
• two focus groups consisting of a number of risk-management professionals; and
• ACCA’s Global Forums, with particular thanks to the Global Forum on Governance, Risk and Performance.

The research shows that board-level conversations and practices are varied and that this variation does not necessarily reflect the nature, scale and complexity of an organisation’s activities. It shows, however, a wide range of good practice across both larger and smaller organisations in a range of for-profit and not-for-profit sectors.


Key findings include the following.

• Board-level conversations and practices in relation to strategy and risk management take place along a spectrum, with those of many boards being nearer to one end of the spectrum or the other (although a few display features from across the spectrum). The extremes of the spectrum can be characterised as:

  o the Principled approach, where discussions about risk are more likely to focus on the exploitation of upside opportunities, and connect strategy and risk in an implicit and unstructured way, potentially leading to inconsistent risk-management decisions, and

  o the Prescriptive approach, where risk-management activities are much more formalised and consistent, but with a high degree of focus on internal control which may mean that strategic opportunities are missed.

• Boards are still finding it hard to understand and address softer factors, such as culture and risk appetite. Often, this is because of a lack of clear information and difficulties in connecting them to organisational performance.

• Regulation and compliance remain key drivers for board-level involvement in risk management. Nonetheless, some organisations are increasingly aware of the strategic benefits of risk management in helping them to exploit opportunities and so exceed their stated objectives.

• A high level of diversity in boards’ risk skills, knowledge, experience, education and training helps to develop a collective consciousness that allows a board to identify changes in risk exposures and respond appropriately.

• Factors such as lengthy risk reports and insufficient time devoted to risk management at board meetings create significant challenges for board-level risk-management activities.

• NEDs walk a delicate line between participation (ensuring that tasks are performed) and oversight (providing assurance that tasks have been performed within the agreed parameters). NEDs need to understand the organisations that they are a part of and participate in strategic decision making, but their ability to step back from day-to-day pressures and their experience in other organisations allows them to perform a ‘critical friend’ role, helping to restrain over-confident executives or encourage overly cautious ones. A unitary board should not mean that all board members need a single perspective.

The report also makes a series of recommendations for organisations, their boards and for policymakers. In particular, the report reflects the concern of interview participants (hereafter ‘participants’) that risk and risk management are not always viewed in a positive way. Risk may bring with it the potential for losses, but it also offers the potential for opportunity. Today’s board has a key role to play here, helping its organisation identify and exploit opportunities, which is as much a part of maximising the long-term sustainable performance of the organisation as overseeing the mitigation of threats.

Disclaimer

Though funded by ACCA, this research project was conducted by independent university academics. The findings from this project reflect the views of the participants and are not necessarily those of ACCA or its staff and members.

Contents

1. Introduction
1.1 Uncertainty and change: how are boards responding to risk-management challenges?
1.2 Connecting the dots: strategy, governance, performance and risk management
1.3 Research aims, objectives and approach

2. Findings
2.1 The role of the board in risk management
2.1.1 Strategy governance, performance and risk
2.1.2 The principled–prescriptive spectrum
2.1.3 Risk appetite and setting parameters
2.1.4 Culture, communication and risk
An SME Perspective
2.2 Drivers for board Involvement in risk management
2.2.1 Regulation and compliance – requirements and influences
2.2.2 Oversight: reputation and emerging risks
2.2.3 Strategy – value creation, risk appetite and the pursuit of opportunities
2.3 Board skills and experience
2.3.1 Board diversity – Risk skills, knowledge, experience, education and training (RI-SKeet)
2.4 Barriers to board involvement in risk management
2.4.1 Cognitive impediments
2.4.2 Social obstructions
2.5 Executive and non-executive convergence and divergence
2.5.1 The role of the board
2.5.2 The ‘critical friend’
2.5.3 Different perspectives and board dynamics
2.5.4 Risk discussion at board level – the critical space
2.5.5 Committees and risk managers

3. Suggestions for practice
3.1 Suggestions for boards
3.1.1 Integrating risk and strategy
3.1.2 Deriving value from risk management
3.1.3 Delivering RI-SKEET
3.1.4 Managing and enhancing board risk discussions
3.1.5 Executive and non-executive dynamics
3.2 Suggestions for policymakers
Questions for reflection

4. Conclusion

Project methodology

References

Author biographies

1. Introduction

1.1 UNCERTAINTY AND CHANGE: HOW ARE BOARDS RESPONDING TO RISK-MANAGEMENT CHALLENGES?

Organisations in the 21st century are facing high levels of complexity and uncertainty. Whether it is from the effects of global warming, developments in cloud computing, social media or political change and the potential for less liberal trading environments, the number of ways in which organisations can trip up only ever seems to increase.

In the face of this increased complexity and uncertainty, the temptation for boards is to become more conservative and risk averse in an attempt to create certainty. In practice, boards that choose to do this risk missing out on significant potential opportunities for their organisations and stakeholders. Worse still, they risk losing ground to entities with more innovative and entrepreneurial boards that are better able to steer their organisations towards the opportunities on offer. Choosing the ‘safe’ option can be a risky strategy in itself, as illustrated by companies such as IBM, which failed to capitalise on the personal computer, and Kodak, which, despite developing the digital camera, chose not to market it.

Corporate governance codes and standards are also changing. In the US a major revision of the COSO Enterprise Risk Management (ERM) Guidance was completed in 2017 (COSO 2017). In the UK, revisions to the Corporate Governance Code were released for consultation in December 2017 (FRC 2017). In both cases, a closer relationship between the strategic-management and risk-management roles of the board has been proposed. In addition, there is a greater emphasis on ‘softer’ considerations, such as the culture of an organisation.

External events such as technological developments, regulatory change or public scandals are easy to observe. It is, however, much more difficult to see how boards are responding to the risk-management challenges presented by these events.

The purpose of this research project was to investigate how boards understand their role in relation to risk management today. Specifically, the aim was to explore how boards satisfy their oversight responsibilities and evaluate their effectiveness and whether boards view risk management simply as a tool for reducing risk and increasing certainty, or whether risk management and strategic management are integrated to support innovation and the pursuit of opportunities.

Another concern is how boards understand concepts such as culture (including risk culture) and risk appetite. Further, the research explored what, if any, barriers exist to prevent boards from having effective risk-management conversations, as well as board members’ perceptions of the roles of executives and non-executive directors in relation to risk management.

The intention is not to find fault with or criticise current risk-management practices. The researchers know personally the challenges that board directors can face in navigating a path that both creates value for stakeholders and ensures that an organisation can remain viable into the long term. By learning from the current practice of boards, and the views of executive and non-executive directors, the intention here is to highlight where boards have got to in the ‘journey’ to ever more successful value creation.

Finally, this report highlights areas of good board-level risk-management practices, and provides insights that boards can use to enhance their practice further. The report also provides recommendations for policymakers, to assist in the spreading and adoption of good practice as well as highlighting areas that call for more guidance.

1.2 CONNECTING THE DOTS: STRATEGY, GOVERNANCE, PERFORMANCE AND RISK MANAGEMENT

‘One of the greatest benefits the board can bring to its management is to declare itself open to the discussion and the possibility of risk’ (consultant).

Risk management is often viewed as an internal control activity, protecting organisations from harmful events such as fires, employee misconduct or reputation-damaging scandals. From this perspective, risk is a bad thing for organisations, something to be assessed and limited as much as possible. To the extent that risk is tolerated, it is done so only because it is an inescapable part of ‘core’ activities such as manufacturing processes, marketing or service delivery.

This report does not challenge this perspective or existing corporate governance frameworks in this regard. Organisational scandals from Enron to Barings, Barclays and VW have all highlighted the significant damage that can be associated with weak governance, culture and control. Risk management provides tools that organisations can use to help identify and reduce the probability and impact of such damage.

On the other hand, neither does this report endorse one particular perspective or another. While risk management can help a board to control risks that may threaten the achievement of the organisation’s strategic objectives, it is also important to recognise the speculative dimension of managing risk, especially when dealing with the strategic-level risks that may occupy the attention of a board. As participants discussed, risk comes with the opportunity for returns, and even seemingly adverse events such as regulatory change or political uncertainty can create opportunities that may be exploited.

Equally, highly strategic risks, such as the development of a new product or market, or an acquisition or merger, very clearly combine a range of positive and negative outcomes. In such situations, some boards and organisations may prefer to use terms other than ‘risk’, such as ‘volatility’ or ‘opportunities and threats’ or ‘managing opportunity’. Nonetheless, the fact remains that exploiting opportunities is as much part of risk management as controlling downside outcomes, as participants consistently pointed out.

1.3 RESEARCH AIMS, OBJECTIVES AND APPROACH

The aim of the project was to explore current practice in board-level risk-related activities and to make recommendations to help improve the readiness of boards for the strategy, risk and governance challenges.

The specific objectives were as follows.

