Risk and the strategic role of leadership
About ACCA

ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants, offering business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management.

ACCA supports its 200,000 members and 486,000 students in 180 countries, helping them to develop successful careers in accounting and business, with the skills required by employers.

ACCA works through a network of 101 offices and centres and more than 7,200 Approved Employers worldwide, who provide high standards of employee learning and development.

Through its public interest remit, ACCA promotes appropriate regulation of accounting and conducts relevant research to ensure accountancy continues to grow in reputation and influence.

ACCA is currently introducing major innovations to its flagship qualification to ensure its members and future members continue to be the most valued, up to date and sought-after accountancy professionals globally.

Founded in 1904, ACCA has consistently held unique core values: opportunity, diversity, innovation, integrity and accountability.
Foreword

How often, as we glance through the news headlines, do we see another corporate failure and wonder – where was the board?

Risk and risk management have always been at the heart of concerns about leadership. In this report, we explore the role of boards in the risk management of the organisations they lead.

Following the global financial crisis in 2007-8 the focus on risk and risk management has intensified. Today there is an abundance of literature as well as legislative and regulatory requirements. Risk and risk management regularly feature on the board agenda, irrespective of sector.

Yet remarkably less is known of the reality of day to day practices among executives and board members. We know little about how boards are truly integrating risk discussions into strategic decision making, as well as the skills and experience they have in managing risks to deliver business goals, and where there may be gaps.

This report suggests there are different approaches to risk management in practice, each with their own respective strengths and weaknesses. It also suggests that there is some way to go to integrating strategy and risk decisions effectively, and many conversations on risk appear to focus on the downside rather than upside. Perhaps we should ask a different question – how can boards better exploit the opportunity implicit in risk and uncertainty to drive better business outcomes?

We hope that this report provides useful insights for both boards and executives to reflect on emerging good practice. Policy makers too may also benefit by reflecting on these findings in the light of recent developments.

The next phase of our work on risk will go on to consider how organisations embed effective risk management across the business.

Maggie McGhee
Director of Professional Insights
ACCA
Executive summary
Boards have always been involved in the management of risk. Without appropriate risk taking,
organisations cannot exploit the full range of strategic opportunities that are available to them,
nor can they hope to protect themselves from less positive outcomes.
Equally, the governance and internal control roles of boards are closely connected with risk management. Effective risk assessment, reporting and control help to enhance a board’s governance and internal control activities, reducing the probability that an organisation may deviate from its stated objectives and so fail to meet the needs of its stakeholders.

What is less clear is how board-level risk management discussions and practices are changing and developing, especially in relation to the complex and dynamic world that characterises the early 21st century. Changing technology, such as the growth of cloud computing and social media, creates opportunities for returns as well as losses, as do the major political and economic changes associated with events such as Brexit, the election of President Trump in America, or the global financial crisis of 2007–8.

The purpose of this ACCA research project was to discover what boards are talking about and doing about risk management, and the challenges that they face in ensuring the effectiveness of these activities. In particular, this project explored how boards are integrating their discussions about strategy and risk, along with how their risk-management skills and experience are developing. The project also investigated the challenges that boards face in performing their risk-management roles and how the roles of the executive and non-executive director are evolving: even on an Anglo-Saxon style unitary board it is possible that differences may emerge.

The intention is to shed light on, and learn from, current practice, and to share examples of good practice where possible. It is for organisations and their boards to decide which of these practices are relevant to them, as part of their efforts to ensure that board level risk-management conversations and practices are as ‘future-proof’ as possible.

The project is based on:

• 30 interviews with practising executive and non-executive directors (NEDs) from a broad cross-section of organisations;

• two focus groups consisting of a number of risk-management professionals; and

• ACCA’s Global Forums, with particular thanks to the Global Forum on Governance, Risk and Performance.

The research shows that board-level conversations and practices are varied and that this variation does not necessarily reflect the nature, scale and complexity of an organisation’s activities. It shows, however, a wide range of good practice across both larger and smaller organisations in a range of for-profit and not-for-profit sectors.
Risk and the strategic role of leadership | Executive summary
Key findings include the following.

• Board-level conversations and practices in relation to strategy and risk management take place along a spectrum, with those of many boards being nearer to one end of the spectrum or the other (although a few display features from across the spectrum). The extremes of the spectrum can be characterised as:

  o the Principled approach, where discussions about risk are more likely to focus on the exploitation of upside opportunities, and connect strategy and risk in an implicit and unstructured way, potentially leading to inconsistent risk-management decisions, and

  o the Prescriptive approach, where risk-management activities are much more formalised and consistent, but with a high degree of focus on internal control which may mean that strategic opportunities are missed.

• Boards are still finding it hard to understand and address softer factors, such as culture and risk appetite. Often, this is because of a lack of clear information and difficulties in connecting them to organisational performance.

• Regulation and compliance remain key drivers for board-level involvement in risk management. Nonetheless, some organisations are increasingly aware of the strategic benefits of risk management in helping them to exploit opportunities and so exceed their stated objectives.

• A high level of diversity in boards’ risk skills, knowledge, experience, education and training helps to develop a collective consciousness that allows a board to identify changes in risk exposures and respond appropriately.

• Factors such as lengthy risk reports and insufficient time devoted to risk management at board meetings create significant challenges for board-level risk-management activities.

• NEDs walk a delicate line between participation (ensuring that tasks are performed) and oversight (providing assurance that tasks have been performed within the agreed parameters). NEDs need to understand the organisations that they are a part of and participate in strategic decision making, but their ability to step back from day-to-day pressures and their experience in other organisations allows them to perform a ‘critical friend’ role, helping to restrain over-confident executives or encourage overly cautious ones. A unitary board should not mean that all board members need a single perspective.

The report also makes a series of recommendations for organisations, their boards and for policymakers. In particular, the report reflects interview participants’ (hereafter ‘participants’) concern that risk and risk management are not always viewed in a positive way. Risk may bring with it the potential for losses, but it also offers the potential for opportunity. Today’s board has a key role to play here, helping its organisation identify and exploit opportunities, which is as much a part of maximising the long term sustainable performance of the organisation as overseeing the mitigation of threats.

Disclaimer

Though funded by ACCA, this research project was conducted by independent university academics. The findings from this project reflect the views of the participants and are not necessarily those of ACCA or its staff and members.
Contents
1. Introduction
1.1 Uncertainty and change: how are boards responding to risk-management challenges?
1.2 Connecting the dots: strategy, governance, performance and risk management
1.3 Research aims, objectives and approach
2. Findings
2.1 The role of the board in risk management
2.1.1 Strategy governance, performance and risk
2.1.2 The principled–prescriptive spectrum
2.1.3 Risk appetite and setting parameters
2.1.4 Culture, communication and risk
An SME Perspective
2.2 Drivers for board involvement in risk management
2.2.1 Regulation and compliance – requirements and influences
2.2.2 Oversight: reputation and emerging risks
2.2.3 Strategy – value creation, risk appetite and the pursuit of opportunities
2.3 Board skills and experience
2.3.1 Board diversity – Risk skills, knowledge, experience, education and training (RI-SKeet)
2.4 Barriers to board involvement in risk management
2.4.1 Cognitive impediments
2.4.2 Social obstructions
2.5 Executive and non-executive convergence and divergence
2.5.1 The role of the board
2.5.2 The ‘critical friend’
2.5.3 Different perspectives and board dynamics
2.5.4 Risk discussion at board level – the critical space
2.5.5 Committees and risk managers
4. Conclusion
Project methodology
References
Author biographies
1. Introduction
1.1 UNCERTAINTY AND CHANGE: HOW ARE BOARDS RESPONDING TO RISK-MANAGEMENT CHALLENGES?

Organisations in the 21st century are facing high levels of complexity and uncertainty. Whether it is from the effects of global warming, developments in cloud computing, social media or political change and the potential for less liberal trading environments, the number of ways in which organisations can trip up only ever seems to increase.

In the face of this increased complexity and uncertainty, the temptation for boards is to become more conservative and risk averse in an attempt to create certainty. In practice, boards that choose to do this risk missing out on significant potential opportunities for their organisations and stakeholders. Worse still, they risk losing ground to entities with more innovative and entrepreneurial boards that are better able to steer their organisations towards the opportunities on offer. Choosing the ‘safe’ option can be a risky strategy in itself, as illustrated by companies such as IBM, which failed to capitalise on the personal computer, and Kodak, which, despite developing the digital camera, chose not to market it.

Corporate governance codes and standards are also changing. In the US a major revision of the COSO Enterprise Risk Management (ERM) Guidance was completed in 2017 (COSO 2017). In the UK, revisions to the Corporate Governance Code were released for consultation in December 2017 (FRC 2017). In both cases, a closer relationship between the strategic-management and risk-management roles of the board has been proposed. In addition, there is a greater emphasis on ‘softer’ considerations, such as the culture of an organisation.

External events such as technological developments, regulatory change or public scandals are easy to observe. It is, however, much more difficult to see how boards are responding to the risk-management challenges presented by these events.

The purpose of this research project was to investigate how boards understand their role in relation to risk management today. Specifically, the aim was to explore how boards satisfy their oversight responsibilities and evaluate their effectiveness, and whether boards view risk management simply as a tool for reducing risk and increasing certainty, or whether risk management and strategic management are integrated to support innovation and the pursuit of opportunities.

Another concern is how boards understand concepts such as culture (including risk culture) and risk appetite. Further, the research explored what, if any, barriers exist to prevent boards from having effective risk-management conversations, as well as board members’ perceptions of the roles of executives and non-executive directors in relation to risk management.

The intention is not to find fault with or criticise current risk-management practices. The researchers know personally the challenges that board directors can face in navigating a path that both creates value for stakeholders and ensures that an organisation can remain viable into the long term. By learning from the current practice of boards, and the views of executive and non-executive directors, the intention here is to highlight where boards have got to in the ‘journey’ to evermore successful value creation.

Finally, this report highlights areas of good board-level risk-management practices, and provides insights that boards can use to enhance their practice further. The report also provides recommendations for policymakers, to assist in the spreading and adoption of good practice as well as highlighting areas that call for more guidance.

1.2 CONNECTING THE DOTS: STRATEGY, GOVERNANCE, PERFORMANCE AND RISK MANAGEMENT

‘One of the greatest benefits the board can bring to its management is to declare itself open to the discussion and the possibility of risk’ (consultant).

Risk management is often viewed as an internal control activity, protecting organisations from harmful events such as fires, employee misconduct or reputation-damaging scandals. From this perspective, risk is a bad thing for organisations, something to be assessed and limited as much as possible. To the extent that risk is tolerated, it is done so only because it is an inescapable part of ‘core’ activities such as manufacturing processes, marketing or service delivery.

This report does not challenge this perspective or existing corporate governance frameworks in this regard. Organisational scandals from Enron to Barings, Barclays and VW have all highlighted the significant damage that
can be associated with weak governance, culture and control. Risk management provides tools that organisations can use to help identify and reduce the probability and impact of such damage.

On the other hand, neither does this report endorse one particular perspective or another. While risk management can help a board to control risks that may threaten the achievement of the organisation’s strategic objectives, it is also important to recognise the speculative dimension of managing risk, especially when dealing with the strategic-level risks that may occupy the attention of a board. As participants discussed, risk comes with the opportunity for returns, and even seemingly adverse events such as regulatory change or political uncertainty can create opportunities that may be exploited.

Equally, highly strategic risks, such as the development of a new product or market, or an acquisition or merger, very clearly combine a range of positive and negative outcomes. In such situations, some boards and organisations may prefer to use terms other than ‘risk’, such as ‘volatility’ or ‘opportunities and threats’ or ‘managing opportunity’. Nonetheless, the fact remains that exploiting opportunities is as much part of risk management as controlling downside outcomes, as participants consistently pointed out.

1.3 RESEARCH AIMS, OBJECTIVES AND APPROACH

The aim of the project was to explore current practice in board-level risk-related activities and to make recommendations to help improve the readiness of boards for the strategy, risk and governance challenges.

The specific objectives were as follows.

1. To explore how boards have developed and perform the following roles in practice:

  a. strategic risk management and decision making (seizing opportunities, avoiding inappropriate strategies, managing risks to strategic objectives, as well as enabling boards to prepare for disruptive, non-routine and reputational issues, such as ‘black swan’ type risks)

  b. oversight of risk-management effectiveness (formal aspects of internal control)

  c. communicating their approach to risk management, and

  d. managing and embedding appropriate culture (including risk culture).

2. To understand the factors (eg regulation, stakeholder pressure, improvements to strategic decision making) that have encouraged boards to perform the above roles.

3. To determine whether boards have the skills, experience and training necessary to fulfil their risk-management roles, in increasingly complex risk environments.

4. To investigate other barriers that may prevent boards from performing their risk-management roles (eg lack of skills within the risk function, silo-based risk management, complex organisational structures, lack of data).

5. To examine whether there are areas of convergence and divergence in the roles of NEDs, executives and risk specialists in relation to the above.

In exploring board-level risk-management activities and in providing recommendations for good practice, the intention is not to complicate the role of boards. What works for one board and organisation may not for another. Trying to fit every board and organisation into a specific theoretical approach can be a thankless task; best practice can vary according to the nature, scale and complexity of an organisation’s activities, as well as its culture, competencies and resources. Consequently, this report does not intend to replace existing theoretical frameworks by proposing any new frameworks or risk-management tools.

Instead, the aim was to conduct the interviews objectively without a specific theoretical or conceptual agenda. This report intends to find out how board members understand their risk-management role and make use of risk-management concepts and tools, and how they perceive the challenges that they face in performing their risk-management duties.

Resulting suggestions for practice (Chapter 4) are based upon what the participants said about things that they have done that have worked and those that have not worked. It is for the readers of this report to select the ideas and activities that may work for them or their organisation.
2. Findings
The next five subsections present the findings for each of the research objectives. The first of these was to explore the various roles that boards may perform in relation to risk management.

2.1 THE ROLE OF THE BOARD IN RISK MANAGEMENT

‘The role of the board is oversight of the company’s strategy and performance, in general and, therefore, the question of risk is a key element of strategy. So, assessing the risk implications of strategy, discussing risk appetite, understanding the elements of risk and where they sit in the organisation, and overseeing the process by which risks are monitored and managed and mitigated through the organisation’ (non-executive director).

2.1.1 Strategy governance, performance and risk

The above quote reflects the prevailing view of the participants as to the role of the board in risk management. All the participants emphasised the oversight role that boards have, a role highlighted in the UK Corporate Governance Code and many other governance codes worldwide.

