Bringing risk home to the highest of corporate levels

Bringing risk home to the highest of corporate levels

Bringing risk home to the highest of corporate levels

Malcolm McCaig

Malcolm McCaig is a Risk Consulting Partner specialising in Financial Services at Deloitte & Touche in London.

The relationship between risk and reward is well understood. Often, the higher reward demands taking a higher risk. Some Chief Executives recognise the significance of risk management in creating value for their organisation, and as a result more are taking ownership of the process. But many are still not fully bought in.

The Turnbull report in 1999 set the guidelines for the internal controls needed by a company to identify, evaluate and manage its major risks. Turnbull requires all listed UK companies to report to their stakeholder on their risk controls. Its impact has pushed risk management up the corporate agenda, and into the boardroom. Companies pay the price in terms of damaging their reputation

At the same time, the capital markets are increasingly demanding better corporate performance. Stakeholders are reacting more severely to unmet expectations or sudden surprises. Companies that manage risk badly, pay the price in terms of damaging their reputation, share price or credit rating.

If risk management is so crucial to both preserving and building the value of a business, why is it difficult to convince those Chief Executives that have not become fully involved to do so?

The shift in ownership

Shortly after the Turnbull report was issued, we surveyed Chief Executive ownership of risk management and found that only 10 per cent took responsibility for the effectiveness of their organisation's risk management. Instead Financial Directors tended to take the main responsibility. The same survey was conducted earlier this year, and Chief Executive ownership had risen to 35 per cent, whilst ownership by the FD was down to 30 per cent.

These statistics illustrate the shift in the ownership over the past two years. One reason for this is that in 1999 the focus of Corporate Governance was purely on financial risk. The implementation of Turnbull broadened the scope to encompass all significant risks including business, operational, compliance and other risks to achieving business objectives.

But the shift also implies that developments in corporate governance have helped to escalate risk to a boardroom debate, requiring the attention of the top team. The statistics also reflect the increasing scrutiny that boards are being subjected to from institutional investors, other stakeholders and analysts.

However, our research shows that there is still quite a long was to go before risk management gets the attention it deserves in every organisation. One of the reasons for this can be seen by looking at the traditional role of the Chief Executive.

Every Chief Executive is under time pressure, and faces a number of priorities and demands for their time. A main priority is to solve any arising problems. If an initiative is not working or a process has broken down, it is in the Chief Executive's interest to fix it. He or she will become involved to evaluate the situation and make a decision, or find a solution to apply. Once this is done it is natural for them to disengage from the implementation activity, so that they are free to tackle the next issue. Ensure these crucial relationships run smoothly

Chief Executives also get involved in opportunities, such as evaluating a potential acquisition, a new product or a strategic new hire. Again, their priority is to make a decision and support the process in moving forward. Another main responsibility is to communicate with stakeholders and investors. And ensure these crucial relationships run smoothly.

So, if a Chief Executive's role is to create vision and set direction, where does something like risk management sit within this role? The answer is, "it does not fit comfortably".

A risk is something that has not yet happened. It is not a problem today, so why fix it? Risk management has to compete with a number of people queuing up at the Chief Executive's door trying to deal with current affairs.

Why should risk management get time?

The Turnbull guidance has prompted Chief Executives of UK listed companies to get involved in risk management, at least once a year, in looking at the system of control that their organisation has in place. It is also their responsibility to ensure that this message is put into the public domain, to stakeholders that the organisation has met its corporate governance obligations. Effective risk management goes much further

The incentive to take risk management more seriously comes from other directions. A major pressure is external and comes from shareholders and institutional investors or the wider community, such as pressure groups or consumers. Non-executive directors, with the experience on the boards of other organisations are also effective appliers of pressure. These groups create demands to implement risk management into every day thinking over and above compliance to Turnbull. Effective risk management goes much further than compliance. It generates confidence in the consistency of future performance.

And there are other incentives

The field is split. Some organisations take greater risks and are capable of controlling it. Others are following a more moderate approach to risk. They recognise risk management as important but they are living well within their comfort zone. That is, until something unexpected goes wrong. It is the Chief Executive's responsibility to ensure the organisation will "always be prepared".

Longer-term evidence can also act as a big incentive. As the link between risk management and share value, consistency of performance or cost of control become apparent, Chief Executives are more likely to become convinced. Over time, as the incentives become apparent, more and more Chief Executives will move towards adopting best practice risk management.