1. To explore how boards have developed and perform the following roles in practice:
   a. strategic risk management and decision making (seizing opportunities, avoiding inappropriate strategies, managing risks to strategic objectives, as well as enabling boards to prepare for disruptive, non-routine and reputational issues, such as ‘black swan’ type risks)
   b. oversight of risk-management effectiveness (formal aspects of internal control)
   c. communicating their approach to risk management, and
   d. managing and embedding appropriate culture (including risk culture).

2. To understand the factors (eg regulation, stakeholder pressure, improvements to strategic decision making) that have encouraged boards to perform the above roles.

3. To determine whether boards have the skills, experience and training necessary to fulfil their risk-management roles, in increasingly complex risk environments.

4. To investigate other barriers that may prevent boards from performing their risk-management roles (eg lack of skills within the risk function, silo-based risk management, complex organisational structures, lack of data).

5. To examine whether there are areas of convergence and divergence in the roles of NEDs, executives and risk specialists in relation to the above.

In exploring board-level risk-management activities and in providing recommendations for good practice, the intention is not to complicate the role of boards. What works for one board and organisation may not for another. Trying to fit every board and organisation into a specific theoretical approach can be a thankless task; best practice can vary according to the nature, scale and complexity of an organisation’s activities, as well as its culture, competencies and resources. Consequently, this report does not intend to replace existing theoretical frameworks by proposing any new frameworks or risk-management tools.

Instead, the aim was to conduct the interviews objectively without a specific theoretical or conceptual agenda. This report intends to find out how board members understand their risk-management role and make use of risk-management concepts and tools, and how they perceive the challenges that they face in performing their risk-management duties.

Resulting suggestions for practice (Chapter 4) are based upon what the participants said about things that they have done that have worked and those that have not worked. It is for the readers of this report to select the ideas and activities that may work for them or their organisation.

2. Findings

The next five subsections present the findings for each of the research objectives. The first of these was to explore the various roles that boards may perform in relation to risk management.

2.1 THE ROLE OF THE BOARD IN RISK MANAGEMENT

‘The role of the board is oversight of the company’s strategy and performance, in general and, therefore, the question of risk is a key element of strategy. So, assessing the risk implications of strategy, discussing risk appetite, understanding the elements of risk and where they sit in the organisation, and overseeing the process by which risks are monitored and managed and mitigated through the organisation’ (non-executive director).

2.1.1 Strategy governance, performance and risk
The above quote reflects the prevailing view of the participants as to the role of the board in risk management. All the participants emphasised the oversight role that boards have, a role highlighted in the UK Corporate Governance Code and many other governance codes worldwide.

The quote also highlights that although strategy and risk are connected, the relationship may sometimes be a linear one: the desired strategy is determined first, and then the risks that may arise from this strategy and its implementation are considered. In this context, strategy is the mechanism for creating value and risk management exists to help protect the value-creation process from negative events. This linear approach is reflected in the quote below from an executive director of a large listed company:

‘I think strategy is decided at some point... And once you’ve agreed that, then you say right, okay, for us to get there, that is not going to be easy, and yes, there are risks associated with that, and that each of those risks, here is the impact, and here is where the impact is going to be. And then it’s a question of “how do you manage it?”’ (executive director).

The quote highlights a potential issue with an overly linear approach to strategy and risk. In taking this approach, risk is generally viewed in terms of the probability and impact of loss, so the focus is on the minimisation of risk associated with downside possibilities. Viewing risk as ‘bad’ means that the potential for better-than-expected outcomes may be overlooked. It may also foster high levels of risk aversion in boards, a problem that was identified by a number of the participants in both large and SME organisations. The consequence of this approach is that innovations may be missed.

‘In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector’ (non-executive director).

Even where risk is viewed more positively, there remains a danger that its significance is underestimated or that strategic-level risks are not viewed as risks:

‘...it’s very easy to say, “yes, we’re doing this… but we don’t need to consider risk because it is just a strategic direction and we know there will be risk in that”. Actually you do need to take that step back of formally considering the risk in order to get the benefits of the risk management in there.
...quite often people think, actually, yes, we deal with risk every day, and, therefore, we don’t actually need to focus on specific risk management; and that’s a bit dangerous’ (executive director).

In a small number of organisations strategy setting and risk were integrated to a much greater extent. The directors of these organisations indicated that their boards considered the risks associated with choosing or not choosing specific strategic options at the strategy setting phase, as well as the organisation’s risk-management competencies and capabilities.

Such discussions were not necessarily structured in a formal way, nor did they tend to use terms such as ‘risk’ or ‘risk management’. Despite the relatively unstructured nature of their approach, these boards were more likely to exploit opportunities even when faced with seemingly adverse events, such as the economic consequences of the EU referendum, the election of President Trump and his America First agenda or government welfare changes.


Case studies: Turning adversity into opportunity

An SME component manufacturer was concerned about the election of Donald Trump as president and the potential for increased tariffs on goods imported to the US. As a result, the firm created a US subsidiary to manufacture components for its American customers.

A Housing Association was concerned about the implications of the UK government’s Welfare Reform Act 2016 on its financial sustainability. In response, the board created a strategic planning forum led by NEDs with executive input. The revised strategy led to a major restructuring and the development of new housing products and markets, all with the aim of meeting the needs of both existing and future tenants.

2.1.2 The principled–prescriptive spectrum
There is a spectrum of practice as to how structured or unstructured a board’s approach is to risk management. This spectrum also goes beyond the structural nature of a board’s approach, and includes factors like: how risk is perceived (as an opportunity or a compliance matter); board level and organisational cultures in relation to risk; and the board’s approach to communication. Figure 2.1 explains the two extremes of this spectrum.

A number of the participants discussed elements of the two approaches. It is important to stress that one approach is not necessarily better than the other. The appropriate approach may be influenced by industry sector, the level of regulation and the size or purpose of an organisation. For example, all the boards of the financial services organisations in the sample tended to be prescriptive in their approach, primarily because of high levels of regulation. In contrast, the SME boards tended to be more principled in approach.

Each approach has strengths and weaknesses, especially in organisations whose boards are close to one of the ends of the spectrum. For example, there were claims that an extremely prescriptive risk-management approach may cause board-level risk-management activities to become static and reactive, with board members getting lost in operational detail (a potential problem made worse by lengthy risk registers) and taking an overly negative view of risk.

FIGURE 2.1: Principled–Prescriptive spectrum1

[Figure: a spectrum with the PRINCIPLED APPROACH (holistic outlook, outward looking, less likely that risk is a formal agenda item) at one end and the PRESCRIPTIVE APPROACH (compliance outlook, inward looking, risk is a formal agenda item) at the other.]

1 The terms ‘principled approach’ and ‘prescriptive approach’ came from the study participants. At its extreme, the prescriptive approach is intended to capture an approach focused exclusively on
risk compliance and procedures. On the other hand, the principled approach is intended to reflect an approach that, at its extreme, focuses on the ‘in-principle’ business objectives of a board to
the exclusion of explicit risk-management compliance and procedures.


In contrast, participants warned that boards following an extremely principled approach may make inconsistent decisions and may pursue upside opportunities at any cost, exposing an organisation to excessive amounts of risk. There is also the danger that boards that appear to adopt a principled approach are not actually discussing risk and risk management in a sufficiently explicit way. It suggests that an appropriate balance must be struck.

‘When you start to scratch away from the surface, you hear, “actually, no, that did go wrong”, or “actually, yes, we didn’t consider how these risks link together”… there’s almost like a sort of bravado that you often hear about: “of course, we do this stuff”. But it’s the question of when should you have more explicit and formal consideration of risk: at what junctures will that add value?’ (Focus group member).

It should be emphasised that while boards following a principled approach were more likely to make connections between strategy and risk, this does not guarantee that they will make successful connections. Equally boards following a prescriptive approach may be just as capable of connecting strategy and risk and when they do so are likely to make more considered and consistent decisions. Each type of organisation has to work to overcome its own limitations in this regard. ‘Principled approach’ boards should guard against excessive opportunism and inconsistent risk-management decisions, and find ways to anchor their discussions, linking back to the organisation’s risk appetite statement, for example. In contrast, prescriptive approach boards should avoid focusing too closely on internal controls, as this may cause excessive risk aversion and a failure to exploit value-enhancing strategic opportunities.

2.1.3 Risk appetite and setting parameters
One concept that can help to improve the decision-making consistency of more principle-oriented boards, and help to overcome the negativity associated with the prescriptive approach, is risk appetite. Most of the participants used the concept in their organisations to some degree, although it appeared that there was little agreement on how to express this in a quantitative way. Often risk appetite might be expressed qualitatively in terms of risks that organisations might want to take or avoid, or less explicitly in terms of organisational values and ethics (eg attitudes towards compliance breaches, misconduct).

Participants said that a key benefit of thinking about risk appetite was to help boards set the parameters within which the executive directors and wider senior management team could operate on a day-to-day basis. This approach provides clarity about the risks that may be taken and those that should be treated with caution, as well as how risk-management activities and processes should be conducted across the organisation. Setting parameters is hard if there are no clearly defined quantitative limits: but the following comment indicates that there is readily available information to support the process.

