50
Excellence in Leadership | Issue 1, 2013
an example of a major risk event that had a significant impact on reputation, thus falling within the board’s area of interest. The key thing here is to identify material risks in the context of the specific business – and perhaps even more importantly, understand how they connect with each other. The board can really add value by seeing risks from this broader perspective.
AN ‘AMAZING LACK OF CURIOSITY’
This was the accusation levelled at the former BBC director-general in his handling of the Newsnight crisis, but it could equally apply to those boards that have failed to ward off trouble. The real value that a skilled board can add is to discuss, debate, ask questions and constructively challenge management about risks and opportunities. The board information pack should have this in mind. So while it is essential that the board has sight of the risk register for reference, it also needs a very focused report that helps the board to grasp the material changes since the last meeting and provokes discussion and questions on what might have been missed. CIMA is currently trialling a framework that does just this and intends to launch it later this year. A key finding so far is that the process of preparing information in this format is a challenging but constructive discipline for executive management in terms of the questions posed to them. This recognition of the need to facilitate discussion is also acknowledged by the FRC; in its forthcoming review of its guidance on internal control (often referred to as the Turnbull guidance), it has signalled its intention not to make detailed prescriptions, but instead to flag issues in a way that makes boards and management think intelligently about risk. A valuable exercise is to appraise existing risk information that goes to the board in terms of how well it passes the “curiosity” test. For example, does it contribute to a meaningful, strategic discussion? Does
it provoke challenging questions? If the answer is no, it might be time to review the format. Our experience so far shows that a good first step is to streamline the information on the “less is more” principle.
THE BIG GLOBAL RISKS
In terms of the risks that threaten the long-term viability of the organisation, the board needs to consider the big global risks. In recent months, I had the opportunity to listen to the UK government’s chief scientific officer, Professor Sir John Beddington, at the Institute of Risk Management’s annual lecture. He gave the audience a glimpse into how governments deal with risks such as pandemics, volcanic eruptions, antibiotic resistance and severe space weather. Covering similar territory is the World Economic Forum (WEF) “Global Risks Report 2013”. It is well worth a look as part of your environmental scanning process. The striking and consistent point that emerged from each was that many of the individual risks have not actually changed very much. What really matters – and therefore what really needs to be understood – is how these risks interact with each other to create novel risks. A further challenge is translating such information into practical responses at an organisational level. These are such major risks that an organisation cannot deal with them single-handedly. On the other hand, ignoring them is not appropriate either. John Scott, chief risk officer of Zürich Global Corporate and one of the authors of the WEF report, illustrated how this can be done for the key scenarios in this year’s WEF report at a recent presentation to the Tomorrow’s Good Governance Forum. Digital fires in a hyperconnected world – this case refers to cyber risk, critical information infrastructure failures and the viral spread of information – or misinformation. The origin may be organised crime seeking financial
gain, or governments trying to obtain intellectual property. Business response – focus on the practical with emphasis on data privacy and security. Even simple steps like a clear desk policy can be valuable to prevent loss of information. The dangers of hubris on human health – the key issues here are pandemics and antibiotic resistance. Business response – while it is clearly beyond the capacity of individual companies to come up with measures such as incentives to reduce overuse, what they can do is focus on business continuity planning. Testing economic and environmental resilience – this was by far the most complex set of circumstances, bringing together stresses on the global economic system and the environmental system. Business response – with a broader set of triggers, this one is by far the most challenging for an individual organisation to handle. However, an important first step is to invest in scenario planning, using such resources as the WEF report as part of strategic planning, simply to get a handle on how supply chains and other aspects of the business might be affected. The essential task for the board here is to provide the external “eyes and ears” of the organisation and ensure that these macro risks are on the radar. Risk governance is a multi-faceted task, incorporating the setting of the right policies and tone from the top, risk identification and mitigation, monitoring and assurance and crisis management. An essential aspect of this is for the board to have clarity over which risks it should be focusing on; this should then drive the provision of the right information to support meaningful board debate.