The quote also highlights that although strategy and risk are connected, the relationship may sometimes be a linear one: the desired strategy is determined first, and then the risks that may arise from this strategy and its implementation are considered. In this context, strategy is the mechanism for creating value and risk management exists to help protect the value-creation process from negative events. This linear approach is reflected in the quote below from an executive director of a large listed company:

‘I think strategy is decided at some point... And once you’ve agreed that, then you say right, okay, for us to get there, that is not going to be easy, and yes, there are risks associated with that, and that each of those risks, here is the impact, and here is where the impact is going to be. And then it’s a question of “how do you manage it?”’ (executive director).

The quote highlights a potential issue with an overly linear approach to strategy and risk. In taking this approach, risk is generally viewed in terms of the probability and impact of loss, so the focus is on the minimisation of risk associated with downside possibilities. Viewing risk as ‘bad’ means that the potential for better-than-expected outcomes may be overlooked. It may also foster high levels of risk aversion in boards, a problem that was identified by a number of the participants in both large and SME organisations. The consequence of this approach is that innovations may be missed.

‘In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector’ (non-executive director).

Even where risk is viewed more positively, there remains a danger that its significance is underestimated or that strategic-level risks are not viewed as risks:

‘...it’s very easy to say, “yes, we’re doing this… but we don’t need to consider risk because it is just a strategic direction and we know there will be risk in that”. Actually you do need to take that step back of formally considering the risk in order to get the benefits of the risk management in there. ...quite often people think, actually, yes, we deal with risk every day, and, therefore, we don’t actually need to focus on specific risk management; and that’s a bit dangerous’ (executive director).

In a small number of organisations strategy and risk were integrated to a much greater extent. The directors of these organisations indicated that their boards considered the risks associated with choosing or not choosing specific strategic options at the strategy setting phase, as well as the organisation’s risk-management competencies and capabilities.

Such discussions were not necessarily structured in a formal way, nor did they tend to use terms such as ‘risk’ or ‘risk management’. Despite the relatively unstructured nature of their approach, these boards were more likely to exploit opportunities even when faced with seemingly adverse events, such as the economic consequences of the EU referendum, the election of President Trump and his America First agenda or government welfare changes.
[Figure: the principled–prescriptive spectrum (1). Principled approach: holistic outlook; outward looking; risk framed as ‘what is the board comfortable with’; risk communication = ‘do as I do’; risk integrated into a bigger discussion; less likely that risk is a formal agenda item. Prescriptive approach: compliance outlook; inward looking; risk as exposure in relation to risk appetite; risk communication = ‘do as I say’; risk discussed through a granular bottom-up reporting process; risk is a formal agenda item.]

1 The terms ‘principled approach’ and ‘prescriptive approach’ came from the study participants. At its extreme, the prescriptive approach is intended to capture an approach focused exclusively on risk compliance and procedures. On the other hand, the principled approach is intended to reflect an approach that, at its extreme, focuses on the ‘in-principle’ business objectives of a board to the exclusion of explicit risk-management compliance and procedures.
In contrast, participants warned that boards following an extremely principled approach may make inconsistent decisions and may pursue upside opportunities at any cost, exposing an organisation to excessive amounts of risk. There is also the danger that boards that appear to adopt a principled approach are not actually discussing risk and risk management in a sufficiently explicit way. It suggests that an appropriate balance must be struck.

‘When you start to scratch away from the surface, you hear, “actually, no, that did go wrong”, or “actually, yes, we didn’t consider how these risks link together”… there’s almost like a sort of bravado that you often hear about: “of course, we do this stuff”. But it’s the question of when should you have more explicit and formal consideration of risk: at what junctures will that add value?’ (Focus group member).

It should be emphasised that while boards following a principled approach were more likely to make connections between strategy and risk, this does not guarantee that they will make successful connections. Equally, boards following a prescriptive approach may be just as capable of connecting strategy and risk and when they do so are likely to make more considered and consistent decisions. Each type of organisation has to work to overcome its own limitations in this regard. ‘Principled approach’ boards should guard against excessive opportunism and inconsistent risk-management decisions, and find ways to anchor their discussions, linking back to the organisation’s risk appetite statement, for example. In contrast, prescriptive approach boards should avoid focusing too closely on internal controls, as this may cause excessive risk aversion and a failure to exploit value-enhancing strategic opportunities.

2.1.3 Risk appetite and setting parameters

One concept that can help to improve the decision-making consistency of more principle-oriented boards, and help to overcome the negativity associated with the prescriptive approach, is risk appetite. Most of the participants used the concept in their organisations to some degree, although it appeared that there was little agreement on how to express this in a quantitative way. Often risk appetite might be expressed qualitatively in terms of risks that organisations might want to take or avoid, or less explicitly in terms of organisational values and ethics (eg attitudes towards compliance breaches, misconduct).

Participants said that a key benefit of thinking about risk appetite was to help boards set the parameters within which the executive directors and wider senior management team could operate on a day-to-day basis. This approach provides clarity about the risks that may be taken and those that should be treated with caution, as well as how risk-management activities and processes should be conducted across the organisation. Setting parameters is hard if there are no clearly defined quantitative limits: but the following comment indicates that there is readily available information to support the process.

‘So the classic thing, zero harm – we’ve got no appetite for something – it’s a complete misunderstanding of what risk appetite is. There is a wealth of metrics and information out there that you can tap into to articulate statements in a way which will actually add practical guidance to a business, and you’d be able to measure whether you’re operating within those parameters. But a lot of companies are just nowhere… they’re still doing the sort of high, medium and low, hungry-averse-type scales, which are just worthless’ (Focus group).

2.1.4 Culture, communication and risk

An organisation’s culture can have a significant effect on how people within the organisation behave and communicate with each other. This can influence the tendency for misconduct as well as how risk and risk management are perceived (eg whether risk management is seen as a business enabler or bureaucratic red-tape) and reported. Events such as the Barclays LIBOR scandal clearly illustrate such connections (Salz 2013).

On organisational culture and the specific aspects of culture related to risk taking and control (so called ‘risk culture’), participants claimed that culture was not discussed in an explicit way by most of the boards in the sample, and risk culture was hardly ever discussed or understood as a discrete concept. Outside financial services, only two boards regularly discussed culture in relation to risk and this was because one was in a people-focused business and the other had a risk director responsible for focusing on culture, and risk culture in particular.
Other non-financial services organisations Opinion was split on how communication communicated directly with a range of
only discussed culture at board level on between the board and the wider people, not just the executive, and
an ad hoc basis, for example in relation to business should be achieved. In some communication was more integrated.
major change projects, or the appointment organisations, boards communicated via Those with a top-down approach put a
of a new CEO or chair. Risk culture was the executive team and communication greater emphasis on maintaining board
not generally discussed by non-financial organisation. In contrast the boards of the financial services organisations in the sample looked at culture and explicitly at risk culture. Regulation was cited as the main reason for this.

tended to be top-down. In others, all non-executive members of the board
independence and the avoidance of it becoming overly operational.

Outside financial services, attempts to assess culture formally may have been rare, but the value of doing so was recognised by some of the participants:

‘…you’ve got to have a definition of what you think the culture is. And then you’ve got to have metrics which help you determine whether that culture, in fact, exists. And those…might involve employees’ feedback surveys, discussions with focus groups of employees... There are practical steps that boards and management take to determine whether … the culture they aspire to is, in fact, the culture that is operating in the business.’ (Non-executive director)

On the subject of communication many of the participants did make links between this and culture, and in particular the importance of an appropriate ‘tone from the top’ in relation to risk taking and control. Several of the participants also emphasised the importance of the board’s ‘talking the talk’ and ‘walking the walk’ to ensure that people within the organisation would believe that the board took the management of risk seriously.

