From shop floor to boardroom: the changing face of risk management
January 14, 2014
The past decade has seen some spectacular business meltdowns, from energy company Enron through retailer Woolworths Group PLC to the recent leadership troubles at the Co-operative Bank. At the other end of the scale, half of the start-up businesses in the UK fold within the first two years. The financial and human cost when companies and projects fail is enormous. Yet risk still has to be taken, as without it there will be no growth, no profit and no progress. Corporate governance requirements are becoming more prescriptive in requiring risk management arrangements to be clearly in place. Even for smaller businesses, evidence of effective risk management is increasingly being demanded by suppliers, investors, insurers and other stakeholders. Legal developments in the field of corporate manslaughter hold out the prospect of criminal prosecutions for company directors if a fatal accident occurs and they cannot demonstrate that their risk and safety management systems are robust and at least up to industry best practice. Similarly robust sanctions for directors are in prospect in relation to bribery and data protection.
The stakes are high. Not only must you have 'risk management' but more importantly you must have risk management that works.
The Financial Reporting Council recently released their draft guidance on how companies should approach the requirements in the UK's corporate governance code in relation to risk management, internal control and the going concern basis of accounting. These proposals, with which all UK listed companies are going to have to comply (and which are also likely to be highly influential in shaping corporate governance developments in other sectors) will seriously raise the bar for risk management at board level.
In future, boards will be required to carry out a robust assessment of the principal risks facing the company and explain, in the annual report, how these are being measured and mitigated. The guidance also, for the first time, requires firms to give serious consideration to such matters as the extent to which the company is willing to take on risk - its risk appetite - and also to ensure that sufficient attention is paid to complex but important human factors like risk culture, behaviours, incentives and rewards. The past 15-20 years have seen the development of increasingly sophisticated systems of risk management, alongside more codes, regulations and processes. But the various enquiries and analyses that take place when things go wrong usually tell the same story - on paper the organisation appeared to have the right processes, but these are applied by complicated and fallible human beings who may not always behave the way they are expected to in relation to risk.
The complexity of modern business complicates the picture further - the extended and interconnected nature of today's supply chains, partnership working, outsourcing (including 'cloud computing') and new ways of delivering public services mean that the old 'command and control' model is not going to work in the new, fluid and networked environment. The problems last year with the appearance of horsemeat in various supply chains for beef products highlight the difficulties in managing risks across these extended enterprises (a subject on which a group of IRM members is currently preparing some practical guidance).
We have come a long way from the rigid 'silo'-based approach to risk management of a couple of decades ago, where task-based activity like health and safety was dealt with in one part of the organisation, insurance purchase in another, computer disaster recovery in another, legal compliance in another and so on, with none of these departments really talking to each other, let alone co-ordinating their risk activities. Enterprise risk management approaches have done a lot to focus attention on the broad range of threats to corporate objectives and the need for risk management to be embedded consistently across the organisation's processes, breaking down the old silos. This has included, in many organisations, the development of sophisticated quantitative techniques to measure risk. Yet, as we have seen when looking at the real-life examples of corporate collapse, at the end of the day actions are taken (or not taken) and decisions made (well or poorly) by people. Understanding why people do what they do, and applying this knowledge to risk management, is going to be the hot topic of the next decade.
Carolyn Williams, Technical Director, The Institute of Risk Management