A major new study draws attention to seven existential risks that are beyond the realm of traditional risk management processes. Nathan Skinner dissects the findings.

Not all risks can be managed. In fact, it turns out that there are quite a few business issues that risk managers themselves have absolutely no influence over and that nonetheless pose an existential threat to their organisations.

In many cases these are problems created or exacerbated by the senior leadership within a business...and therefore completely outside the remit of the average risk manager to handle.

This is one of the principal findings of a major piece of research commissioned by Airmic and carried out by the Cass Business School. The research, which looked at over 20 major crises to strike companies around the world in the past ten years, throws a spotlight on corporate governance problems and how senior executives oversee their companies.

“It sounds obvious that the leaders of a business should have the skills that are necessary to understand and run it,” said the report. “But some of our studies suggested that the leaders did not.”

It draws attention to seven risk areas that pose existential threats to companies and that are beyond the realm of the traditional risk management process but which the report recommends should be drawn within its scope.

These issues arise from the board’s ineffective oversight of risks, poor company cultures and inadequate risk communication (see the full list of issues in the box at the bottom of this page).

The paper also warns boardrooms that without listening to views from the outside they are blindfolding themselves to risks within the business—and uses examples to demonstrate this.

In the report's own words, “the studies contain a valuable and extensive opportunity to learn painlessly from the misfortune of others”.

Below are some of the key points illustrated by one of the case studies in the report. A complete breakdown of the report's key findings is available in the next issue of StrategicRISK.

BP Texas refinery explosion

In March 2005 an explosion and fire at BP’s Texas City Refinery killed 15 people and injured many others. The subsequent compensation bill added up to over $1.6bn. The oil company also had to pay several criminal penalties and fines for health and safety violations. It was one of the most prominent safety failures to hit BP in North America, meaning that its reputation was trashed even before the Deepwater Horizon disaster in 2010.

Lessons

1. Rapid growth led to too much complexity: BP doubled in size between 1998 and 2000 resulting in an extremely complex management structure.

2. Walk the walk, don’t just talk the talk: While the board talked up BP’s safety measures, outside consultants said cost cutting was prioritised over safety.

3. Take notice of the warning signs: Before the Texas explosion there had been 23 deaths at the refinery, four since BP had taken over.

4. Listen and learn: Chief executive Tony Hayward wrote on BP’s internal website: “The top of the organisation doesn’t listen hard enough to what the bottom of the organisation is saying.”

5. It’s more than just compliance: The Baker report, commissioned in the aftermath of the accident, said that the main focus of BP’s safety audits was on satisfying legal requirements, not on improving overall safety performance.

6. …and follow through: The same report claimed that BP repeatedly failed to “follow through” with improvements following the safety reviews.

Seven existential threats

Many of the seven over-arching risk areas highlighted by the Airmic/Cass report are virtually taboo because they touch on the behaviour, decisions, performance and perceptions of the senior echelons. They are:

1. Board skills and non-executive control: Risks arising from limitations on board skills and competence and on the ability of the NEDs effectively to monitor and, as necessary, control the executive arm of the company.

2. Board risk blindness: Risks from board failure to recognise and engage with risks inherent in the business, including risks to business model, reputation, and licence to operate, to the same degree that they engage with reward and opportunity.

3. Inadequate leadership on ethos and culture: Risks from a failure of board leadership and implementation on ethos and culture.

4. Defective internal communication: Risks from the defective flow of important information within the organisation, including up to board level.

5. Risks from organisational complexity and change: This includes risks following acquisitions.

6. Risks from incentives: This includes effects on behaviour that result from both explicit and implicit incentives.

7. Risk glass ceiling: Risks arising from the inability of risk management and internal audit teams to report to and discuss, with both the C-Suite (leaders such as the Chief Executive, Chief Operating Officer and Chief Financial Officer) and NEDs, the risks emanating from higher levels of their organisation's hierarchy, including risks from ethos, behaviour, strategy and perceptions.