An SME Perspective

Investigating the role of the board in strategy governance, performance and risk identified some findings specific to SMEs that are worth highlighting.

A number of participants had executive and non-executive director experience with SMEs. These directors commented that SME boards tend to be more innovation-focused and will get involved in entrepreneurial activities. They said that this is driven in part by the need for SMEs to innovate to survive in highly competitive marketplaces (as they often have less financial security or brand reputation to fall back on than larger organisations), but it was also a consequence of increased agility and the closer proximity of the board to the wider business. SME boards appeared to be able to make strategic decisions to exploit new opportunities that could be implemented quickly.

Nonetheless, it was also observed that SME boards can be more short-term and reactive in their approach, primarily because of their higher risk of failure. Formal risk management conversations were comparatively rare in participant SMEs, suggesting a more principled approach (in the sense used in section 2.1.2 above). In general, risk management was considered formally only once or twice a year, in relation to topics of regulatory significance such as health and safety.

SME board members were also much more likely to have closer communication with the wider business, and some of the SME participants with risk-management expertise were helping their organisations to drive significant improvements in practice. Participants explained that the smaller size of SMEs made it easier for board members to get to know the wider management team of their organisation. In addition, board members may possess skills that are not present anywhere else in the organisation (eg specialist knowledge of risk management) and that enable the business to be driven forward.
Risk and the strategic role of leadership | 2. Findings
2.2 DRIVERS FOR BOARD INVOLVEMENT IN RISK MANAGEMENT

This section is concerned with key drivers that participants believed were prompting risk discussions and activities in boardrooms. The responses may be, to some degree, regarded as reflecting the spectrum identified in section 2.1.2. On the one hand, a number of the motivations identified could be considered to fall within a strategic, or value creation, perspective. On the other hand, another set of motivations might be regarded as inclining more towards a regulatory governance, or value preservation, perspective. Significantly, there appeared to be an increasing recognition of the importance of board-level risk discussions.

The themes presented below are ordered according to the importance assigned to them by the participants. Regulatory drivers were by far the most cited reasons for board-level risk discussions and activities.

2.2.1 Regulation and compliance – requirements and influences

The direct impact of regulation
Legislation, regulatory requirements, corporate codes and professional codes of conduct were regarded by many participants as having a direct effect on attitudes and practices in relation to risk management. There was an acceptance that sometimes this might lead to a ‘tick box’ approach:

‘..I do think there are times when you do need to tick some boxes, by the way, because you have lists of compliance matrices that you have to follow, and you have to show that you’ve followed them, and the best way of doing that is to tick a box to say that you’ve done it.’ (non-executive director)

Nonetheless, some also recognised that adopting a ‘compliance mind-set’ reflected the more prescriptive approach to risk management outlined in section 2.1.2, a situation that may foster excessive risk aversion: ‘it’s the mind-set of actually, rather than helping us take risks better it’s about not taking risks at all’ (executive director). It was also clear that many saw the influence of regulation and regulators at work directly in day-to-day risk-management practice in areas of risk such as governance, culture and strategy. Specific examples are set out in Table 2.1.

TABLE 2.1: Examples of regulatory influence on boardroom decision making

Area of regulatory influence: Risk appetite. Boards are more conscious of their role in risk oversight.
Example: ‘The risk-appetite framework and risk-appetite statements are very much something that the board seems to feed into. We are seeing,… through regulatory pressure, to evidence more what the board are actually doing in the oversight piece’ (executive director)

Area of regulatory influence: Committee structure. Board members may not be clear as to the responsibilities of the committee versus the board.
Example: ‘If the regulator wants the board to be more collectively involved in everything,.. why make us have separate committees?’ (executive director)

Area of regulatory influence: Board member responsibility. The role of chairman in setting the culture is clear in the current regulatory framework.
Example: ‘There’s a prescribed responsibility for culture within the organisation that resides with the chairman. And our chairman is fairly conscious of ensuring that he can fulfil that...’ (executive director)

Area of regulatory influence: Horizon scanning and scenario planning. Some boards are actively using horizon scanning and scenario planning in fulfilling their oversight responsibilities. This may include the use of internally generated scans and external resources, such as risk reports by regulators.
Example: ‘There’s some really good external publications that are put out by the regulator…they’ll do a review themselves of all of the concerns and risks that they’ve identified through the course of the year…[and]…more broadly looking forward as well and thinking, what are the things that are keeping the regulator awake at night?…that’s a key document really for any kind of … audit and risk committee to be poring through and saying, right, here are the 10 risks the regulator has identified as being really key and on its mind.

‘Where do we sit against these 10 risks? What are we doing in relation to these 10 risks? Are these risks we’re aware of? We do that exercise proactively…cross-check or cross-reference to say…these are the key risks, these are the ones that appear on our register, these are the ones that don’t appear on our strategic risk register, and these are the reasons why. This is one that… we didn’t have previously as a risk. We’ve rated it here. It’s not on a strategic, [but] it’s on an operational risk register’ (executive director)
Regulatory requirements and statements influence the strategy, structures, practices and behaviours of organisations in more or less subtle ways. This is also having an effect on risk-management practices among organisations operating within less-regulated sectors. Firstly, board members who have worked in regulated environments appear to see the benefit of transposing these regulation-driven risk-management practices into other organisations.

‘I joined the board…and we also had a new chairman at the same time and we both come from working in a highly regulated environment…and we were a little surprised at the lack of risk expertise and focus on risk that we found when we joined the business so I think it’s probably fair to say that the impetus [for changing things] was driven by the chairman and then myself with the recognition that really we have to get the organisation up to speed ... around risk’ (consultant).

Secondly, there is also recognition that even in less regulated environments boards are nevertheless being held more accountable for their decisions by stakeholders.

‘In a non-regulated organisation the risk has always been there, but … I’m seeing in some of the stuff I’ve done more of a move towards, not the level of stuff that’s expected by the FCA from a regulated body, but it’s a move towards that direction, a greater scrutiny, a greater… assessment. … The concept of holding to account of directors by shareholders is out there and it’s coming with a bit of a force’ (non-executive director).

Embedding regulatory impact within organisations
Participants spoke of the increasing recognition and importance of risk, and risk management practices, at board level. This attitude, and the pervasiveness of the influence of regulation discussed above, was reflected by a number of the participants in discussing the relevance of risk culture, or their role in embedding risk awareness, in their organisation.

‘One of the things that… is generally accepted [is] that boards need to be involved in…agreeing … what the overall risk appetite of the business is. How can you do that if you don’t understand the concepts of the culture in which risk appetite is articulated and agreed, because they’re entwined with each other. They’re part of the same thing’ (non-executive director).

From a board perspective, this is important for two reasons. Firstly, and as has been a key theme of financial regulators (FSB 2014), if the ‘right’ risk culture is embedded in an organisation then this provides additional assurance to a board about the effective operation of the organisation’s risk framework. Secondly, it explains the importance that many of the participants placed upon ‘tone at the top’ and the non-executive board members’ understanding of what was happening on the ground and checking this against their experience at board level.

‘First of all, the tone has to come from the top so if your…board thinks about risk management in terms of...a compliance exercise, it will always remain a parallel process. It will never be embedded in the day-to-day work, in the day-to-day operating model of the company. And therefore it will never be part of discussion at board level’ (executive director).

