Risk managers must protect business from catastrophic failure in a way that does not stifle growth, writes Alex Cardno
UK businesses may be experiencing a long-awaited recovery, but tackling the risk landscape has never been more important.
Risks are often inherently difficult to anticipate, yet their effects can be devastating.
Take, as a recent example, the Poly Implant Prothese (PIP) scandal, where it was discovered that silicone implants sold by PIP for breast augmentation procedures contained unauthorised filler that doubled the rupture rate of other implants.
What followed was a media frenzy and an international health crisis, resulting in criminal convictions for the founder of PIP and four other former PIP executives, and compensation for affected women.
In the UK, the scandal caused the government to order a review of whether better regulation of cosmetic surgeons is needed.
Although an extreme example, it reinforces the need for risk management executives across all sectors and industries to put in place good governance to deal with risk threats.
Indeed, the financial crisis of 2007 and beyond has increased calls for better risk reporting by businesses from investors, shareholders, lenders and other stakeholders.
This matters, or should matter, to C-suite executives because, in theory, better risk reporting increases the chances of business success and decreases the likelihood of business failure.
And, as a recent report published by Cranfield School of Management and Airmic argues, companies with confidence in their own risk management structures often have the flexibility to be more enterprising and entrepreneurial.
This is where risk management matters to chief executives. For C-suite executives, corporate governance must, therefore, play a huge part in ensuring an effective risk management culture is embedded from the top of an organisation to the bottom.
As the Airmic report attests, the key to achieving resilience is to focus on aligning the culture and behaviour of individuals within a business with good risk management.
However, changing culture and behaviour to make businesses more risk aware is also where the key challenges lie.
Problems often emerge in the differing behaviour, approaches and decision-making of risk management executives and the boardrooms they report to.
Risk managers understand the risks facing a business because that is what they live and breathe, whereas boardrooms make the final decisions, but often do so without a full understanding of the risks.
Of course, taking the best course from a risk management perspective may not always seem like the best course from a growth, expansion or profit perspective, and this is where the tension between the C-suite and the boardroom often lies.
It is, therefore, the responsibility of the risk management function not only to proactively identify risk, but also to communicate it effectively to the board of directors in such a way that convinces them to take good risk management decisions.
This is an enormous shift because not only does the risk manager have to perform their usual role, they must also devise and “sell in” their approach in such a way that doesn’t expose their business, but allows it to flourish.
There are some interesting new approaches to this concept. Peter Bonisch, of Paradigm Risk Consulting, cites a “three lines of defence” model, pointing to three distinct defences operating to protect a business at any one time.
This theory has been endorsed by authorities, including the European Banking Authority and the Basel Committee on Banking Supervision.
As Mr Bonisch says, the first line of defence is effective risk management processes for predicting and dealing with risk situations as they arise.
The second layer is an appropriate internal control framework, while the third and final layer is an internal audit function to provide an independent view of the first two.
The first line of defence lies at the front end of a business; client-facing teams take on risks within the limits of pre-agreed exposure, and are thus responsible for identifying and controlling risk in the business.
However, it falls to the risk manager to create their own way of impressing the correct thinking on other departments in a way that does not stifle the business, but crucially doesn’t expose it either.
This demonstrates the fine line risk management individuals or teams must tread and the fundamental shift that needs to happen if businesses are truly to become better at risk management.
The Institute for Chartered Accountants in England and Wales says careful consideration needs to be given to how risk management should be improved and how far the expectations of those calling for change can be met.
After all, business failures are inevitable in any economic cycle and even better risk reporting offers no guarantee of preventing future mistakes.
For some, the process of improving risk management will be straightforward, but for many, the changes required will be an enormous shift. With the economy on the cusp of recovery, it is time for businesses to step up.