Risk management is crucial to the survival of every business, yet few boards have a strong working knowledge of the area. Here are some key steps you can take to rectify this.
In an ideal world, the board reviews risk on a regular basis – at least quarterly – and sets out its policy clearly so that this can be implemented by managers on a day-to-day basis. But there is evidence that, in some companies, the only attention given by boards to risk is a passing nod when receiving reports from the audit committee on its annual review of the effectiveness of the company’s system of internal controls.
As recent events such as the banking crisis have shown, it is essential that the process of establishing the company’s risk appetite and its oversight of risk management is considered a primary function of the full board. However, according to a recent report from Airmic (see page 42 for details), there’s still a major gap in the board’s understanding of operational risk. Some boards and executive management are simply unaware of what is happening at the coal face.
Here are some steps risk managers can take to narrow the information gap and communicate effectively with the board:
1 Use a board-friendly format to outline risks
Every board has different expectations and risk managers should find out what works for their board. Risk reports to the audit/risk committee must be both comprehensive and understandable. In particular, non-executive directors (NEDs) need to ensure they understand the reports they are receiving. If not, they should be encouraged to ask for more information and/or ask for reports to be presented in a format they can understand.
All papers that go to the board to get its go-ahead – launching a product or making an acquisition, for example – should include a section on the risks involved in the proposal. When the board is going through its decision-making process, the paper should be presented by a member of the senior management team making the proposal and the board should question them on the risks.
The board should also ask senior managers or executive directors from other areas of the business about the risks they have identified.
2 Get direct access to the board
For governance to work properly, the entire risk agenda must be brought to the attention of the board. Risk managers should use this argument in order to get direct access to the risk or audit committee chairman. They should have a meeting with the committee once or twice a year and ensure that their own appointment or removal is a matter for the committee. Essentially, the company’s risk officer should have the same status as the head of internal audit.
3 Ensure the board has a good line of sight to risk
Make sure the board has a full grasp of the nature, and extent, of the significant risks the company is willing to embrace in implementing its strategy. There should not be any no-go areas that prevent directors from overseeing risk management.
The glass ceiling that often discourages or even stops managers talking directly to the board must be circumvented. To help directors better understand the business and therefore the risks faced – bearing in mind that executive directors themselves may not be appropriately familiar with operations – directors, and non-executives in particular, should be encouraged to visit different parts of the business.
These visits should not be stage-managed by executive directors but should allow interaction among non-executive directors and other business managers below board level, and allow direct relationships to be fostered.
4 Agree a committee strategy
There’s an assumption in too many boardrooms that as long as one of the board committees has looked into a particular issue, the directors can be discharged of their responsibility. Work with your board to set up a system that ensures all committees report back on their deliberations. The board should then decide collectively on the action to be taken on the risks identified by the committee.
5 Tell the whole story
The board won’t be able to make decisions on risks unless they have the whole picture. That means it’s vital for risk managers to highlight all possible risks, especially those that are unlikely but would have a big impact.
Risks that cannot be tolerated can then be used to inform the strategic agenda.
Seamus Gillen is director of policy at the Institute of Chartered Secretaries and Administrators