The report will further discuss the importance of the board’s understanding of what is happening on the ground in the wider organisation in section 2.3.

2.2.2 Oversight: reputation and emerging risks
Governance and oversight of their organisations was often mentioned by participants when discussing the importance of risk at board level. This was often associated with compliance. Non-executives need to be assured that executives have ensured there is an appropriate risk-management framework that is operating effectively. In this context of governance and oversight, two specific drivers were mentioned consistently: reputation and emerging risks.

Board role in protecting and enhancing reputation

‘Reputation is kind of an interesting one, because it tends to be an underestimated risk by management, I think, and yet you can point to examples in the public domain where people have suffered quite badly from reputational risk or having a bad reputation for something...’ (non-executive director).
This was emphasised particularly by organisations that were customer facing, focused on ensuring they had the trust and confidence of their customers. For example, the significance of this issue for oversight and governance is apparent in the experience of the financial services sector and its efforts to gain or regain the trust of the general public after the financial crisis of 2007–8.

While discussions about reputation often took place in the context of protecting value – perhaps the more customary ‘defensive’ risk governance perspective – it was also recognised that effective management of risks to reputation could also enhance reputation:

‘And we’ve seen some of that in the last five years, I would suggest in some of the cyberattacks that have happened to major organisations. Some have handled them very badly and have upset their customers and had their reputation damaged. Others have managed it really well, really transparently and have done a great deal to enhance reputation, and in fact their share price’ (consultant).

Emerging risks and incidents
A wide range of external events (eg sectoral risk events, political and socio-economic events, media reports) were reported as common drivers for board-level discussions about risk:

‘Boards don’t know what they don’t know. So, if something happens outside that you believe will have a substantial impact on the business, the board then has to have a conversation about it’ (non-executive director).

In turn, this echoed participants’ discussion of the importance of the diversity of the board in bringing a range of (‘outside’) expertise and experience to risk discussions (see section 2.3.1 for further discussion of board diversity); of scenario planning as a tool for anticipating new or developing risks (such as cyber risk); and of horizon scanning in actively researching and examining the implications of what is happening to competitors and similar organisations, as well as in the socio-economic environment in which the business is operating.

2.2.3 Strategy – value creation, risk appetite and the pursuit of opportunities
In addition to regulation and compliance as a driver of board-level risk discussions, participants also emphasised strategic drivers. This echoes again the prescriptive-principled spectrum discussed in section 2.1.2.

What was stressed by a number of participants was the need for discussion of risk at a strategic level – not at a level of governance and oversight that dwells on risk registers and frameworks – in order to be able to take advantage of opportunities.

‘What really could unseat the strategic objectives of the business? What really are those opportunities that the business might be missing because it’s too conservative in its risk appetite. And then real discussions are not so much risks, but they are issues that affect the risk and the environment in which the organisation is trading. And it’s absolutely vital that the board has the opportunity and the education to allow them to have those kinds of discussions’ (non-executive director).

In having these discussions, participants emphasised how important it is that a clear understanding of the organisation’s risk appetite is embedded in strategic decision making. It was also suggested by some participants that this is key to acting strategically in a fast-moving environment:

‘in order for the board to achieve their strategy, people needed to be doing things differently, faster and making different decisions. So that was actually key about making sure that the risk appetite in the business or the definition of risk in the business underpins the strategy. They couldn’t do the strategy without that right risk appetite’ (executive director).

This reflects back to the discussion in section 2.1.1 concerning the relevance of risk in strategy setting.
some participants, with the latter being related on multiple occasions to a well-known large-scale hacking event in a telecommunications company.

This event provided boards with a near-miss scenario that placed cyber risk as a focal point of discussions within the boardroom. It was apparent that potential near misses (proactive) and actual losses (reactive) were extremely important in prompting explicit and strategic risk discussions in the boardroom. This emphasises the significance of such events as a driver for risk discussion (as outlined in section 2.2).

It was also clear that boards use the expertise of external and internal risk specialists in an attempt to provide RI-SKeet in areas in which they have a particular lack of expertise. While this is especially common in relation to financial misstatement risk, via the use of external auditors (the risk specialists for financial misstatement risks), it was suggested that the use of other types of risk specialists (eg cyber risk or health and safety specialists) was just as relevant for other areas.

‘Having finances misstated is a risk, and therefore [external] auditing is well known [as a means of mitigating financial misstatement risk] and everybody assumes it’s there. But doing the same on health and safety or on IT is also, to me, a logical step, if that’s one of your risks’ (non-executive director).

Risk specialists also enhance the risk-relevance of a board through facilitating the explicit discussion of risk at away-days, in which time is dedicated to strategic ‘deep dives’ of risk issues.

Case study: using external specialists to enhance RI-SKeet
In the aftermath of two publicly reported hacking incidents it was acknowledged by a manufacturing company that its board’s RI-SKeet regarding the cyber domain was weak. The board supplemented the relevant RI-SKeet by bringing in an external specialist to advise the members; during this audit, the company actually came under attack by a foreign entity attempting to steal intellectual property. It was acknowledged that had the board not been proactive in obtaining this expertise it would have been a ‘disaster’ for the company as its products could have been made available on the grey market.

These discussions are further supported through the use of scenario exercises that allow the board to understand its members’ strengths and weaknesses in prevention of and responsiveness to risk, as well as the pressure points around RI-SKeet, risk ownership, and risk appetite that require attention.

In order to ensure that boards remain risk-relevant, and taking into account the findings of skills matrices, audits and scenarios, there was an understanding from participants that training is beneficial, particularly for ‘killer issues’. Even so, this attitude was not unanimous, especially among participants in the SME sector, where risk training (whether in-house or external) at board level is less prevalent. This was articulated by one executive director, who stated that the reason there was not enough board training was because it is generally assumed that risk management is something anyone can do, because they do it unconsciously every day.

2.4 BARRIERS TO BOARD INVOLVEMENT IN RISK MANAGEMENT

This section examines the barriers that prevent a board from managing risk effectively. The research objective was to identify common barriers that can impede the functioning of a risk-sensitive board.

‘The problem with risk is that if you don’t keep it alive it will die’ (executive director).

Many participants made it clear throughout the interviews that, in order to be able to consider risk strategically, boards need to be aware of, and understand, how risk ‘lives’ in their organisation. Risk needs to be alive and visible at board level to enable meaningful discussion. Yet, the process of making risk more visible to the board is fraught with difficulties as there are multiple barriers that inhibit this from occurring.

It is evident from the interviews that the majority of these barriers fall within two categories; these are ‘cognitive impediments’, which reduce a board’s ability to make risk-sensitive strategic decisions, and ‘social obstructions’, which suppress risk-relevant dialogue in the boardroom. As shown in Figure 2.3, the board’s-eye view of the organisation becomes blurred because these barriers filter out a holistic view of the organisation. It is also important to note that the presence of ‘social obstruction’ may facilitate the creation of a ‘cognitive impediment’ and vice versa.

[Figure 2.3 (image not reproduced): the board’s-eye view of the organisation; labelled elements: 1 Risk Committee, 2 Risk Specialists, 3 Audit committee, THE ORGANISATION.]

To bring risk back into focus, the board may make use of various committees and specialists as lenses through which to see the organisation closely. However, our participants observed that the existence of these risk focal-lenses does not sufficiently compensate for the loss of vision caused by these barriers. Therefore, participants considered it important to reduce the internal barriers to increase the ability of the board to obtain a holistic view of the organisation that is grounded in knowledge and understanding.

