Nine thoughts about risk

Overseeing the strategy of a company requires an understanding of the risks involved in what you are doing and an understanding of the company’s risk appetite.

Strategy and risk are two sides of the same coin. Any discussion on strategy can be turned into a risk discussion and vice versa. The two should be so entwined that it’s impossible to have a discussion on strategy without talking about the risks.

A static approach – with risk strategy reviewed perhaps once a year – is simply not enough. A more dynamic model is needed, in which risk and risk management are not viewed as back-up adjuncts to the business – but are continuously at the heart of strategic thinking and planning.

The risk landscape has become ever harder to navigate in recent times, with COVID-19 spawning new threats and opportunities for companies and boards. Is the time now right for more boards to have a standalone risk committee in addition to the audit committee? Such committees are de rigueur across the financial services sector but relatively rare in other sectors.

While experts in accounting, audit and financial controls, audit committee members might not have the deep operational expertise required to evaluate risk in other areas. Risk oversight – whether exercised by the board, risk committee or joint audit and risk committee – needs people with experience in areas such as cybersecurity, IT, compliance, data privacy and reputational risk.

Whichever committee takes the lead, their aim is to facilitate focused and informed board discussions on risk-related matters. The board retains ultimate accountability for the adequacy and effectiveness of the organization’s risk management arrangements. 

The oversight of risk calls for a high degree of rigor and judgement, and decision makers must have dependable access to whatever material they need to enable them to discharge their responsibilities.

However, the tendency when making strategic decisions to keep asking for more and more data should be resisted. Don’t paralyze the organization by always asking for more data and refusing to act – at some point decisions have to be made.

Sound risk management information needs to inform, provide insight of trends and underlying themes but also provoke questions and challenges as to the firm and its environment. 

It is important that risk management and control are not seen as a burden on business, but rather the means by which business opportunities are maximized and potential losses associated with unwanted events reduced.

Risk, derived from the early Italian risicare or to dare, is an ever present aspect of the business world. Companies set themselves strategic and business objectives, then manage risks that threaten the achievement of those objectives. Internal control and risk management should supplement entrepreneurship, but not replace it. Increased shareholder value is the reward for successful risk taking and the role of internal control is to manage risk appropriately rather than to eliminate it.

The current environment underlines the fact that risks are not contained and cannot be considered in isolation. The world of risk is dynamic. Risks change and mutate as the world changes – and they are amplified further through the ‘network effect’.

Our world has become a series of interlinking networks – of capital, foreign direct investment, financial instruments, supply chains, technology and communications, people and travel.

These networks change and heighten risks because they now become interconnected, so that a downside event in one can trigger ripples and knock-on effects in others.

Mapping out which other risks a given risk could trigger, and how rapid and severe the effects of that would be is key to understanding the connectivity of risk and identifying those risks that are really significant to the execution of the board’s strategy.

Read more: Dynamic Risk Assessment

The power of collective thinking to address some of the limitations of traditional risk models should not be over-looked. Extensive research has repeatedly found that, if you ask a diverse range of people about their views of the future, the results are more accurate than the results of probabilistic models during times of rapid change.

Think about harnessing the people in the organization who are likely to have the most accurate views about the future and future risks – the ‘super-forecasters’. Think about how best to elicit their insights, both individually and collectively, around the principal risks facing the business. Get them to help quantify the likelihood of each risk identified, along with the severity, velocity and interconnectedness. 

Many seemingly opposing things can happen at the same time. For example, the future doesn’t have to be about one superpower dominating every aspect. Multiple countries can lead in different spheres of the global order.

In the context of the post-pandemic world, the new reality is not going to be about just change for the good or utter devastation. There will be several positive changes for many and severe setbacks for others. Among positive changes, we can expect to see a new wave of entrepreneurial activity. There will be lots of money chasing businesses built for the new reality. On the flipside, some people might experience a second ‘Great Depression’. 

Corporate culture – what a company does, and how it does it – permeates virtually every aspect of a company, from strategy, innovation, risk, and compliance, to business processes, employee performance, and long-term value creation.

And, as many companies have experienced (or will) first-hand, the radical transparency enabled by social media and the ever-sharpening focus by customers, employees, investors, regulators, and other stakeholders has put culture on display as never before. Pay particular attention to potential risks posed by tone at the top, culture, and incentives. Does the culture align with the company’s strategy and encourage behaviors that are essential to the execution of that strategy? Is the board continually gauging not only tone at the top, but the mood in the middle and the buzz at the bottom? 

It is all too easy to become overly focused on today’s headline crisis – whether that is COVID-19 or a cyber-attack. But, boards need to look at risks as a whole – and their interconnectedness. The ongoing threats are always there.

Original source: KPMG Board Leadership Centre UK

The Board Leadership Center offers non-executive and executive board members and those working closely with them (including CROs and Heads of Internal Audit) a place within a community of board-level peers. It also offers access to topical seminars and more technical Board Academy sessions, invaluable resources, thought leadership and lively and engaging networking opportunities.