‘So the classic thing, zero harm – we’ve got no appetite for something – it’s a complete misunderstanding of what risk appetite is. There is a wealth of metrics and information out there that you can tap into to articulate statements in a way which will actually add practical guidance to a business, and you’d be able to measure whether you’re operating within those parameters. But a lot of companies are just nowhere… they’re still doing the sort of high, medium and low, hungry-averse-type scales, which are just worthless’ (Focus group).

2.1.4 Culture, communication and risk
An organisation’s culture can have a significant effect on how people within the organisation behave and communicate with each other. This can influence the tendency for misconduct as well as how risk and risk management are perceived (eg whether risk management is seen as a business enabler or bureaucratic red-tape) and reported. Events such as the Barclays LIBOR scandal clearly illustrate such connections (Salz 2013).

On organisational culture and the specific aspects of culture related to risk taking and control (so called ‘risk culture’), participants claimed that culture was not discussed in an explicit way by most of the boards in the sample, and risk culture was hardly ever discussed or understood as a discrete concept. Outside financial services, only two boards regularly discussed culture in relation to risk and this was because one was in a people-focused business and the other had a risk director responsible for focusing on culture, and risk culture in particular.

Risk and the strategic role of leadership | 2. Findings


Other non-financial services organisations only discussed culture at board level on an ad hoc basis, for example in relation to major change projects, or the appointment of a new CEO or chair. Risk culture was not generally discussed by non-financial organisations. In contrast the boards of all the financial services organisations in the sample looked at culture and explicitly at risk culture. Regulation was cited as the main reason for this.

Outside financial services, attempts to assess culture formally may have been rare, but the value of doing so was recognised by some of the participants:

‘…you’ve got to have a definition of what you think the culture is. And then you’ve got to have metrics which help you determine whether that culture, in fact, exists. And those…might involve employees’ feedback surveys, discussions with focus groups of employees... There are practical steps that boards and management take to determine whether … the culture they aspire to is, in fact, the culture that is operating in the business.’ (Non-executive director)

On the subject of communication many of the participants did make links between this and culture, and in particular the importance of an appropriate ‘tone from the top’ in relation to risk taking and control. Several of the participants also emphasised the importance of the board’s ‘talking the talk’ and ‘walking the walk’ to ensure that people within the organisation would believe that the board took the management of risk seriously.

Opinion was split on how communication between the board and the wider business should be achieved. In some organisations, boards communicated via the executive team and communication tended to be top-down. In others, non-executive members of the board communicated directly with a range of people, not just the executive, and communication was more integrated. Those with a top-down approach put a greater emphasis on maintaining board independence and the avoidance of it becoming overly operational.

An SME Perspective
Investigating the role of the board in strategy governance, performance and risk identified some findings specific to SMEs that are worth highlighting.

A number of participants had executive and non-executive director experience with SMEs. These directors commented that SME boards tend to be more innovation-focused and will get involved in entrepreneurial activities. They said that this is driven in part by the need for SMEs to innovate to survive in highly competitive marketplaces (as they often have less financial security or brand reputation to fall back on than larger organisations), but it was also a consequence of increased agility and the closer proximity of the board to the wider business. SME boards appeared to be able to make strategic decisions to exploit new opportunities that could be implemented quickly.

Nonetheless, it was also observed that SME boards can be more short-term and reactive in their approach, primarily because of their higher risk of failure. Formal risk management conversations were comparatively rare in participant SMEs, suggesting a more principled approach (in the sense used in section 2.1.2 above). In general, risk management was considered formally only once or twice a year, in relation to topics of regulatory significance such as health and safety.

SME board members were also much more likely to have closer communication with the wider business, and some of the SME participants with risk-management expertise were helping their organisations to drive significant improvements in practice. Participants explained that the smaller size of SMEs made it easier for board members to get to know the wider management team of their organisation. In addition, board members may possess skills that are not present anywhere else in the organisation (eg specialist knowledge of risk management) and that enable the business to be driven forward.


2.2 DRIVERS FOR BOARD INVOLVEMENT IN RISK MANAGEMENT

This section is concerned with key drivers that participants believed were prompting risk discussions and activities in boardrooms. The responses may be, to some degree, regarded as reflecting the spectrum identified in section 2.1.2. On the one hand, a number of the motivations identified could be considered to fall within a strategic, or value creation, perspective. On the other hand, another set of motivations might be regarded as inclining more towards a regulatory governance, or value preservation, perspective. Significantly, there appeared to be an increasing recognition of the importance of board-level risk discussions.

The themes presented below are ordered according to the importance assigned to them by the participants. Regulatory drivers were by far the most cited reasons for board-level risk discussions and activities.

2.2.1 Regulation and compliance – requirements and influences
The direct impact of regulation
Legislation, regulatory requirements, corporate codes and professional codes of conduct were regarded by many participants as having a direct effect on attitudes and practices in relation to risk management. There was an acceptance that sometimes this might lead to a ‘tick box’ approach:

‘..I do think there are times when you do need to tick some boxes, by the way, because you have lists of compliance matrices that you have to follow, and you have to show that you’ve followed them, and the best way of doing that is to tick a box to say that you’ve done it.’ (non-executive director)

Nonetheless, some also recognised that adopting a ‘compliance mind-set’ reflected the more prescriptive approach to risk management outlined in section 2.1.2, a situation that may foster excessive risk aversion: ‘it’s the mind-set of actually, rather than helping us take risks better it’s about not taking risks at all’ (executive director). It was also clear that many saw the influence of regulation and regulators at work directly in day-to-day risk-management practice in areas of risk such as governance, culture and strategy. Specific examples are set out in Table 2.1.

TABLE 2.1: Examples of regulatory influence on boardroom decision making

AREA OF REGULATORY INFLUENCE: Risk appetite. Boards are more conscious of their role in risk oversight
EXAMPLE: ‘The risk-appetite framework and risk-appetite statements are very much something that the board seems to feed into. We are seeing,… through regulatory pressure, to evidence more what the board are actually doing in the oversight piece’ (executive director)

AREA OF REGULATORY INFLUENCE: Committee structure. Board members may not be clear as to the responsibilities of the committee versus the board
EXAMPLE: ‘If the regulator wants the board to be more collectively involved in everything,.. why make us have separate committees?’ (executive director)

AREA OF REGULATORY INFLUENCE: Board member responsibility. The role of chairman in setting the culture is clear in the current regulatory framework
EXAMPLE: ‘There’s a prescribed responsibility for culture within the organisation that resides with the chairman. And our chairman is fairly conscious of ensuring that he can fulfil that...’ (executive director)

AREA OF REGULATORY INFLUENCE: Horizon scanning and scenario planning. Some boards are actively using horizon scanning and scenario planning in fulfilling their oversight responsibilities. This may include the use of internally generated scans and external resources, such as risk reports by regulators.
EXAMPLE: ‘There’s some really good external publications that are put out by the regulator…they’ll do a review themselves of all of the concerns and risks that they’ve identified through the course of the year…[and]…more broadly looking forward as well and thinking, what are the things that are keeping the regulator awake at night?…that’s a key document really for any kind of … audit and risk committee to be poring through and saying, right, here are the 10 risks the regulator has identified as being really key and on its mind.
‘Where do we sit against these 10 risks? What are we doing in relation to these 10 risks? Are these risks we’re aware of? We do that exercise proactively…cross-check or cross-reference to say…these are the key risks, these are the ones that appear on our register, these are the ones that don’t appear on our strategic risk register, and these are the reasons why. This is one that… we didn’t have previously as a risk. We’ve rated it here. It’s not on a strategic, [but] it’s on an operational risk register’ (executive director)


Regulatory requirements and statements influence the strategy, structures, practices and behaviours of organisations in more or less subtle ways. This is also having an effect on risk-management practices among organisations operating within less-regulated sectors. Firstly, board members who have worked in regulated environments appear to see the benefit of transposing these regulation-driven, risk-management practice into other organisations.

‘I joined the board…and we also had a new chairman at the same time and we both come from working in a highly regulated environment…and we were a little surprised at the lack of risk expertise and focus on risk that we found when we joined the business so I think it’s probably fair to say that the impetus [for changing things] was driven by the chairman and then myself with the recognition that really we have to get the organisation up to speed ... around risk’ (consultant).

Secondly, there is also recognition that even in less regulated environments boards are nevertheless being held more accountable for their decisions by stakeholders.

‘In a non-regulated organisation the risk has always been there, but … I’m seeing in some of the stuff I’ve done more of a move towards, not the level of stuff that’s expected by the FCA from a regulated body, but it’s a move towards that direction, a greater scrutiny, a greater… assessment. … The concept of holding to account of directors by shareholders is out there and it’s coming with a bit of a force’ (non-executive director).

Embedding regulatory impact within organisations
Participants spoke of the increasing recognition and importance of risk, and risk management practices, at board level. This attitude, and the pervasiveness of the influence of regulation discussed above, was reflected by a number of the participants in discussing the relevance of risk culture, or their role in embedding risk awareness, in their organisation.

‘One of the things that… is generally accepted [is] that boards need to be involved in…agreeing … what the overall risk appetite of the business is. How can you do that if you don’t understand the concepts of the culture in which risk appetite is articulated and agreed, because they’re entwined with each other. They’re part of the same thing’ (non-executive director).

From a board perspective, this is important for two reasons. Firstly, and as has been a key theme of financial regulators (FSB 2014), if the ‘right’ risk culture is embedded in an organisation then this provides additional assurance to a board about the effective operation of the organisation’s risk framework. Secondly, it explains the importance that many of the participants placed upon ‘tone at the top’ and the non-executive board members’ understanding of what was happening on the ground and checking this against their experience at board level.

‘First of all, the tone has to come from the top so if your…board thinks about risk management in terms of...a compliance exercise, it will always remain a parallel process. It will never be embedded in the day-to-day work, in the day-to-day operating model of the company. And therefore it will never be part of discussion at board level’ (executive director).

The report will further discuss the importance of the board’s understanding of what is happening on the ground in the wider organisation in section 2.3.

2.2.2 Oversight: reputation and emerging risks
Governance and oversight of their organisations was often mentioned by participants when discussing the importance of risk at board level. This was often associated with compliance. Non-executives need to be assured that executives have ensured there is an appropriate risk-management framework that is operating effectively. In this context of governance and oversight, two specific drivers were mentioned consistently: reputation and emerging risks.

Board role in protecting and enhancing reputation

‘Reputation is kind of an interesting one, because it tends to be an underestimated risk by management, I think, and yet you can point to examples in the public domain where people have suffered quite badly from reputational risk or having a bad reputation for something...’ (non-executive director).


This was emphasised particularly by organisations that were customer facing, focused on ensuring they had the trust and confidence of their customers. For example, the significance of this issue for oversight and governance is apparent in the experience of the financial services sector and its efforts to gain or regain the trust of the general public after the financial crisis of 2007–8.

While discussions about reputation often took place in the context of protecting value – perhaps the more customary ‘defensive’ risk governance perspective – it was also recognised that effective management of risks to reputation could also enhance reputation:

‘And we’ve seen some of that in the last five years, I would suggest in some of the cyberattacks that have happened to major organisations. Some have handled them very badly and have upset their customers and had their reputation damaged. Others have managed it really well, really transparently and have done a great deal to enhance reputation, and in fact their share price’ (consultant).

Emerging risks and incidents
A wide range of external events (eg sectoral risk events, political and socio-economic events, media reports) were reported as common drivers for board-level discussions about risk:

‘Boards don’t know what they don’t know. So, if something happens outside that you believe will have a substantial impact on the business, the board then has to have a conversation about it’ (non-executive director).

In turn, this echoed participants’ discussion of the importance of the diversity of the board in bringing a range of (‘outside’) expertise and experience to risk discussions (see section 2.3.1 for further discussion of board diversity); of scenario planning as a tool for anticipating new or developing risks (such as cyber risk); and of horizon scanning in actively researching and examining the implications of what is happening to competitors and similar organisations, as well as in the socio-economic environment in which the business is operating.

2.2.3 Strategy – value creation, risk appetite and the pursuit of opportunities
In addition to regulation and compliance as a driver of board-level risk discussions, participants also emphasised strategic drivers. This echoes again the prescriptive-principled spectrum discussed in section 2.1.2.

What was stressed by a number of participants was the need for discussion of risk at a strategic level – not at a level of governance and oversight that dwells on risk registers and frameworks – in order to be able to take advantage of opportunities.

‘What really could unseat the strategic objectives of the business? What really are those opportunities that the business might be missing because it’s too conservative in its risk appetite. And then real discussions are not so much risks, but they are issues that affect the risk and the environment in which the organisation is trading. And it’s absolutely vital that the board has the opportunity and the education to allow them to have those kinds of discussions’ (non-executive director).

In having these discussions, participants emphasised how important it is that a clear understanding of the organisation’s risk appetite is embedded in strategic decision making. It was also suggested by some participants that this is key to acting strategically in a fast-moving environment:

‘in order for the board to achieve their strategy, people needed to be doing things differently, faster and making different decisions. So that was actually key about making sure that the risk appetite in the business or the definition of risk in the business underpins the strategy. They couldn’t do the strategy without that right risk appetite’ (executive director).

This reflects back to the discussion in section 2.1.1 concerning the relevance of risk in strategy setting.


2.3 BOARD SKILLS AND EXPERIENCE

This section considers the skills and experience that are brought to bear on strategic decision making within the boardroom in relation to risk management.

‘Understanding risk management, the risk–reward equation, is fundamental to the role of the board’ (non-executive director).

2.3.1 Board diversity – Risk skills, knowledge, experience, education and training (RI-SKeet)
Throughout the interviews and subsequent focus groups, it became apparent that diversity was central to a board’s ability to manage risk. This concept of diversity (in its broadest sense) was especially pronounced when discussing the composition of NEDs required to enable the board to understand the ‘risk-reward equation’. This diversity came in various guises throughout the interviews, summarised here as Risk Intelligence, Skills, Knowledge, Experience, Education, and Training (RI-SKeet, Figure 2.2). The enrichment and enhancement of strategic decision making brought about through RI-SKeet ensures a collective board intelligence that is balanced, allowing it to understand fully the dynamics of the risk–reward equation.

FIGURE 2.2: RI-SKeet
[Diagram labels: Risk Intelligence; Technical and ethical competencies (TEQ); Skills; Knowledge; Experience; Education; Training]

Diversity was also seen by some participants as a way of ‘de-risking’ the board, broadening opinion and enabling non-executives to pool their RI-SKeet. In addition, RI-SKeet was regarded as a source of competitive advantage for organisations.

‘If you have an organisation, for example, that’s had a board composed of people who’ve come up through the ranks, understand the culture of the organisation and understand what really makes it tick and how things, how politics work, and how communication really works in practice, and you have non-execs who all come from the same industry, then you have a board that is very good at understanding what I would describe as internal risk…[But] if they lack true exec and non-exec members who have come from outside of the organisation and ideally outside the industry, then they will lack that external perspective and there will be a lens around the board room table that is missing’ (consultant).


The ability of a board to anticipate risk and identify opportunities underlines how strategic decisions may be enhanced by a diverse RI-SKeet board. Such opportunities may not be as apparent to executives owing to their involvement in the day-to-day workings of the organisation. A highly functioning board with good RI-SKeet can provide an accelerator and a brake when considering the risk-reward equation as part of its strategic decision making.

Ensuring boards remain risk-relevant
Organisations within the study have, through a number of mechanisms, actively sought to increase RI-SKeet within their boardrooms in an attempt to ensure that consideration of risk is embedded in strategic decision making.

A large proportion of organisations in the sample employed board skills matrices and audits to evaluate areas of perceived overlap or insufficiency on their board. As one participant stated:

‘one of the things we do is a skills audit, or skills review every now and again, to say what are we missing, what skills are we missing. We type [sic.] that into our strategy as well’ (non-executive director).

The organisation referred to in the above quote was a relatively small SME operating in the third sector, yet it still recognised the importance of aligning the board’s RI-SKeet to the organisation’s mission and business model. Matrices and subsequent audits of board skills in RI-SKeet become particularly important when bringing non-executives on to the board, as this is seen as an opportunity for ensuring that the board remains risk-relevant while ‘future proofing’ against the ever-changing business environment in which the organisation finds itself.

Board transition arrangements are not the only means of ensuring that a board remains diverse in RI-SKeet. A number of participants, both executive directors and NEDs, highlighted the importance of ensuring that the board knows the business, is aware of its idiosyncrasies, and understands the culture of the business on the shop floor, as outlined in section 2.1 below. This process of ‘kicking the tyres’ by getting out of the boardroom and into the business itself was seen by some as a process that allows the board to ensure they are risk-relevant, getting a sense of the ‘qualitative’ that is so often lost in risk registers.

‘I know the chairman of one company… they [sic] always have their lunch with the employees, they never go and sit in a separate dining room. And when they say you can come and have a chat with me and tell me what you think they mean it…I think it’s something that a lot more boards are doing now than they ever did before. They cannot hide away in an ivory tower, they need to actually understand the business. If you’re going to govern something you must have a decent level of understanding, otherwise how on earth can you govern?’ (non-executive director).

Case study: RI-SKeet in the boardroom
An SME third-sector investment company with credit risk ratings higher than would be found among commercial lenders was required to develop a risk register and robust business strategy as part of its funder’s conditions of business. In order to do so, the board went on an away day to determine the principal risks to the business and discuss how they fitted within the company’s strategy and mission. In doing so, the board was then able to use its RI-SKeet matrix to determine the most appropriate director to take ownership of that risk on the risk register, thus providing accountability and leadership of those risks from within the boardroom.

A qualitative understanding of the business also allows NEDs to obtain assurances about what they are hearing within the boardroom.

