David Denyer, Professor of leadership and organisational change, Cranfield School of Management
Julia Graham, Technical director, Airmic
John Ludlow, Chief executive, Airmic
Mary O’Connor, Chief risk officer, KPMG UK
Chyono Flynn, Vice president of enterprise risk management, Pearson
Tim Murray, Group director enterprise risk, Serco Group
How is the digital revolution changing the way boards talk about risk?
CF: In the past, you had maybe two years’ warning before big changes such as new regulations. But with digital transformation, disruptive technologies, you’re having to react month to month. Our biggest digital transformation programmes are on every single audit committee agenda which are well attended by our board members.
MO: There is an enormous amount of execution risk. How do you deal with that? It’s a very difficult thing for boards to measure because you have to get quite granular to really appreciate what’s happening. If you’re not a technological, transformation expert, it’s actually very hard to do that.
JG: I agree. You would never in days gone by consider having a director who didn’t have financial literacy. I think it’s getting to the stage where you wouldn’t consider having a director unless they also have a degree of technology literacy. Otherwise, how do you ask the questions? How do you exercise oversight and governance if you don’t understand that part of what you’re governing?
I don’t think oversight of digital is something you can pin on one individual on a board, which I think some organisations have tried to do, albeit expert capability can be a good thing to have in addition, especially in technology-oriented sectors.
TM: But it’s not just digital transformation. Digital transformation shows the need for new and emerging ways of thinking; the need to understand the connectivity of risk. It should be a catalyst for a change in thinking.
JL: The board needs to make sure it has a much better relationship with all its stakeholders so if something goes wrong, they’re not calling on an empty relationship. So I think the whole technology agenda feeds into the trust agenda.
DD: I think for all these things – artificial intelligence, automation, machine-learning – the future is uncertain and I think that creates quite often a defensive mindset in organisations. The level of uncertainty and risk aren’t known, so although they talk the language of digital, they can’t really understand the ramifications of some of the changes that are coming.
I used to have conversations with people responsible for risk who would tell me there was a group or committee with responsibility for cybersecurity or information security. Now I’m seeing much more of an enterprise-wide conversation; it’s about the whole organisation.
I think we should use language more around resilience than just risk management, not only stopping things from happening, but looking at the ability of the organisation to anticipate some of these changes, prepare for them, adapt and to respond.
Pure data will not do it; you have to provide a summary and translate it into usable information
Can boards be bolder if they have a better grasp of digital transformation risk?
CF: At Pearson, the shift in the conversation about digital is that risk isn’t necessarily about avoiding something bad, it’s also about maximising opportunity.
DD: I’ve recently seen much more of a strategic-level conversation that’s not just about prevention, but more “How do we leverage the opportunities?” But equally, there’s a lot of discussion around impact tolerance and risk appetite. What if your IT system goes down and you have people caught in the forecourt of a garage unable to pay? How quickly do you need to get that up and running? What’s the damage to the customer, to the brand, to our reputation from an event like that?
MO: You have to assume you’re not going to get it 100 per cent right, because you’re doing something by nature that no one’s done before. So you’re going to make mistakes. The key is communication and fixing them.
What’s the best approach when risk professionals talk to the board? Should they talk about return on investment or storytelling?
MO: I think you need to do both.
JG: It’s about taking academic excellence and topping it up with strategic, horizon-scanning and storytelling skills, and becoming a true business partner because the worst thing you could do is go to a board meeting and produce all these colourful risk heatmaps, which you think are wonderful, but the board get quickly bored with. They want to talk about what really matters and those are probably not things that you find on many heatmaps.
TM: Yes. Pure data will not do it; you have to provide a summary and translate it into usable information.
CF: Our board are engaged and will challenge me on risks in audit committee meetings. Individuals sometimes have specific risk interests and the more emotive risks can get more attention, so you have to go in prepared to tell the story on which risks they need to focus on.
JL: Risk managers are dealing with a very tough subject. But the culture is that nobody wants to talk about it. Therefore they need to be ninja warriors in terms of getting board attention. It probably means seeking out individual directors, going to have breakfast with them, coffee with them, wherever they are; getting your point across long before you ever get to the boardroom.
TM: As well as being a ninja, you need to get across that risk management is not a blocker, it’s not a policing function, it’s more of an enabler. The skillset requires persistence and diplomacy.
The board needs to make sure it has a much better relationship with all its stakeholders so if something goes wrong, they’re not calling on an empty relationship
Is this a common problem? Are risk experts seen in the boardroom as whingers or people who don’t “get” digital?
MO: Good risk management is just good management, right? At the end of the day, companies that manage risk well are going to be more successful. You can’t be a kind of observer or a pointer-outer of bad things. You need to be a leader. You need to drive the change.
TM: That’s probably one of the good things about the profession that there are so many touchpoints within the business it crosses many, many functions. And it crosses many horizontal and vertical levels. You have conversations at the top and the bottom and in-between.
JL: I agree. You can be inside the business. You could be outside the business in the supply chain, in the wider ecosystem. It’s a great way of actually getting the dark side of management information that nobody wants to give you.
Does it help to talk to the board about near-misses, serious problems that were narrowly averted?
MO: Absolutely. Learn from these. If you don’t have an open dialogue, you’re potentially exposing the company.
DD: The interesting thing about the near-misses is they often identify where someone has noticed, anticipated a problem and has usually intervened in the system in some way to fix it. They are really a window of opportunity to look up what’s the positive human contribution to the system that’s enabling us to manage those risks.
