How effective is your firm’s risk management culture?

The downfall of Silicon Valley Bank has demonstrated just how vulnerable any business can be if it doesn’t have the appropriate control structures, procedures, systems – and relationships – in place.

When Silicon Valley Bank (SVB) collapsed in March, sparking turmoil in the global banking sector, it left analysts questioning why the US lender’s problems hadn’t been spotted sooner. 

Several increases in the US Federal Reserve’s base lending rate over the preceding months had reduced the value of assets held by SVB, causing big losses on its balance sheet. This triggered the run that brought it down. 

But the rate rises were by no means a surprise development. From as early as Q1 2022, it had been widely accepted that the Fed would need to make such calls to counter the unwelcome return of high inflation. Moreover, SVB supposedly had systems in place to detect risk and a board to oversee its operations. The bank’s auditor, KPMG, had even given the business a clean bill of health only two weeks before its demise.

The SVB affair has naturally put a spotlight on corporate risk at a time when trading conditions are toughening for companies of all kinds. Persistently high inflation and rising interest rates are reducing the ability of UK firms to repay loans and secure more finance, leaving them more vulnerable to shocks. 

What, if anything, should businesses be doing differently to protect themselves?

Preparing for risks of all kinds

Given the latest data from the UK Insolvency Service, it’s not surprising that financial risk is becoming the focus of concern for British businesses. In March, the agency recorded 2,457 corporate insolvencies – the highest number since it started compiling comparable monthly data and 16% up on the total for March 2022. 

But Tina McKenzie, chair of policy and advocacy at the Federation of Small Businesses, stresses that firms should be preparing for “risks of all kinds”. By this she means both “nipping problems in the bud before they become existential threats and identifying new opportunities to save costs or potential sources of extra profit”. 

Businesses are also increasingly being held responsible for what happens in their supply chains. The potential ramifications of a compliance failure, wherever it may occur, can be extensive, warns Adam Garside, director of forensics at risk management consultancy Control Risks.

“Financial penalties aside, the reputational damage from an incident – be it a data breach, a bribery investigation or a product safety issue – can devastate an organisation and its ability to fully recover,” he says.

Stay flexible and well funded

Garside adds that the good news is that regulatory compliance remains high on most firms’ agendas and tends to be a properly funded function. Many companies also have dedicated teams whose job it is to provide an overview of the most relevant risks and opportunities while ensuring that regulations are adhered to. 

These enterprise risk management teams tend to be small, with roles within them varying according to the firm’s priorities. But they will typically engage with members of the C-suite and the board. 

Anna Walker, a director at Control Risks, adds that the risk registers that firms have traditionally kept to log the known threats to projects may no longer be fit for purpose, given the speed at which interconnected factors can develop and jeopardise an operation. She recommends exercises such as scenario planning and horizon scanning as more constructive ways for businesses to “build resilience”. 

Auditors – the third-party sanity check

Most big companies rely on their external auditors to help them manage risk. As well as ensuring that their client’s financial statements are in order, auditors are supposed to spot weaknesses in its processes and highlight potential compliance problems. Yet recent high-profile corporate failures, including that of SVB, have prompted businesses to question the efficacy of auditors and reconsider how best to manage the relationship with them.

Nelson Wootton is the co-founder and CEO of SaaScada, a banking technology platform that helps companies to manage risk. He says that a good auditor acts as a “sanity check, offering a valuable second pair of eyes to challenge the assumptions made within your business”. But he adds that the client must adopt the right attitude to get the most out of the relationship with its auditor. 

“Boards need to see auditors as trusted business partners. They must be prepared to listen to them and be open to getting challenged,” Wootton stresses. “If boards see auditing as a regulatory box-ticking exercise, rather than a way to safeguard the business from risks it may not have considered, they will gain only limited value from the relationship.”

Letting technology take the strain

Companies that have invested in the latest IT to bolster their risk management processes are seeing strong results. Systems using artificial intelligence, for instance, are proving effective in identifying threats to data privacy and regulatory compliance, reports Craig Earnshaw, senior managing director in FTI Consulting’s technology practice. 

“In an investigations context, advanced analytics and machine learning technologies are helping businesses to reduce risk,” he says. “They do this by filtering through huge volumes of data from hundreds of sources in myriad formats to uncover key facts, such as who was involved in a case of leaked intellectual property. The ability to find accurate information quickly helps organisations to understand the details of an incident faster than they could ever do using manual methods.”

Similarly, the latest AI systems can help compliance teams to scan their organisations’ communications for so-called behaviour anomalies. Some, for instance, can learn to detect signs of attempted fraud or other non-compliant activities in emails or chat messages.

Building an open working culture

Although strong risk management practices, an effective auditor and powerful technology are important, none of them will make much difference if the business using them has a culture that discourages people from putting their heads above the parapet. All employees need to feel free to report any concerns they have about a threat to regulatory compliance, say, without fear of a negative reaction. 

For risks of all kinds, “sunlight is the best disinfectant”, McKenzie says. “A culture of healthy challenge is sometimes tricky to achieve, but it will deliver dividends.”

Garside agrees, noting the importance of creating an environment where all employees “take ownership” of risk in their functions and where risk management processes are subject to “continuous review and improvement”.

He adds that developing a culture in which the leadership team “welcomes the reporting of compliance issues doesn’t happen overnight. This process should be approached with care, commitment and consistency by both the leadership and the management, particularly where it’s often in direct conflict with profitability.”