‘What you don’t want to happen is that the chief executive is telling you everything’s rosy in the garden, but when you go out in the field, you find that all the things that you’ve been told are rosy aren’t really happening’ (non-executive director).

The presence of gaps in board RI-SKeet was not uncommon throughout the study, with a particular emphasis on emerging areas of potential exposure. For example, the effects of merger and acquisition on the risk-relevance of the board and the prevalence of cyber risk in organisations were seen as particularly pertinent by


some participants, with the latter being related on multiple occasions to a well-known large-scale hacking event in a telecommunications company.

This event provided boards with a near-miss scenario that placed cyber risk as a focal point of discussions within the boardroom. It was apparent that potential near misses (proactive) and actual losses (reactive) were extremely important in prompting explicit and strategic risk discussions in the boardroom. This emphasises the significance of such events as a driver for risk discussion (as outlined in section 2.2).

It was also clear that boards use the expertise of external and internal risk specialists in an attempt to provide RI-SKeet in areas in which they have a particular lack of expertise. While this is especially common in relation to financial misstatement risk, via the use of external auditors (the risk specialists for financial misstatement risks), it was suggested that the use of other types of risk specialists (eg cyber risk or health and safety specialists) was just as relevant for other areas.

‘Having finances misstated is a risk, and therefore [external] auditing is well known [as a means of mitigating financial misstatement risk] and everybody assumes it’s there. But doing the same on health and safety or on IT is also, to me, a logical step, if that’s one of your risks’ (non-executive director).

Risk specialists also enhance the risk-relevance of a board through facilitating the explicit discussion of risk at away-days, in which time is dedicated to strategic ‘deep dives’ of risk issues.

These discussions are further supported through the use of scenario exercises that allow the board to understand its members’ strengths and weaknesses in prevention of and responsiveness to risk, as well as the pressure points around RI-SKeet, risk ownership, and risk appetite that require attention.

Case study: using external specialists to enhance RI-SKeet
In the aftermath of two publicly reported hacking incidents it was acknowledged by a manufacturing company that its board’s RI-SKeet regarding the cyber domain was weak. The board supplemented the relevant RI-SKeet by bringing in an external specialist to advise the members; during this audit, the company actually came under attack by a foreign entity attempting to steal intellectual property. It was acknowledged that had the board not been proactive in obtaining this expertise it would have been a ‘disaster’ for the company as its products could have been made available on the grey market.

In order to ensure that boards remain risk-relevant, and taking into account the findings of skills matrices, audits and scenarios, there was an understanding from participants that training is beneficial, particularly for ‘killer issues’. Even so, this attitude was not unanimous, especially among participants in the SME sector, where risk training (whether in-house or external) at board level is less prevalent. This was articulated by one executive director, who stated that the reason there was not enough board training was because it is generally assumed that risk management is something anyone can do, because they do it unconsciously every day.

2.4 BARRIERS TO BOARD INVOLVEMENT IN RISK MANAGEMENT

This section examines the barriers that prevent a board from managing risk effectively. The research objective was to identify common barriers that can impede the functioning of a risk-sensitive board.

‘The problem with risk is that if you don’t keep it alive it will die’ (executive director).

Many participants made it clear throughout the interviews that, in order to be able to consider risk strategically, boards need to be aware of, and understand, how risk ‘lives’ in their organisation. Risk needs to be alive and visible at board level to enable meaningful discussion. Yet, the process of making risk more visible to the board is fraught with difficulties as there are multiple barriers that inhibit this from occurring.

It is evident from the interviews that the majority of these barriers fall within two categories; these are ‘cognitive impediments’, which reduce a board’s ability to make risk-sensitive strategic decisions, and ‘social obstructions’, which suppress risk-relevant dialogue in the boardroom. As shown in Figure 2.3, the board’s-eye view of the organisation becomes blurred because these barriers filter out a holistic view of the organisation. It is also important to note


FIGURE 2.3: A board’s-eye view of the organisation
[Diagram: the board’s-eye view of the organisation, seen through three lenses (1 Risk committee, 2 Risk specialists, 3 Audit committee) and passing through cognitive filters (2.4.1) and social filters (2.4.2). Filter labels: static risk data, organisational complexity, no safe-zone, time pressure.]


that the presence of ‘social obstruction’ may facilitate the creation of a ‘cognitive impediment’ and vice versa.

To bring risk back into focus, the board may make use of various committees and specialists as lenses through which to see the organisation closely. However, our participants observed that the existence of these risk focal-lenses does not sufficiently compensate the loss of vision caused by these barriers. Therefore, participants considered it important to reduce the internal barriers to increase the ability of the board to obtain a holistic view of the organisation that is grounded in knowledge and understanding.

2.4.1 Cognitive impediments

Cognitive impediment 1: Static risk data

The majority of respondents, regardless of industry or scale of operations, emphasised that the single largest impediment to a functioning, risk-sensitive board is the inability to obtain an adequate view of the health of the company through the board papers. The ability to move away from vast static risk registers that are essentially backward looking, towards a dynamic view of the real-world impact of risks on the activities of the organisation, was something that many have aspired to, but few have actually achieved, in their board’s approach to risk registers. All too often, and much to the disappointment of some participants, the use of risk registers was seen as a ‘tick-box’ exercise characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.

In an attempt to ensure that standing items on risk registers do not lead to complacency, some participants highlighted the importance of focusing on ‘emerging’ and ‘moving’ risks. This approach has three benefits. Firstly, it ensures that information going to the board remains relevant and forward-looking. Secondly, it ensures that the board does not become overly involved in operational issues arising from the risk register, as highlighted by one executive director: ‘If they start talking about the 99th risk on the register, they’re getting too much into the operational’. Thirdly, providing information on developing risk situations enables risk conversations that help to mitigate potential losses and exploit strategic opportunities.

The ability to provide a bottom-up synthesis of information that makes the invisible visible, while reducing the overburdening amount of risk information the board receives, can improve general enquiry and strategic decision-making within the boardroom.

Case study: when static data (unfortunately) becomes reality

A company was considering a large-scale IT reconfiguration project throughout its business operations. During this process, a crucial strategic decision on whether to proceed with the project was brought to the board for consideration. Given the time it had taken to implement the project, by the time the end-to-end system was fully implemented the business had changed its strategic direction and the system was no longer fit for purpose.

It turned out subsequently that the report presented to the board contained many technological terms, and detailed a combination of risks associated with the functionality that was being designed and their relevance to the changes of business strategy. When an investigation as to the cause of delay had been completed, it turned out that the board had found the report difficult to understand owing to the volume of technical terms contained. As a result, the board had been unable to consider the issues effectively and efficiently when considering the viability of the project.

Cognitive impediment 2: Organisational complexity

As explained by the participants, the ability of a board to make risk visible is hampered by organisational complexity. This complexity makes the setting of decision-making parameters difficult for boards. This is further accentuated by static risk data that is backward looking and potentially irrelevant to challenges the business currently faces internally and within its environment. As outlined by one participant:

‘the big complex ERM systems, which take an enormous amount of time to gather [information on], and information is providing a picture of what was, as opposed to…what is currently pulsing around you in the organisation’ (executive director).

Further, in the context of the ‘prescriptive’ and ‘principled’ approaches to making decisions on strategic risks outlined in section 2.1.2, it was suggested that more complex ‘principled’ organisations should have visible anchors to ensure that business critical issues are not missed, for example risk metrics and currently significant risks from the risk register.


‘If somebody is doing a good job…they are smartly and honestly saying ‘here are the three things we are most worried about at the moment’ (executive director).

By contrast, more complex ‘prescriptive’ organisations may get lost in the detail and become overly risk averse in their approach to strategic decision making. Given the effect of static risk data and organisational complexity on decision making within the boardroom, participants emphasised that audit and/or risk committees create a vital conduit through which to ensure the timely flow and filtering of relevant information to the board. It was unfortunate in the above static data case study that this practice was not conducted sufficiently thoroughly, and the consequences of this were sizeable for the organisation in question. The ability of these committees, along with the support of risk specialists, to reduce the cognitive burden on board members allows the board to focus its RI-SKeet on making better decisions on strategic risks.

2.4.2 Social obstructions

Social obstruction 1: Risk safe zone

‘The fact that challenge is there makes the executive work harder’ (non-executive director).

Turning to the social obstructions to board involvement in risk management, participants noted the difficulties associated with enabling debate and challenge in the boardroom, especially when discussing sensitive risk-management issues (for example, ‘bad news’ events such as major fraud or reputational damage). To help facilitate debate and challenge, a number of participants recommended creating a ‘safe-zone’ atmosphere for risk-management discussions, where constructive dissent and disagreement is encouraged within a non-judgemental and supportive environment.

This creation of a safe-zone in which concerns around risk at board level can be expressed freely and without discrimination allows RI-SKeet to be used more resourcefully. This resourcefulness arises from improved transparency and increased trust within the board because it allows non-executives to speak ‘truth to power’ (executive director), while respecting the insights of the executive (see also section 2.5.2). This ability to create an open and transparent arena for discussion alleviates the psychological burden of challenge:

‘in a really deep personal level it’s really tiring to consistently put yourself in the way of asking the difficult questions’ (executive director).

