Home > Risk > Board members should discuss this excellent paper on Boards and the Taking of Risk for Success

Board members should discuss this excellent paper on Boards and the Taking of Risk for Success

The ACCA published an excellent product a couple of years ago. Risk and the Strategic Role of Leadership might have been written by three UK academics, but reflects the practical thinking of board members as well as risk practitioners.

Here are some notable excerpts, with some highlighted by me:

  • Boards have always been involved in the management of risk. Without appropriate risk taking, organisations cannot exploit the full range of strategic opportunities that are available to them, nor can they hope to protect themselves from less positive outcomes.
  • Effective risk assessment, reporting and control help to enhance a board’s governance and internal control activities, reducing the probability that an organisation may deviate from its stated objectives and so fail to meet the needs of its stakeholders.
  • Risk may bring with it the potential for losses, but it also offers the potential for opportunity.
  • Boards are still finding it hard to understand and address softer factors, such as culture and risk appetite. Often, this is because of a lack of clear information and difficulties in connecting them to organisational performance.
  • Regulation and compliance remain key drivers for board-level involvement in risk management. Nonetheless, some organisations are increasingly aware of the strategic benefits of risk management in helping them to exploit opportunities and so exceed their stated objectives.
  • Factors such as lengthy risk reports and insufficient time devoted to risk management at board meetings create significant challenges for board-level risk-management activities.
  • Today’s board has a key role to play here, helping its organisation identify and exploit opportunities, which is as much a part of maximising the long term sustainable performance of the organisation as well as overseeing the mitigation of threats.
  • Risk comes with the opportunity for returns, and even seemingly adverse events such as regulatory change or political uncertainty can create opportunities that may be exploited.
  • …highly strategic risks, such as the development of a new product or market, or an acquisition or merger, very clearly combine a range of positive and negative outcomes.
  • exploiting opportunities is as much part of risk management as controlling downside outcomes.
  • Viewing risk as ‘bad’ means that the potential for better-than-expected outcomes may be overlooked. It may also foster high levels of risk aversion in boards, a problem that was identified by a number of the participants in both large and SME organisations. The consequence of this approach is that innovations may be missed.
  • “In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector” (non-executive director).
  • In a small number of organisations strategy setting and risk were integrated to a much greater extent. The directors of these organisations indicated that their boards considered the risks associated with choosing or not choosing specific strategic options at the strategy setting phase, as well as the organisation’s risk-management competencies and capabilities.
  • …an extremely prescriptive [ndm: the paper talks about two approaches, prescriptive and principled] risk-management approach may cause board-level risk-management activities to become static and reactive, with board members getting lost in operational detail (a potential problem made worse by lengthy risk registers) and taking an overly negative view of risk.
  • …an extremely principled approach may make inconsistent decisions and may pursue upside opportunities at any cost, exposing an organisation to excessive amounts of risk
  • “So the classic thing, zero harm – we’ve got no appetite for something – it’s a complete misunderstanding of what risk appetite is. There is a wealth of metrics and information out there that you can tap into to articulate statements in a way which will actually add practical guidance to a business, and you’d be able to measure whether you’re operating within those parameters. But a lot of companies are just nowhere… they’re still doing the sort of high, medium and low, hungry-averse-type scales, which are just worthless” (Focus group).
  • …adopting a ‘compliance mind-set’ … may foster excessive risk aversion: ‘it’s the mind-set of actually, rather than helping us take risks better it’s about not taking risks at all’ (executive director).
  • Non-executives need to be assured that executives have ensured there is an appropriate risk-management framework that is operating effectively.
  • What was stressed by a number of participants was the need for discussion of risk at a strategic level – not at a level of governance and oversight that dwells on risk registers and frameworks – in order to be able to take advantage of opportunities.
  • The ability to move away from vast static risk registers that are essentially backward looking, towards a dynamic view of the real-world impact of risks on the activities of the organisation, was something that many have aspired to, but few have actually achieved, in their board’s approach to risk registers. All too often, and much to the disappointment of some participants, the use of risk registers was seen as a ‘tick-box’ exercise characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.
  • The risk and/or audit committee was seen to act as a filter for the board, with a more succinct discussion taking place at board level.

The paper has a number of highly constructive suggestions. I recommend reading them all, but here are the ones I especially liked:

  • Place risk in a positive context. Consider the potential for outcomes to be better, as well as worse, than expected, making it clear when you are talking about opportunities and risks. If necessary, avoid using words such as risk if they have a negative meaning in your organisation; eg consider alternatives such as ‘volatility’ and ‘uncertainty’.
  • Integrate your strategy and risk decisions. When setting your strategy and business objectives, consider the potential for better or worse-than-expected outcomes from the outset.
  • Boards should adopt the 75:25 rule. Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities. Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities and competencies in areas such as finance and risk management.
  • All papers going to the board should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business. This provides visible anchor points for discussion of the strategic risk-reward equation.
  • Policymakers should revisit their risk mind-set: risk is not bad in itself and opportunities are never certain. Rather than considering risk management as a device for increasing certainty, it should be considered as a means for achieving ever more positive outcomes. Risk management should help an organisation to create value, as well as to protect it.
  • Always encourage boards to make links between strategy and risk. Potential risk exposures, along with the ability of an organisation to manage these exposures, should be considered as part of strategy setting. Risk management should not be a bolt-on activity after the strategy has been determined.

I recommend that the full board, not just the risk and/or audit committee, should receive a copy of this paper and hold a discussion with management on its key points, recommendations, and self-assessment questions.

I welcome your thoughts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: