Risk is part of everyday life and in the business world every activity that an organisation undertakes and any decision that is made involves risk. Some risks are known, others are not and some are ignored at great cost. The preface to the World Economic Forum’s 2021 Global Risks Report, for example, states that in 2006 the Global Risks Report ‘sounded the alarm on pandemics and other health-related risks. That year, the report warned that a ‘lethal flu, its spread facilitated by global travel patterns and uncontained by insufficient warning mechanisms, would present an acute threat.’ Impacts would include ‘severe impairment of travel, tourism and other service industries, as well as manufacturing and retail supply chains’ while ‘global trade, investor risk appetites and consumption demand’ could see longer-term harms.’ Fast forward 16 years and all of this has come to pass in the shape of COVID-19 yet few were prepared for it.
The global financial crisis of 2008 is another stark example of the destabilising impact that risk can have. In that case a relatively small issue in one country – rising mortgage default rates in the US – quickly led to financial market collapse around the world, the effects of which are still felt today. Given the capacity for risk to have such a devastating effect, modern risk management is a fully integrated part of the organisational decision-making process, used to anticipate and quickly respond to different risk events that might otherwise negatively impact the value of an organisation.
The type of risks that organisations face are many and varied. Climate change, compliance, environmental pollution, financial crime, health and safety, information security, quality and performance, shareholder activism and organisational solvency, to name but a few. Connecting risk to strategy allows organisations to directly link their long-term objectives with risk-taking opportunities.
Risk management is a broad discipline that can be applied to all organisational activities, such as operational risk management, project risk management, supply chain risk management and cyber risk management. It must adapt to risk exposures and their changing nature, as well as the emergence of new risks. Digital risks linked to advances in information technology, the use of ‘Big Data’ and automated decision-making are expected to lead to future developments for risk management. Equally, the growing complexity of modern markets and environments and changing knowledge and skills are already affecting most organisations.
In order to respond to such risks, many organisations have risk appetite frameworks and statements, the idea being that these will help them to keep their risk profile within acceptable parameters, while at the same time exploiting upside opportunities that help them to achieve their objectives.
Control strategies may be used to influence probability or impact and to mitigate the secondary effects of risk events, such as business disruption and reputation losses. Risk control involves the application of tools to influence the probability and/or impact of a risk event. The mitigation of follow-on effects that risk events may have on the continuity of an organisation’s operations or its reputation is also a key part of risk control.
In most organisations, the risk management process is formalised to facilitate successful and consistent decisions regarding risk-taking and control. However, this does not mean that all organisations operate exactly the same process. Differences in approach are common.
As little is certain in the world in which businesses operate, consequently almost every decision that is made will have multiple potential outcomes. Entry into a new market could prove profitable or a failure, a partnership could turn out to be a perfect match or a mismatch in terms of cultural fit or a new technology could adversely impact the environment. It is inevitable that where there is uncertainty, risky decisions will need to be taken from time to time. Some will generate stakeholder value and some will not. Balancing the desire to create value for stakeholders while at the same time reducing risks that could cause financial or physical harm such as pollution or injury is far from easy.
The global environment within which risk management is conducted consists of stakeholders, regulatory agencies and standard-setting bodies, all of whom have an interest in ensuring the effectiveness of organisational risk management activities. These stakeholders, agencies and standard setters are increasingly global in nature.
Consequently, managing an organisation effectively requires significant time and financial resources. According to Simon Ashby, author of The Good Governance Guide to Risk, ‘Organisations meet the needs of their stakeholders through setting objectives that provide an appropriate balance between risk and return, and by ensuring that these objectives are achieved. This includes managing the risks which may threaten the achievement of these objectives, such as competition or compliance risks. How an organisation balances risk and return and the degree to which it manages the risks associated with implementing its objectives will depend on the risk attitudes and preferences of these stakeholders.’