It was acknowledged by one of the participants that the creation of a ‘safe zone’ can be taken a step further by holding separate non-executive ‘in-camera’ sessions. The specific function of these is to allow for the candid and transparent discussion of risk without the presence of the executive team. This is particularly effective in mitigating the effect of dominant executive personalities, when a ‘command and control’ dictatorial approach to strategic risk in the boardroom may run contrary to the board’s effective performance of its assurance function.

Social obstruction 2: Board sensitivity to time pressure

‘I think time is a big factor; do they spend enough time specifically talking about risk [rather] than talking about strategy? I think that’s an issue’ (executive director).

Irrespective of the development of a safe zone, the nature of the risk data, or the complexity of the business, if a board does not have adequate resources and time to undertake risk-management activities it will struggle to carry out its role satisfactorily. Participants noted that, without the time to employ RI-SKeet effectively within the boardroom, the natural tendency would be to focus on the downside while suppressing upside considerations. This places more emphasis on the importance of away-days, for example, to allow the board to give undivided time and attention to focus on risk, as outlined in section 2.3.

Participants also noted that the time made available for effective risk-management discussions may not be adequate. One of the key reasons why this is so, is that it can be perceived as a bureaucratic hindrance, getting in the way of what are perceived to be more immediate board-level concerns. Among the participants’ firms, this was particularly common in environments that are dynamic and fast-paced, especially where boards are reacting to events rather than taking more proactive control. This bureaucratic hindrance perspective was explained as follows: ‘I think risk gets a bad press, a bad name, because it’s seen as a box ticking, very routine, that doesn’t add value’ (non-executive director).


2.5 EXECUTIVE AND NON-EXECUTIVE CONVERGENCE AND DIVERGENCE

The participants generally accepted the importance of risk management in board deliberations. This section considers divergence and convergence in the roles of executive and non-executive directors when managing risk at board level, as well as the role of other risk specialists in supporting them.

2.5.1 The role of the board

There is no distinction in law between the executive and non-executive directors on the board of a company (although there can be a distinction in not-for-profit and charity organisations). When describing the role of the board in relation to risk, unity of purpose was reflected by various participants, and centred on the issue of (risk) governance.

‘So absolutely, there’s a very important role for the board to play, but they are not the executive. They are the governance. And I do think sometimes people get a bit mixed up about what the role is. And the role is not to manage the company. The role is to govern the organisation…

‘If you have a crisis, it is not the role of the board to jump in and manage the crisis, that’s an executive role. The board’s role is to make sure that the business has a crisis team, that they’re properly resourced, properly rehearsed, and can give comfort to the board that if something goes wrong, they know that the organisation is prepared and will cope with it’ (non-executive director).

Nevertheless, some participants argued that executives are the risk owners, with the board setting the parameters and assessing the risk controls. On this role of the board, participants emphasised the importance of non-executives, and the following statement is typical:

‘the big difference is that they… [are] able to take that more independent, strategic view as a non-executive, that’s harder to do as an executive. And I think the lines should be very clearly drawn between the two, because if it starts, that blurring of lines then that can be difficult for the executive. But also when non-executives do have to take that step back and exercise some independent judgement, that can be very hard, if [they are] too involved in the day-to-day or too close to the day-to-day management of the business’ (non-executive director).

The blurring of responsibilities may arise where non-executives have been brought onto the board specifically because of their expertise:

‘what you find happening is that non-executives are brought in because of a specific area of expertise and they spend their life second guessing the executives, which of course leads to enormous frustration’ (executive director).

Participants indicated that smaller, particularly owner/manager, organisations can experience particular problems in maintaining this divide:

‘one of the things that is really difficult… is that there are no distinguishing elements between direction and management… So that distinguishing between what is strategy and what is operational is quite blurred…and always the operational imperative will trump the strategic perspective’ (non-executive director).

2.5.2 The ‘critical friend’

When discussing governance and the management of risk, some participants did so in the context of a board’s relationship to the managers in the business.

‘But I think the board can step aside and see the bigger picture and identify more global risks, maybe, that could have an impact on the business that the executives at the lower level [non-board senior management] wouldn’t be able to see’ (executive director).

Nonetheless, the majority of participants discussed this supportive and inquisitive relationship in the context of the relationship between executives and non-executives at board level. Thus participants variously referred to non-executives bringing to the board:

• an external perspective (non-executive director)
• positive challenge and holding to account (non-executive director)
• objectivity (executive director)
• an ‘additive’ input (non-executive director)


• support and the right parameters (non-executive director)
• oversight (executive director)
• influence (non-executive director)
• critical friend (non-executive director).

The ‘critical friend’ concept captures both the support and the rigorous examination that participants expected NEDs to bring to an organisation and to the executive directors in their running of that organisation, to ensure the effectiveness of the board.

2.5.3 Different perspectives and board dynamics

The participants drew attention to the different perspectives that executives and non-executives bring to the operation and decisions of the board.

‘… the execs bring experience, detail, track record, you name it from the business. The non-executives bring dispassion … without emotional investment … the execs bring depth, then the non-executives should bring breadth and bring … to bear their experience they had from other areas’ (non-executive director).

Participants went on to suggest that the NED’s job is to provide support through constructive input and suggestions for optimising risk-management decisions, while it is the executive’s job to think of the practical solutions for the implementation of these decisions. Participants were also clear about the effect that different personalities can have on board dynamics and resultant risk-management outcomes:

‘if you’ve got some people that are really passionate about it and have the trust of the board then [they] can revolutionise the way a board looks at risk. If you haven’t got somebody [who is] passionate and [who] doesn’t really get it, then it becomes fairly piecemeal and fairly, sort of, part of what happens’ (non-executive director).

It was also noted that the stability of a particular business or industry can have an effect on the board’s approach to risk. A key concern expressed by some participants was that ‘cosy club’ type cultures can emerge in benign risk environments, leading to complacency and a lack of challenge in the board room.

‘In some businesses, where things tend to be very, very stable, the non-execs tend to be a little club, they just come in and they meet, and they go through the motions, but because the environment is stable, then they tend to be fairly tame at meetings. We’ve got completely the opposite, where they come in, they aren’t aggressive, but very challenging, simply because they recognise transformation puts the business at enormous risk’ (executive director).

Overall, participants observed that managing the mix of characters, in what one participant referred to as the ‘theatre of the board’ (executive director) was regarded as key in enabling the discussion of risk at board level. The same participant also noted how this extended to the management of board meetings themselves, especially when agendas are large, limiting discussion and challenge (see also section 2.4).

2.5.4 Risk discussion at board level – the critical space

A theme emphasised by a number of participants was the distinction between ‘ensurance’ and assurance – where the role of the executive directors is to ensure that the organisation’s strategy is implemented, and NEDs assure that the implementation is performed effectively and is consistent with the agreed strategy.

‘We very often think about the role of the board being fundamentally about the assurance in terms of safety of the overall organisation – reputation, cost of return on capital, all of those issues; and the executive is responsible for the “ensurance” of the way in which assets are deployed in the organisation, and how you have as a board a sensible, meaningful conversation about that interrelationship seems to me to be absolutely critical – it’s a critical space …’ (executive director).


A distinction was also made between executives and non-executives’ roles in the management of risk. Outside the board, executives were responsible for day-to-day risk taking across the organisation, while the board itself, and in particular NEDs, kept a degree of separation from this activity:

‘there’s a dichotomy that exists between the board table and the executives, because the executives actually are taking the risk [whereas] the board very rarely takes the risk; it’s the executives themselves who are taking that risk’ (non-executive director).

The reason for this separation was to allow the board to operate as a ‘critical space’ within which both executives and non-executives can debate and challenge at a strategic level. The ‘critical’ nature of the ‘critical space’ arises because the interactions between board members are crucial for effective risk governance. In turn, it is this space that encourages and nurtures a relationship where each non-executive can be both a ‘critical’ and a ‘supportive’ friend.

‘Their main role is to hold [me] and the group chief executive to account, and to make sure that we have got the processes and procedures in place to manage the risks that we…as the executive, …think we face. And to challenge us on our assessment of those risks’ (executive director).

Within this critical space, the importance of the safe-zone atmosphere discussed in section 2.4.2 becomes even more obvious.

2.5.5 Committees and risk managers

The discussion by participants of the relationship between the board and audit committee, risk committee, or audit and risk committee, as well as risk managers, reflected the issues already mentioned above. Participants noted the difficulty of drilling down into detailed risk issues within time-pressured board meetings, and the important role of the audit and/or risk committee:

‘the Board meeting was three hours … he [the risk manager] should really have had an hour out of that three hours, in my view, to really get to the bottom of some of these [risk] areas, [but] he was granted 10 minutes or so...So that bit there said, okay, so things aren’t happening correctly at [the] board, where should they then happen? So the audit committee, in my view, is the place where scrutiny of the [risk] areas takes place’ (non-executive director).

