Complying with corporate governance creates the opportunity for better reporting, says Chris Williams
For many organisations, good governance has always been part of their strategy for delivering a high level of value. The Turnbull Committee's Internal Control (Stock Exchange Combined Code) document, while short, has caused a major impact in board rooms, and has gained further impetus due to recent high profile disasters. The requirement to establish the Turnbull Committee was implemented after earlier reforms had failed to go far enough to ensure corporate probity and the management of stakeholders' interests.
Organisations are swimming with this corporate tidal wave and are overhauling their strategies and reporting systems to ensure the attainment of a set of minimum standards for the conduct of affairs. Internally this may include communicating corporate values, or setting new metrics for staff appraisal, training and management. Externally, it may include improving corporate standing and achieving a greater openness with the media. Much of an organisation's value lies in its employees, and it is folly to expect them to perform well unless they have been made aware of the corporate goals and their role in achieving those goals.
Organisations that have done this well have introduced new processes and tools to gain access to their unique knowledge in order to leverage their business advantage. The distinction is often that they have identified and addressed the best practices which include their corporate objectives, in order to deliver the elements required for efficient governance reporting. Specifically they have not attempted to drive the strategy from the corporate governance requirements downward.
The risk management approach
Turnbull, HM Treasury, ICAEW, NHS and other guidance, prescribe the identification and assessment of risk, as well as the ownership of risks, but leave the implementation of the process to the individual organisation. While the primary activity of risk management is to manage the risks that affect the delivery of the organisation's objectives, there is an equally powerful and positive benefit to be gained. This lies in embedding the risk management culture as a dynamic communications channel, enabling the organisation to identify relevant, value-added solutions to improve its ability to achieve its objectives. It is this integrated approach that provides the confidence for the corporate governance compliance statements. Risk management software offers much more than simply the recording of distributed actions, but software tools are often introduced to automate the organisational processes. However, attention to this process or culture is paramount. A lack of planning may result in the failure to address some of the many spin-offs available from a well-planned culture.
The Institute of Quality Assurance (IQA) reminds us that risk management is the collective responsibility of the whole board, and advocates a comprehensive QMS in the fight against risk, harmonised with the risk-based approach that has been introduced into international standards and promoted by BSI.
BSI is promoting the broad deployment of a risk-based approach, introduced by ISO 14001 and OHSAS 18001. Their solution embraces the rationale behind ISO9001:2000 (requirement for a virtual circle of continuous improvement to be built into everything the organisation does) and ISO9004:2000 (guidelines for performance improvement, to interact with all stakeholders and gain their involvement and confidence). It implies an integrated approach to all aspects of management, shifting away from the stove-pipe mentality, to a more efficient and powerful way of combining legislative compliance and organisational objectives to make better, more informed decisions, and to deliver strategies successfully.
The introduction of the risk management process is probably the biggest global process change since the introduction of formal quality systems in the 1970s, and the shift in culture needs to be understood. The ICAEW's Faculty of Finance and Management's recently-published Risk Management for SMEs 1) is one of the most lucid publications advocating risk management available. It endorses the objective of good risk management and good risk reporting reinforcing each other. The Institute is a major contributor to the debate on managing business risk and to the belief that an integrated risk management process will result in 'better management of risks and better sharing of risk-related information'.
Risk management is a process, simple and uncomplicated. It is one that we all practise daily – the probability of catching the train, the impact of not doing so; the probability of making a sale; the the impact of failing to.
Traditionally, if a health and safety register is maintained for a specific application, the manager may tick the boxes, with 'compliant' or 'non-compliant', simply recording the status at the time. If, however, the same judgement is made from a risk perspective (assessing probability and impact), it permits specific degrees of assessment. The world is not black and white and neither is the status of a health and safety register. Therefore, the ability to record the true state and communicate it along with the measurement criteria adds value.
In its literal sense, risk management can be perceived negatively. In reality. however, it can easily encompass opportunity reporting, incidence reporting, employee feedback and organisational knowledge into a uniform, risk-aware culture.
A risk culture such as this can evolve to be the driver for an organisational management and communications process that ensures that a legislative process, such as health and safety, is the distributed responsibility of 'risk owners' within every business unit.