2.4.1 Cognitive impediments

Cognitive impediment 1: Static risk data
The majority of respondents, regardless of industry or scale of operations, emphasised that the single largest impediment to a functioning, risk-sensitive board is the inability to obtain an adequate view of the health of the company through the board papers. The ability to move away from vast static risk registers that are essentially backward looking, towards a dynamic view of the real-world impact of risks on the activities of the organisation, was something that many have aspired to, but few have actually achieved, in their board’s approach to risk registers. All too often, and much to the disappointment of some participants, the use of risk registers was seen as a ‘tick-box’ exercise characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.

In an attempt to ensure that standing items on risk registers do not lead to complacency, some participants highlighted the importance of focusing on ‘emerging’ and ‘moving’ risks. This approach has three benefits. Firstly, it ensures that information going to the board remains relevant and forward-looking. Secondly, it ensures that the board does not become overly involved in operational issues arising from the risk register, as highlighted by one executive director: ‘If they start talking about the 99th risk on the register, they’re getting too much into the operational’. Thirdly, providing information on developing risk situations enables risk conversations that help to mitigate potential losses and exploit strategic opportunities.

The ability to provide a bottom-up synthesis of information that makes the invisible visible, while reducing the overburdening amount of risk information the board receives, can improve general enquiry and strategic decision-making within the boardroom.

Cognitive impediment 2: Organisational complexity
As explained by the participants, the ability of a board to make risk visible is hampered by organisational complexity. This complexity makes the setting of decision-making parameters difficult for boards. This is further accentuated by static risk data that is backward looking and potentially irrelevant to challenges the business currently faces internally and within its environment. As outlined by one participant:

‘the big complex ERM systems, which take an enormous amount of time to gather [information on], and information is providing a picture of what was, as opposed to…what is currently pulsing around you in the organisation’ (executive director).

Case study: when static data (unfortunately) becomes reality
A company was considering a large-scale IT reconfiguration project throughout its business operations. During this process, a crucial strategic decision on whether to proceed with the project was brought to the board for consideration. Given the time it had taken to implement the project, by the time the end-to-end system was fully implemented the business had changed its strategic direction and the system was no longer fit for purpose.

It turned out subsequently that the report presented to the board contained many technological terms, and detailed a combination of risks associated with the functionality that was being designed and their relevance to the changes of business strategy. When an investigation as to the cause of delay had been completed, it turned out that the board had found the report difficult to understand owing to the volume of technical terms contained. As a result, the board had been unable to consider the issues effectively and efficiently when considering the viability of the project.

Further, in the context of the ‘prescriptive’ and ‘principled’ approaches to making decisions on strategic risks outlined in section 2.1.2, it was suggested that more complex ‘principled’ organisations should have visible anchors to ensure that business critical issues are not missed, for example risk metrics and currently significant risks from the risk register.
• support and the right parameters (non-executive director)
• oversight (executive director)
• influence (non-executive director)
• critical friend (non-executive director).

The ‘critical friend’ concept captures both the support and the rigorous examination that participants expected NEDs to bring to an organisation and to the executive directors in their running of that organisation, to ensure the effectiveness of the board.

2.5.3 Different perspectives and board dynamics
The participants drew attention to the different perspectives that executives and non-executives bring to the operation and decisions of the board.

‘… the execs bring experience, detail, track record, you name it from the business. The non-executives bring dispassion … without emotional investment … the execs bring depth, then the non-executives should bring breadth and bring … to bear their experience they had from other areas’ (non-executive director).

Participants went on to suggest that the NED’s job is to provide support through constructive input and suggestions for optimising risk-management decisions, while it is the executive’s job to think of the practical solutions for the implementation of these decisions. Participants were also clear about the effect that different personalities can have on board dynamics and resultant risk-management outcomes:

‘if you’ve got some people that are really passionate about it and have the trust of the board then [they] can revolutionise the way a board looks at risk. If you haven’t got somebody [who is] passionate and [who] doesn’t really get it, then it becomes fairly piecemeal and fairly, sort of, part of what happens’ (non-executive director).

It was also noted that the stability of a particular business or industry can have an effect on the board’s approach to risk. A key concern expressed by some participants was that ‘cosy club’ type cultures can emerge in benign risk environments, leading to complacency and a lack of challenge in the board room.

‘In some businesses, where things tend to be very, very stable, the non-execs tend to be a little club, they just come in and they meet, and they go through the motions, but because the environment is stable, then they tend to be fairly tame at meetings. We’ve got completely the opposite, where they come in, they aren’t aggressive, but very challenging, simply because they recognise transformation puts the business at enormous risk’ (executive director).

Overall, participants observed that managing the mix of characters, in what one participant referred to as the ‘theatre of the board’ (executive director) was regarded as key in enabling the discussion of risk at board level. The same participant also noted how this extended to the management of board meetings themselves, especially when agendas are large, limiting discussion and challenge (see also section 2.4).

2.5.4 Risk discussion at board level – the critical space
A theme emphasised by a number of participants was the distinction between ‘ensurance’ and assurance – where the role of the executive directors is to ensure that the organisation’s strategy is implemented, and NEDs assure that the implementation is performed effectively and is consistent with the agreed strategy.

‘We very often think about the role of the board being fundamentally about the assurance in terms of safety of the overall organisation – reputation, cost of return on capital, all of those issues; and the executive is responsible for the “ensurance” of the way in which assets are deployed in the organisation, and how you have as a board a sensible, meaningful conversation about that interrelationship seems to me to be absolutely critical – it’s a critical space …’ (executive director).
A distinction was also made between executives and non-executives’ roles in the management of risk. Outside the board, executives were responsible for day-to-day risk taking across the organisation, while the board itself, and in particular NEDs, kept a degree of separation from this activity:

‘there’s a dichotomy that exists between the board table and the executives, because the executives actually are taking the risk [whereas] the board very rarely takes the risk; it’s the executives themselves who are taking that risk’ (non-executive director).

The reason for this separation was to allow the board to operate as a ‘critical space’ within which both executives and non-executives can debate and challenge at a strategic level. The ‘critical’ nature of the ‘critical space’ arises because the interactions between board members are crucial for effective risk governance. In turn, it is this space that encourages and nurtures a relationship where each non-executive can be both a ‘critical’ and a ‘supportive’ friend.

‘Their main role is to hold [me] and the group chief executive to account, and to make sure that we have got the processes and procedures in place to manage the risks that we…as the executive, …think we face. And to challenge us on our assessment of those risks’ (executive director).

Within this critical space, the importance of the safe-zone atmosphere discussed in section 2.4.2 becomes even more obvious.

2.5.5 Committees and risk managers
The discussion by participants of the relationship between the board and audit committee, risk committee, or audit and risk committee, as well as risk managers, reflected the issues already mentioned above. Participants noted the difficulty of drilling down into detailed risk issues within time-pressured board meetings, and the important role of the audit and/or risk committee:

‘the Board meeting was three hours … he [the risk manager] should really have had an hour out of that three hours, in my view, to really get to the bottom of some of these [risk] areas, [but] he was granted 10 minutes or so...So that bit there said, okay, so things aren’t happening correctly at [the] board, where should they then happen? So the audit committee, in my view, is the place where scrutiny of the [risk] areas takes place’ (non-executive director).

The risk and/or audit committee was seen to act as a filter for the board, with a more succinct discussion taking place at board level.

‘It’s a very fine filter, if you like, in that the discussions that take place in the committees, it’s really down to the chair of that committee then to distil the key points from the committee discussion to the board’ (executive director).

Nonetheless, participants noted the possibility of duplication, especially if there is both a risk committee and an audit committee and reporting lines are not clear. Outside formal reporting, established lines of communication between executive and non-executive board members, as well as between board members and sub-committees, were therefore regarded as important in enhancing the risk discussion at board level. Key one-to-one relationships that were identified included the board chair and CEO and the audit committee chair and CFO.

Participants also mentioned the importance of the board’s, especially non-executives’, relationship with senior risk managers in the organisation. These relationships helped ensure that discussions at board level were supported with all necessary data, as well as allowing NEDs to metaphorically ‘kick the tyres’ (executive director) of the organisation in relation to its risk policies.
3. Suggestions
for practice
3.1 SUGGESTIONS FOR BOARDS

3.1.1 Integrating risk and strategy

1. Place risk in a positive context. Consider the potential for outcomes to be better, as well as worse, than expected, making it clear when you are talking about opportunities and when you are talking about risks. If necessary, avoid using words such as ‘risk’ if they have a negative meaning in your organisation; eg consider alternatives such as ‘volatility’ and ‘uncertainty’.

2. Integrate your strategy and risk decisions. When setting your strategy and business objectives, consider the potential for better- or worse-than-expected outcomes from the outset.

3. Boards should adopt the 75:25 rule. Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities. Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities and competencies in areas such as finance and risk management.

4. It may be instructive for boards to reflect on the relationship between risk appetite and strategy when reaching decisions about both. Section 2.2 indicated that it is often unclear whether risk appetite should come before or after strategy (a ‘chicken and egg’ situation). Consider whether the board’s risk appetite determines strategy, or whether decisions about strategy lead to how the organisation frames its risk appetite.

3.1.2 Deriving value from risk management

1. Compliance and a ‘tick box’ approach may be the correct approach to take to certain elements of risk governance. Nonetheless, boards should be aware of the limitations that a ‘compliance mind-set’ may place upon their ability to exploit opportunities by taking risks.

2. Boards should be mindful of the interrelationship between the embeddedness of risk in the discussions and decisions of the board, and its embeddedness in the organisation itself. This emphasises the importance of the ‘tone at the top’ set by the board and of efforts of board members to ‘test the temperature’ of what is happening in practice in the organisation.

3. Boards should recognise that, in managing significant risk events, it is possible to enhance, not just preserve, the value of the organisation, for example in managing reputational risk. Significant events, mishaps and failures can also be used as prompts for testing the risk appetite, and the resilience of the risk framework and governance structures, of an organisation.

4. Boards are being held more accountable by a wider range of stakeholders than in the recent past. Being clear and transparent about how the board manages risk, and communicating this externally, is important for every organisation, including those in less-regulated sectors.

3.1.3 Delivering RI-SKeet

1. Identify gaps in RI-SKeet (risk intelligence, skills, knowledge, experience, education and training) by employing board reviews that align strategic risks with the output of those reviews, and where necessary include annual training that ensures that members of the board remain risk-relevant, with bespoke training for each of the members of the board.

2. ‘Kick the tyres’. All NEDs should get out into the business to understand it. Think about spending time in social environments within the business – the tea room, the canteen – where much more can be picked up qualitatively than is presented to boards in their meeting packs.

3. Use away days in order to improve RI-SKeet. They should be an impetus within the boardroom for the development and improvement of understanding of organisational risk exposure. The use of scenarios that are facilitated independently from the board, and executed with the business strategy and current strategic exposures in mind, will focus attention on exposures much more than a monthly RAG (Red, Amber and Green) traffic-light rating.

4. The owner-manager, as the ‘Swiss army knife of risk’ within their SME business, should identify the ‘killer issues’ for their business and ensure that they actively acquire appropriate RI-SKeet to address these issues. This may include using external risk specialists to support them.
Risk and the strategic role of leadership | 3. Suggestions for practice
3.1.4 Managing and enhancing board risk discussions

1. NEDs should consider the adoption of an ‘in camera’ session before and/or after board meetings. These sessions allow NEDs to meet without the presence and influence of the executive team, to create a safe zone for the candid discussion of risk. This can be enhanced further by allowing NEDs to meet with representatives of the risk and independent oversight functions during ‘in camera’ sessions, to ensure that the tone at the top reflects the tune on the shop floor.

2. All papers going to the board should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business. This provides visible anchor points for discussion of the strategic risk-reward equation.

3. In the process of horizon scanning, the board should consider requesting a ‘deep dive’ analysis of a number of the key strategic risks for scrutiny during away days with a dedicated risk focus. This will reduce the information burden on the board while ensuring that the reporting of information is tailored to the needs of the decision makers. ‘Deep-dive’ analysis can also be performed through audit and/or risk committees.

3.1.5 Executive and non-executive dynamics

1. Create a critical space for risk debate by encouraging constructive challenge. Boards should be aware of the possibility of apparently benign risk environments leading to complacency in the boardroom.

2. Unified responsibility does not necessarily mean unified roles at board level. NEDs should maintain a degree of separation from day-to-day risk-taking activities, enabling them to carry out their role as ‘critical friends’ to the executive and senior management.

3. Boards should ensure they structure, and make use of, their committees (eg risk, audit) in a way that best supports the board’s decision making on strategic risks while not delegating their accountability. Established lines of communication between the board, its committees, and the risk specialists supporting those committees, should be clear and transparent.

3.2 SUGGESTIONS FOR POLICYMAKERS

The participants showed that policymakers can have a significant influence on board-level risk-management conversations and practices. Often this influence is positive, but care is needed to move board activities in the right direction.

1. Policymakers should revisit their risk mind-set: risk is not bad in itself and opportunities are never certain. Rather than considering risk management as a device for increasing certainty, it should be considered as a means for achieving ever more positive outcomes. Risk management should help an organisation to create value, as well as to protect it.

2. Always encourage boards to make links between strategy and risk. Potential risk exposures, along with the ability of an organisation to manage these exposures, should be considered as part of strategy setting. Risk management should not be a bolt-on activity after the strategy has been determined.

3. Recognise the difference between separation and segregation. Boards, and especially non-executives, need to maintain a degree of independence, but that does not mean they should be kept apart from the people within the organisation. Boards should understand
8. Do NEDs act as critical friends to the executive and wider senior management team – helping them to exploit opportunities and avoid losses?

10. How effective are the board’s subcommittees in enabling the board to focus on strategic risk-management issues?
4. Conclusion
‘Boards are responsible for setting strategy and fundamental to that is this understanding of risk versus reward. So, if we sit in this direction, what are the potential risks? What’s the reward? Obviously in formulating that kind of cohesive strategy you need to have a really good grasp of that. So, to me it’s kind of fundamental to the core function of a board for it to have… a good appreciation and understanding of risk management. That’s kind of response number one’ (executive director).

The effective governance of organisations requires boards to fulfil a wide range of responsibilities and it is often hard to balance these during time-limited board meetings. One solution is to recognise the fact that many of these responsibilities are connected, especially those related to strategy and risk, as indicated by the above participant.