The risk and/or audit committee was seen to act as a filter for the board, with a more succinct discussion taking place at board level.

‘It’s a very fine filter, if you like, in that the discussions that take place in the committees, it’s really down to the chair of that committee then to distil the key points from the committee discussion to the board’ (executive director).

Nonetheless, participants noted the possibility of duplication, especially if there is both a risk committee and an audit committee and reporting lines are not clear. Outside formal reporting, established lines of communication between executive and non-executive board members, as well as between board members and sub-committees, were therefore regarded as important in enhancing the risk discussion at board level. Key one-to-one relationships that were identified included the board chair and CEO and the audit committee chair and CFO.

Participants also mentioned the importance of the board’s, especially non-executives’, relationship with senior risk managers in the organisation. These relationships helped ensure that discussions at board level were supported with all necessary data, as well as allowing NEDs to metaphorically ‘kick the tyres’ (executive director) of the organisation in relation to its risk policies.

3. Suggestions for practice

This section provides some suggestions that boards and policymakers may wish to consider so as to improve their practice. All the suggestions have come from the participants and reflect practices that they have put into place and which have been proved to work.

3.1 SUGGESTIONS FOR BOARDS

3.1.1 Integrating risk and strategy

1. Place risk in a positive context. Consider the potential for outcomes to be better, as well as worse, than expected, making it clear when you are talking about opportunities and risks. If necessary, avoid using words such as risk if they have a negative meaning in your organisation; eg consider alternatives such as ‘volatility’ and ‘uncertainty’.

2. Integrate your strategy and risk decisions. When setting your strategy and business objectives, consider the potential for better or worse-than-expected outcomes from the outset.

3. Boards should adopt the 75:25 rule. Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities. Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities and competencies in areas such as finance and risk management.

4. It may be instructive for boards to reflect on the relationship between risk appetite and strategy when reaching decisions about both. Section 2.2 indicated that it is often unclear whether risk appetite should come before or after strategy (a ‘chicken and egg’ situation). Consider whether the board’s risk appetite determines strategy, or whether decisions about strategy lead to how the organisation frames its risk appetite.

3.1.2 Deriving value from risk management

1. Compliance and a ‘tick box’ approach may be the correct approach to take to certain elements of risk governance. Nonetheless, boards should be aware of the limitations that a ‘compliance mind-set’ may place upon their ability to exploit opportunities by taking risks.

2. Boards should be mindful of the interrelationship between the embeddedness of risk in the discussions and decisions of the board, and its embeddedness in the organisation itself. This emphasises the importance of the ‘tone at the top’ set by the board and of efforts of board members to ‘test the temperature’ of what is happening in practice in the organisation.

3. Boards should recognise that, in managing significant risk events, it is possible to enhance, not just preserve, the value of the organisation, for example in managing reputational risk. Significant events, mishaps and failures can also be used as prompts for testing the risk appetite, and the resilience of the risk framework and governance structures, of an organisation.

4. Boards are being held more accountable by a wider range of stakeholders than in the recent past. Being clear and transparent about how the board manages risk, and communicating this externally, is important for every organisation, including those in less-regulated sectors.

3.1.3 Delivering RI-SKeet

1. Identify gaps in RI-SKeet by employing board reviews that align strategic risks with the output of those reviews, and where necessary include annual training that ensures that members of the board remain risk-relevant with bespoke training for each of the members of the board.

2. ‘Kick the tyres’. All NEDs should get out into the business to understand it. Think about spending time in social environments within the business – the tea room, the canteen – where much more can be picked up qualitatively than is presented to boards in their meeting packs.

3. Use awaydays in order to improve RI-SKeet. They should be an impetus within the boardroom for the development and improvement of understanding of organisational risk exposure. The use of scenarios that are facilitated independently from the board, and executed with the business strategy and current strategic exposures in mind, will focus attention on exposures much more than a monthly RAG (Red, Amber, and Green) traffic-light rating.

4. The owner-manager, as the ‘Swiss army knife of risk’ within their SME business, should identify the ‘killer issues’ to their business and ensure that they actively acquire appropriate RI-SKeet to address these issues. This may include using external risk specialists to support them.


3.1.4 Managing and enhancing board risk discussions

1. NEDs should consider the adoption of an ‘in camera’ session before and/or after board meetings. These sessions allow NEDs to meet without the presence and influence of the executive team to create a safe zone for the candid discussion of risk. This can be enhanced further by allowing NEDs to meet with representatives of the risk and independent oversight functions during ‘in camera’ sessions, to ensure that the tone at the top reflects the tune on the shop floor.

2. All papers going to the board should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business. This provides visible anchor points for discussion of the strategic risk-reward equation.

3. In the process of horizon scanning, the board should consider requesting a ‘deep dive’ analysis of a number of the key strategic risks for scrutiny during away days with a dedicated risk focus. This will reduce the information burden on the board while ensuring that the reporting of information is tailored to the needs of the decision makers. ‘Deep-dive’ analysis can also be performed through audit and/or risk committees.

3.1.5 Executive and non-executive dynamics

1. Create a critical space for risk debate by encouraging constructive challenge. Boards should be aware of the possibility of apparently benign risk environments leading to complacency in the boardroom.

2. Unified responsibility does not necessarily mean unified roles at board level. NEDs should maintain a degree of separation from day-to-day risk taking activities, enabling them to carry out their role as ‘critical friends’ to the executive and senior management.

3. Boards should ensure they structure, and make use of, their committees (eg risk, audit) in a way that best supports the board’s decision making on strategic risks while not delegating their accountability. Established lines of communication between the board, its committees, and the risk specialists supporting those committees, should be clear and transparent.

3.2 SUGGESTIONS FOR POLICYMAKERS

The participants showed that policymakers can have a significant influence on board-level risk-management conversations and practices. Often this influence is positive, but care is needed to move board activities in the right direction.

1. Policymakers should revisit their risk mind-set: risk is not bad in itself and opportunities are never certain. Rather than considering risk management as a device for increasing certainty, it should be considered as a means for achieving ever more positive outcomes. Risk management should help an organisation to create value, as well as to protect it.

2. Always encourage boards to make links between strategy and risk. Potential risk exposures, along with the ability of an organisation to manage these exposures, should be considered as part of strategy setting. Risk management should not be a bolt-on activity after the strategy has been determined.

3. Recognise the difference between separation and segregation. Boards, and especially non-executives, need to maintain a degree of independence, but that does not mean they should be kept apart from the people within the organisation. Boards should understand


and steer the culture of an organisation so that it promotes an appropriate balance between risk and control.

4. Culture, including risk culture, is still an ambiguous concept for many. Policymakers may wish to facilitate best practice sharing as well as provide more guidance on what culture means in the context of risk management and how boards may lead in setting the right risk culture.

5. Policymakers should be mindful of the effect (and potential benefits) that the work they do in more regulated sectors can have on (and for) the behaviour of boards in less regulated sectors.

6. Use failures as feedback. Help organisations to learn the lessons from past failures. Use this information as feedback to assist organisations in improving their approach to understanding and dealing with risk.

Questions for reflection

Organisations and their boards may wish to reflect on the following questions, which may help benchmark their board-level risk-management activities.

1. How often does your board review and enhance its risk-management activities?

2. Does your board consider, from the outset, the risk implications of different strategic options, ie as a key component of strategy creation? How are these options and their associated risks presented to the board?

3. Where is your board on the principled–prescriptive spectrum? What are the strengths and weaknesses associated with your board’s position and do you need to consider becoming either more principled or more prescriptive?

4. How do you review the diversity of risk intelligence, skills, knowledge, experience, education and training (RI-SKeet) across the board? How do you address any gaps in RI-SKeet?

5. How often do you consider the composition of the board, and its RI-SKeet? Do you review composition and RI-SKeet when changes, or proposed changes, to the strategic direction of the organisation are being considered?

6. Do you create a safe-zone atmosphere for the discussion of risk-management issues? Are board members encouraged to challenge the status quo?

7. Are board members, and NEDs in particular, encouraged to get out into the organisation and to understand its people and culture?

8. Do NEDs act as critical friends to the executive and wider senior management team – helping them to exploit opportunities and avoid losses?

9. How much time do you devote to risk management at board meetings? Are opportunities to discuss risk management provided outside formal board meetings?

10. How effective are the board’s subcommittees in enabling the board to focus on strategic risk-management issues?

4. Conclusion

‘Boards are responsible for setting strategy and fundamental to that is this understanding of risk versus reward. So, if we sit in this direction, what are the potential risks? What’s the reward? Obviously in formulating that kind of cohesive strategy you need to have a really good grasp of that. So, to me it’s kind of fundamental to the core function of a board for it to have… a good appreciation and understanding of risk management. That’s kind of response number one’ (executive director).

The effective governance of organisations requires boards to fulfil a wide range of responsibilities and it is often hard to balance these during time-limited board meetings. One solution is to recognise the fact that many of these responsibilities are connected, especially those related to strategy and risk, as indicated by the above participant.