What is rarely contained in any of the guidance is the manner in which the strategy is translated into a structure that meshes with the organisation's unique profile. This can be a significant challenge, either due to the complex range of protocols identified, or because some specialist activities deem that they fall outside an organisation-wide risk solution.
The risk management principle thus becomes much more than a limited activity within specific company functions. It evolves into a universal culture that integrates with all of an organisation's activities to support better-informed decision making.
Whether your risk management process is still evolving or has gained the support and involvement of all aspects of the organisation, you will reach various trigger points, where a fundamental review is beneficial. Change management requires the buy-in of the staff. The risk management process encourages risk ownership, whereby all risks are monitored and managed, and this requires that there is trust and belief in the process among employees. Much of an organisation's potential often rests in the commitment of the staff and their collective knowledge. Not having a process to enable all contributions to be reported is a frequent omission and limits an organisation's ability to address existing problems, or to evolve improved processes.
Identifying and implementing the right risk management process requires the scope of the process to be defined from all known perspectives: what aspects of the business require to be addressed and what existing processes can be integrated into the programme. In mature organisations it is usually best to define and implement a pilot programme and review it regularly. It may be beneficial to employ specialist consultants to provide proven processes. As a rule these stages of implementation should be carried out before any risk management software tools are deployed, because software only automates the process and reflects the culture that has already been defined.
There are a number of software tools with their roots in various business processes and therefore capable of addressing the requirements of those environments, and they should be carefully considered.
However, the concept of an organisation-wide process demands that the software is sufficiently flexible to add value in all areas of the business and able to evolve with the business as its best practice programme prompts change. Such dynamic tools are available.
As with any software tool, the care taken in determining the scope of the risk management culture that is to be reported is vital. Your IT risk register will also remind you that data security is a major consideration, with as much as 25% of all computer fraud and data mismanagement occurring from within an organisation. So integrating your ISO 17799 compliance process into the risk assessment programme will ensure that it is routinely maintained so that only those who need to know have access to specific information.
The knowledge contained within your risks registers will certainly contain commercially sensitive information related to your corporate objectives, current risks and opportunities, as well as the unique ways in which you manage them. Unlocking this knowledge and communicating it effectively leads to improved operational efficiency, greater confidence throughout the organisation and the achievement of objectives.
Whether you operate in local government, the NHS, an SME, a plc or other organisation, the benefits of deploying a risk management culture are extensive and can help to unlock some of those intractable problems that you have learned to live with.
Chris Williams is the marketing director for Line International's risk management services,
Tel: 07710 620820, E-mail: cwilliams@lineint.com
1) Risk Management for SMEs is available at www.icaew.co.uk/risk
AIRMIC COMMENTS
Clive Smith, chairman of AIRMIC's Integrated Risk Management special interest group, writes:
A risk culture is a central platform for the success of any organisation's risk management approach. Our goal as risk managers is to positively enhance the management of risk across the entire organisation by helping to create a risk aware culture. But not a risk averse one!
By talking about a risk culture we mean the unique mix of formal and informal influences that help shape the behaviour and decisions of our colleagues in the way they work and respond to risk and its management. These influences will, of course, include formal risk management policies, but will also include how and how far these policies have been enforced by managers and supervisors, as well as how individuals perceive their roles in the context of taking and managing risk.
Marshalling the development of a risk culture relies on a sustained effort to influence behaviour and awareness of risk. Risk management is often about winning hearts and minds to provoke and reinforce positive long term changes in behaviour.
The work many organisations have done on raising the awareness of the importance of risk management through formal policies, risk workshops and reporting can help to provide a foundation for increasing the profile of the desired risk culture across the organisation. Further work to guide behaviour and decision taking is key to fostering awareness of risk across the organisation. We want to engender ownership of risk and its management across the organisation so that our colleagues do the right thing and take the right risks to achieve success.
A successful risk management effort will touch all areas of the business, positively influencing decision taking and behaviour in all functions and how they respond to and manage risk. For many organisations, developing and sustaining their risk culture is work in progress, sometimes a very challenging area of risk management, but it remains an important risk management goal.
The work of Stephen Ward at the University of Southampton is particularly useful in identifying the potential areas of both formal and informal influence on the behaviour of people and the way they do things within the organisation. How risk managers influence their organisation's risk culture and sustain long term change in the management of risk is very much the day job of the risk manager, and I wish my fellow professionals every success in their efforts.