MO: On the one hand, boards need to be firm. It’s their job to hold executives to account, to make sure the rules get followed, to make sure all the processes are there. But at the same time, they need to make sure the culture is willing to make mistakes, embrace problems, embrace mistakes and make sure actions happen on the back of them. It’s a really fine line.
JL: I used to look after quite a lot of hotels around the world. And at every board meeting we published the serious incidents that had happened in the previous month or six weeks. We used to burst the bubble right at the start of every meeting. And it became their number-one read every month.
And once you do that over a long period of time, you build the trust of the company across the world. Hundreds of thousands of people know that it’s OK to say, for instance, they saw a window cleaner with no harness on, 24 storeys up or whatever.
How big is the culture issue?
JL: We used to celebrate people that managed crises well. For instance, when the Japanese triple disaster [the earthquake, tsunami and nuclear crisis of 2011] happened, we had a magnificent regional operator who managed a team right the way through that. We were the biggest hotelier in Japan, and we made a lot of people safe and carried on doing business. There was a huge celebration in the company, and part of the celebration was how did it go so well and what are the lessons for other leaders?
CF: And the other important thing is what you do with the lessons learnt. If you actually take action then the board can see you’ve done things differently next time.
I think we need to change the discourse. Everyone says ‘We’ve learnt our lessons’, but have they actually done anything about it?
Should you celebrate even if the crisis management wasn’t 100 per cent perfect?
JL: Absolutely. You’re dealing in chaos. But a robust leadership means that your business survives and thrives.
DD: I think we need to change the discourse. Everyone says “We’ve learnt our lessons”, but have they actually done anything about it? I’ve worked with one hospital that had six “never happen” events in six months, and after every one there was an investigation with recommendations and an action plan for implementation. It’s almost like the organisation was going through the process in a very technical way without actually learning and doing something.
TM: If you’re not careful, the processes or the compliance side will overtake the actual substance, in other words the iterative understanding of what’s really going on.
JG: There’s a tendency at the moment of saying hindsight is a bad thing and we have to look forward and extrapolate the future. But actually, you can learn so much from hindsight, we should never forget that.
How should boards be warned about more distant risks on the horizon?
CF: You have to do more scenario-modelling; you have to do more horizon-scanning; you have to do more sensitivity analysis. And then, by the way, you have to keep doing it. It doesn’t stop. You just have to because all the time your environment changes and your business is changing.
DD: I did a piece of work which was for a manufacturing company that’s been around for quite a long time, run by a traditional board. The chief executive, who I thought was one of the most enlightened I’ve encountered, asked us to run a programme taking 50 of their youngest, brightest people across the business. He told them, “We’ve run this company for the last 50 years. To ensure it’s around for the next 50 years, we want you to be the eyes and ears, and really think about what the future risks are, what the future opportunities are.”
If you give resources and support to people within the organisation, their collective intelligence is going to be much better at identifying some of these risks than the board would.
JG: I’ve an anecdote that complements that. We ran an event last year with about 100 young risk managers and we asked what are the top-ten things that keep you awake at night? And then as a separate exercise, we said, “OK, put that to one side. Now write the headline that you would not want to see on the front page of the tabloid press tomorrow morning.” And not one of them was in those top-ten risks.
One headline many companies didn’t want to see was the Brexit referendum result in 2016. What have companies learnt about risk management from this tangled process?
DD: It certainly showed you can have a disruptive event that no one saw coming. If you went back a period of time, five years ago, you would’ve said, “This is pretty implausible.”
I remember working with one financial institution just after the referendum and I said to them, “What is your plan? What are you going to say to your customers?” And they hadn’t got a plan, hadn’t even gone through any of that process, which is remarkable.
Now we all know a plan doesn’t usually survive the first engagement with the enemy, but the process of going through a planning process is what creates great value in the organisation.
JG: It’s like most potential crises. You plan for the worst and if it’s not the worst, then lucky you.
This roundtable was arranged in partnership with Airmic, the association that represents UK risk and insurance managers. Its annual conference will take place June 3-5 in Harrogate.
How can boards ensure they get an honest picture of risks to their business?
JL: I think diversity is a big part of it. I think diversity of thought is an even bigger part of it. You wouldn't just go and talk to the IT department about IT; you need to talk to the people who use IT, the people who bend the rules in the field, the people who break it.
DD: If the senior leader in the organisation’s first response to something going wrong is “Who screwed up there?” you’re immediately going to create a culture where people are not going to start admitting to mistakes. Just switching that question around, asking why it made sense to that individual to do what they did at that point in time, gets you immediately into a learning mindset.
JG: The big issue for me is courage. Not everybody welcomes the conversation. But to have courage you need confidence and confidence is enhanced by having a grasp of what you’re talking about.
MO: But you need courage on both sides. The board needs the courage to ask questions even if they are not the experts and to have enough courage to admit it. And David Denyer is right to make the point that the board needs to be able to say “Hey, we might not have got this right” and to work together to reach solutions.
Part of the answer is proper management information. Sure, you want it easy to read, but sometimes more is actually better, so you can see trends and outliers. But also, information lock is a real problem for boards. If they are getting just one view of the world, it can be very problematic. So I think it's really important that boards can get out and about, and have different sources of information so they can sense-check things.
JG: But don’t you think there’s a fine line? It’s great for directors to walk the floor, but don't do too much. You're not the chief executive. One of our members wanted to know what the role of a director was during a crisis. We said their role is being on the board. They are not managing the crisis, but are there to make sure there is executive leadership who have a plan and a team, and that both have been tested.