The research shows that while many boards are taking steps to connect their strategic and risk-management responsibilities, there does not appear to be one best way to achieve this. Rather, a diversity of practices exists, each with different strengths and weaknesses. It is possible, however, to situate these practices, to a degree, via what is termed above the ‘principled–prescriptive spectrum’ (see section 2.1.2 above):

• Organisations and boards that adopt a more principled approach are likely to make more connections between strategy and risk, but these connections may not be very explicit and are often unstructured. Failure to make such connections can lead to inconsistent decision making and the pursuit of opportunities without the proper consideration of downside outcomes.

• Organisations and boards that adopt a more prescriptive approach tend to view risk management as a device for internal control and, to the extent that connections are made between strategy and risk, their focus is on risks to objectives. This can make it harder to exploit opportunities, but risk-management activity is more structured, meaning that ‘downside’ outcomes may be better controlled.

Whichever approach is adopted between the two extremes, effective strategic-level leadership is not necessarily about achieving greater levels of certainty; it is about being able to exploit any uncertainty that may exist to the advantage of the organisation and its stakeholders. Risk-management tools such as risk reports, risk appetite statements and managing the cultural aspects of risk taking can be used to help support this, as much as they can be used to mitigate losses.

Perhaps unsurprisingly, this research also shows that the primary driver for much board-level risk-management activity is compliance. Legislation, regulatory requirements, corporate codes and professional codes of conduct were regarded by many participants as having a direct effect on attitudes and practices in relation to risk management. This may be a double-edged sword; on the one hand ensuring that boards are engaged in risk management, but on the other promoting a tick-box approach. What may help here is a greater emphasis on the other benefits of risk management, for example in mitigating reputational effects, improving efficiency or the exploitation of opportunities.

As regards the mix and composition of board skills, having board members who are risk-management professionals can be helpful, as are internal and external

29
Risk and the strategic role of leadership | 4. Conclusion

From this research it is clear


that there is already much
good risk-management
practice, but this practice needs
to be shared more widely and
in an open-minded way.

risk management specialists who support boards. Nonetheless, it would seem that even more
important is fostering a diverse range of risk intelligence, skills, knowledge, experience,
education and training (RI-SKeet) across the board. Boards operate as a collective
intelligence: no one board member can possibly know everything there is to know about risk
management or the various risks and opportunities that may affect the strategy and governance
of an organisation. The more diverse the types of RI-SKeet among the board members, the better
prepared organisations will be both to avoid and mitigate the downside of risk events and to
exploit potential opportunities.

It is therefore important to ensure that a board maximises its RI-SKeet potential. Backward
looking, static and/or lengthy risk reports do not help here, but equally significant is the
creation of a safe-zone atmosphere where boards are free to discuss risk issues in an open and
constructive way. This may include encouraging board members to ask ‘dumb’ questions,
challenging the status quo by playing devil’s advocate or considering extreme risk events or
control failures. Finding ways to explore risk-management issues outside time-pressured board
meetings can also be important, for example by organising board away days.

Finally, it was plain that, while boards may have shared responsibilities, this does not mean
that board members all share the same roles. Participants explained that the role of the
executive is to ensure that the organisation’s strategy is implemented and that the board, and
NEDs in particular, assure that the implementation is effective and consistent with the agreed
strategy. In this context, the board provides a critical space for discussions about strategy
and risk, with the NEDs acting as critical friends to the executive and wider senior
management team. In performing this critical friend role, NEDs are able to step back and see a
bigger picture. As a result, they are better able to use their RI-SKeet to ‘horizon scan’ for
emerging opportunities or losses and so guide executives/management in the most appropriate
way. They may also help to constrain both over-exuberant and too-timid risk taking.

Are boards ready for the challenges of today, as the strategic environment becomes ever more
complex and interconnected and regulation only ever seems to increase? Can they exploit the
opportunities that come with change, while at the same time mitigating any associated
potential loss events? From this research it is clear that there is already much good
risk-management practice, but this practice needs to be shared more widely and in an
open-minded way. It is for organisations to select the practices that best suit their needs.
It is hoped that this report will help boards to learn from the experiences of a wide range of
organisations to enable them to continue to future-proof their activities.

Project methodology

The findings from this report were drawn from 30 semi-structured interviews conducted
with non-executive and executive board members from a wide range of organisations.

Table 2.1 provides an overview of the 14 executive and 14 non-executive participants in this
project, plus two board-level consultants. Participants came from both large quoted (eg FTSE
100 and 250) companies and SMEs and included people from both for-profit and not-for-profit
organisations, including charities and social enterprises. A significant number of the
participants, especially the non-executives, had current experience of multiple organisations,
so in fact information on experience of board-level risk-management activities in
approximately 60 different organisations was collected.

All interviews were conducted on the phone via conference call facilities and were recorded,
allowing for each interview to be transcribed for subsequent analysis. In most cases
interviews were conducted by two, occasionally three, of the researchers to help control for
interviewer bias and to ensure that each interview was as complete as possible.

To improve robustness further, the draft findings from the interviews were presented to two
focus groups in November and December 2017. These focus groups consisted of risk-management
experts and industry association representatives.

Data limitations, especially for private companies, make the precise calculation of the split
between SME and larger organisations complex. A search based on publicly available information
indicated that the participants have been involved in, approximately, a total of 7 FTSE 100
and 10 other quoted (eg FTSE 250, 350 and AIM) companies. In addition a total of 17 private, 8
partnership and 15 not-for-profit entities were represented. The remainder were a variety of
other organisational forms (eg networks, members’ associations and employee-owned firms).

To manage the effects of cross-cultural biases and different regimes for corporate governance
and risk-management regulation, the research focused on UK-based organisations (though a
number were multinational in focus). The researchers would encourage organisations, boards and
researchers in other countries to build on this research and explore the risk-management
activities of boards based in their countries. The expansion of this research would create
further opportunities for sharing good practice.

TABLE 2.1: Overview of participants

| ROLE | NUMBER | SECTORS | LARGE/SME SPLIT (Approximate) |
|---|---|---|---|
| CEO | 5 | Banking; Consulting; Housing; Investment; Trade Association | 40%/60% |
| Other executive | 9 | Consulting; Financial services; Hotel; IT; Manufacturing; Property; Public services; Retail | 70%/30% |
| Non-Executive (including one or more appointments as board chair) | 7 | Aerospace; Charity and voluntary; Commercial property; Government advisory; Hospital; Investment; IT; Housing; Insurance; Legal services; Manufacturing; Pensions; Religious; Retail; Social Enterprise; Telecommunication; Transport | 60%/40% |
| Other non-executive (including one trustee) | 7 | (shared with the Non-Executive row above) | (shared with the Non-Executive row above) |
| Board consultants and NEDs | 2 | Board advisory services; Education; Insurance | 0%/100% |

[Pie chart of participants by role: CEO 17%; Other executive 30%; Non-Executive 23%; Other non-executive 23%; Board consultants and NEDs 7%]


Author biographies

Dr Simon Ashby is Associate Professor of Financial Services at the Plymouth Business School
(www.plymouth.ac.uk/schools/plymouth-business-school). Prior to this he worked as a
financial regulator for the UK Financial Services Authority (writing policy on risk management)
and a senior risk manager in a number of UK financial institutions (covering both credit and
operational risk).
Simon has a PhD in corporate risk management and has published many academic papers
and industry reports in the discipline. His current research interests include board-level risk
management and risk governance; cyber risk management; risk culture; and the reputational
effects of operational risk events.
Simon is a fellow and former chairman of the Institute of Operational Risk
(www.ior-institute.org) and a non-executive director and audit and risk committee chair of
Plymouth Community Homes (www.plymouthcommunityhomes.co.uk).

Dr Cormac Bryce is an assistant professor of risk at the University of Nottingham within its
Business School, and is a member of the Centre for Risk, Banking, and Financial Services. His
multi-method research spans from human behaviour in financial organisations to the effect of
regulation on organisational behaviour within the aviation and financial services industry.
Cormac’s recent research focus has been grounded in the areas of error-reporting climate and
the effects of risk events on the market sentiment of financial services organisations.

Dr Patrick Ring is a qualified solicitor who, before entering academia, worked in the
corporate area of private practice, later working as a lawyer with a large life assurer for a
number of years. He is currently a senior lecturer in financial services in the Glasgow School
for Business and Society at Glasgow Caledonian University. Patrick is a member of both the
Chartered Institute of Securities and Investment and the Chartered Insurance Institute, as well
as an associate of the Pensions Management Institute.
Patrick’s teaching and research interests include financial regulation and compliance;
operational risk management and culture in financial services; trust in financial services;
pension policy and reform; and the retail financial advice sector.

PI-RISK-STRATEGIC-LEADERSHIP

ACCA The Adelphi 1/11 John Adam Street London WC2N 6AU United Kingdom / +44 (0)20 7059 5000 / www.accaglobal.com