The research shows that while many boards are taking steps to connect their strategic and risk-management responsibilities, there does not appear to be one best way to achieve this. Rather, a diversity of practices exists, each with different strengths and weaknesses. It is possible, however, to situate these practices, to a degree, via what is termed above the ‘principled–prescriptive spectrum’ (see section 2.1.2 above):

• Organisations and boards that adopt a more principled approach are likely to make more connections between strategy and risk, but these connections may not be very explicit and are often unstructured. Failure to make such connections can lead to inconsistent decision making and the pursuit of opportunities without the proper consideration of downside outcomes.

• Organisations and boards that adopt a more prescriptive approach tend to view risk management as a device for internal control and, to the extent that connections are made between strategy and risk, their focus is on risks to objectives. This can make it harder to exploit opportunities, but risk-management activity is more structured, meaning that ‘downside’ outcomes may be better controlled.

Whichever approach is adopted between the two extremes, effective strategic-level leadership is not necessarily about achieving greater levels of certainty; it is about being able to exploit any uncertainty that may exist to the advantage of the organisation and its stakeholders. Risk-management tools such as risk reports, risk appetite statements and managing the cultural aspects of risk taking can be used to help support this, as much as they can be used to mitigate losses.

Perhaps unsurprisingly, this research also shows that the primary driver for much board-level risk-management activity is compliance. Legislation, regulatory requirements, corporate codes and professional codes of conduct were regarded by many participants as having a direct effect on attitudes and practices in relation to risk management. This may be a double-edged sword: on the one hand ensuring that boards are engaged in risk management, but on the other promoting a tick-box approach. What may help here is a greater emphasis on the other benefits of risk management, for example in mitigating reputational effects, improving efficiency or the exploitation of opportunities.

As regards the mix and composition of board skills, having board members who are risk-management professionals can be helpful, as are internal and external risk-management specialists who support boards. Nonetheless, it would seem that even more important is fostering a diverse range of risk intelligence, skills, knowledge, experience, education and training (RI-SKeet) across the board. Boards operate as a collective intelligence: no one board member can possibly know everything there is to know about risk management or the various risks and opportunities that may affect the strategy and governance of an organisation. The more diverse the types of RI-SKeet among the board members, the better prepared organisations will be both to avoid and mitigate the downside of risk events and to exploit potential opportunities.

It is therefore important to ensure that a board maximises its RI-SKeet potential. Backward-looking, static and/or lengthy risk reports do not help here, but equally significant is the creation of a safe-zone atmosphere where boards are free to discuss risk issues in an open and constructive way. This may include encouraging board members to ask ‘dumb’ questions, challenging the status quo by playing devil’s advocate, or considering extreme risk events or control failures.

Finding ways to explore risk-management issues outside time-pressured board meetings can also be important, for example by organising board away days.

Finally, it was plain that, while boards may have shared responsibilities, this does not mean that board members all share the same roles. Participants explained that the role of the executive is to ensure that the organisation’s strategy is implemented and that the board, and NEDs in particular, assure that the implementation is effective and consistent with the agreed strategy. In this context, the board provides a critical space for discussions about strategy and risk, with the NEDs acting as critical friends to the executive and wider senior management team. In performing this critical friend role, NEDs are able to step back and see a bigger picture. As a result, they are better able to use their RI-SKeet to ‘horizon scan’ for emerging opportunities or losses and so guide executives/management in the most appropriate way. They may also help to constrain both over-exuberant and too-timid risk taking.

Are boards ready for the challenges of today, as the strategic environment becomes ever more complex and interconnected and regulation only ever seems to increase? Can they exploit the opportunities that come with change, while at the same time mitigating any associated potential loss events? From this research it is clear that there is already much good risk-management practice, but this practice needs to be shared more widely and in an open-minded way. It is for organisations to select the practices that best suit their needs. It is hoped that this report will help boards to learn from the experiences of a wide range of organisations to enable them to continue to future-proof their activities.
Project
methodology
The findings from this report were drawn from 30 semi-structured interviews conducted with non-executive and executive board members from a wide range of organisations.

Table 2.1 provides an overview of the 14 executive and 14 non-executive participants in this project, plus two board-level consultants. Participants came from both large quoted (eg FTSE 100 and 250) companies and SMEs and included people from both for-profit and not-for-profit organisations, including charities and social enterprises. A significant number of the participants, especially the non-executives, had current experience of multiple organisations, so in fact information on experience of board-level risk-management activities in approximately 60 different organisations was collected.

All interviews were conducted on the phone via conference call facilities and were recorded, allowing for each interview to be transcribed for subsequent analysis. In most cases interviews were conducted by two, occasionally three, of the researchers to help control for interviewer bias and to ensure that each interview was as complete as possible.

To improve robustness further, the draft findings from the interviews were presented to two focus groups in November and December 2017. These focus groups consisted of risk-management experts and industry association representatives.

Data limitations, especially for private companies, make the precise calculation of the split between SME and larger organisations complex. A search based on publicly available information indicated that the participants have been involved in, approximately, a total of 7 FTSE 100 and 10 other quoted (eg FTSE 250, 350 and AIM) companies. In addition, a total of 17 private, 8 partnership and 15 not-for-profit entities were represented. The remainder were a variety of other organisational forms (eg networks, members’ associations and employee-owned firms).

To manage the effects of cross-cultural biases and different regimes for corporate governance and risk-management regulation, the research focused on UK-based organisations (though a number were multinational in focus). The researchers would encourage organisations, boards and researchers in other countries to build on this research and explore the risk-management activities of boards based in their countries. The expansion of this research would create further opportunities for sharing good practice.
Author biographies
Dr Simon Ashby is Associate Professor of Financial Services at the Plymouth Business School
(www.plymouth.ac.uk/schools/plymouth-business-school). Prior to this he worked as a
financial regulator for the UK Financial Services Authority (writing policy on risk management)
and a senior risk manager in a number of UK financial institutions (covering both credit and
operational risk).
Simon has a PhD in corporate risk management and has published many academic papers
and industry reports in the discipline. His current research interests include board-level risk
management and risk governance; cyber risk management; risk culture; and the reputational
effects of operational risk events.
Simon is a fellow and former chairman of the Institute of Operational Risk (www.ior-institute.
org) and a non-executive director and audit and risk committee chair of Plymouth Community
Homes (www.plymouthcommunityhomes.co.uk).
Dr Cormac Bryce is an assistant professor of risk at the University of Nottingham within its
Business School, and is a member of the Centre for Risk, Banking, and Financial Services. His
multi-method research spans from human behaviour in financial organisations to the effect of
regulation on organisational behaviour within the aviation and financial services industry.
Cormac’s recent research focus has been grounded in the areas of error-reporting climate and
the effects of risk events on the market sentiment of financial services organisations.
Dr Patrick Ring is a qualified solicitor who, before entering academia, worked in the
corporate area of private practice, later working as a lawyer with a large life assurer for a
number of years. He is currently a senior lecturer in financial services in the Glasgow School
for Business and Society at Glasgow Caledonian University. Patrick is a member of both the
Chartered Institute of Securities and Investment and the Chartered Insurance Institute, as well
as an associate of the Pensions Management Institute.
Patrick’s teaching and research interests include financial regulation and compliance;
operational risk management and culture in financial services; trust in financial services;
pension policy and reform; and the retail financial advice sector.
PI-RISK-STRATEGIC-LEADERSHIP
ACCA The Adelphi 1/11 John Adam Street London WC2N 6AU United Kingdom / +44 (0)20 7059 5000 / www.accaglobal.com