Most stakeholders are inherently risk averse. They prefer certainty to risk. This does not mean, however, that they are averse to the same risks or have equal levels of risk aversion. While shareholders look to maximise their dividends, creditors want the security of knowing that their loan will be repaid and consumers want safe, reliable products and services. Where conflict exists between stakeholder groups, different priorities will need to be managed to increase the overall level of stakeholder satisfaction. The board and senior management play a crucial role, weighing up different prioritires and assessing the costs and benefits of different risk management decisions and risk exposure levels. In addition, governance professionals and other individuals such as specialist risk managers have a role to play in supporting these decisions to ensure that any legal, regulatory or ethical concerns are considered.
Non-compliance can have serious consequences, including fines, the imprisonment of key staff, and the closure of the organisation. Non-compliance can lead to lengthy legal disputes, liability claims, negative media coverage, loss of reputation and can affect the share price of quoted companies.
In the long term, non-compliance will be exposed and will have a significantly detrimental effect on any organisation.However, complying with all applicable laws and regulations is time consuming and costly, especially as laws and regulations change. Over-compliance is a possibility and can affect the efficiency of an organisation and its processes. Compliance management helps an organisation to balance the costs and benefits of compliance to ensure that its compliance activities are cost effective and support the achievement of all its other objectives.
Compliance management does not have the same focus or objectives as risk management. Not all compliance activities may be connected with risk management. Nevertheless, there are many circumstances where the boundaries of compliance and risk management cross. Risk managers often get involved in relevant compliance activities, compliance managers may find themselves involved in risk management and governance professionals and leaders will have to straddle both.
Corporate governance regulations contain rules, guidance and principles that can have a major impact on risk management practices in an organisation, and which can also be the foundation for building a robust risk management framework.
Governance and compliance frameworks are used to ensure that a company’s risk management framework, and associated processes and procedures, are implemented effectively. An organisation’s risk management framework must be implemented effectively to ensure compliance with relevant laws and regulations and to meet the risk management needs of stakeholders – keeping them and their assets safe and providing a stable level of return over the long run.
Governance and compliance frameworks are a necessary component of effective risk management. Without governance and compliance frameworks for risk management, organisations will be vulnerable to bad behaviour on the part of their employees, including negligence or criminal activity.
In addition, effective governance and compliance frameworks for risk management help all employees to understand the ‘rules’ regarding risk management, including the risks that can be taken to support the achievement of objectives and those that are out of bounds.
Risk management, governance and compliance are therefore inseparable. It would be impossible to have effective risk management without appropriate governance and compliance frameworks. Equally, effective governance and compliance relies on risk management processes, tools and techniques.
An equally important intangible asset is culture and risk culture, particularly the ‘tone from the top’ in relation to risk taking and control. Organisations that have addressed their cultures have reported benefits beyond improved financial performance, including improved employee performance, a reduction in incidents and near misses and reduced regulatory issues.
The 2018 UK Corporate Governance Code puts the relationship between companies, shareholders and stakeholders at the heart of long-term sustainable growth in the UK economy, asking that boards not only take responsibility for risk but also create a culture which aligns company values with strategy.
Too many organisations see risk as a checklist exercise that can be undertaken once then filed away. Those who really embrace the topic will use the data and knowledge that an effective risk framework provides to underpin discussions, decisions and strategic focus. Creating a risk model and framework that is beneficial to the organisation; reflects the sector in which it works; and incorporates any regulatory requirements is a core element of good governance. Aligning this framework to the practicalities of organisational activities and strategic decision making, without stultifying potential, should be an ideal for all senior leaders to strive for.
The Good Governance Guide to Risk aims to act as an engaging, thought-provoking and useful text for any individuals who are interested in the subject of risk from a governance, leadership and board perspective. It provides a clear introduction to the breadth of this topic, from theoretical frameworks to practical applications, and the benefit of using risk metrics in strategic decision-making.
The Good Governance Guide to Risk
Author: Simon Ashby
Series Editor: Sue Lawrence
Price: £49.95 | Published: June 2021
Available to order here – www.cgi.org.uk/shop
Learn more about this topic and other aspects of risk in our Risk & Risk Management Hub.