Changing the pattern of risk management
Hans-Kristian Bryn
35 years: Strategic risk management and governance
Maximising the value of the half-year and full-year risk processes
There is currently a rich seam of content available in the public domain which addresses key aspects of the changing risk landscape and the specific risks that the Executive Team, Audit Committee, and the Board should consider as part of their half-year and full-year risk discussions. These risks include, for example, AI, concentration, complexity and uncontrollables such as sustained inflation and geopolitical uncertainty.
Based on recent client discussions and interactions, one of the topics that has arisen is whether the risk discussions to support half-year and full-year disclosures are leading to improved decision-making and behavioural change. If this is not the case, it would appear that organisations are focusing too much on meeting governance code requirements rather than leveraging the insights and outcomes of the risk discussions to turn the dial on performance, both from a managing downside and exploiting upside perspective.
It is useful to step back and consider whether the above hypothesis applies to your organisation as we are rapidly approaching the half-year point for businesses with December year-end reporting. Firstly, as set out above, it seems that the focus of many risk processes is to achieve a degree of compliance with rules and regulations rather than focusing on how the effort invested in identifying and assessing risks feeds into day-to-day planning and decision-making. Secondly, despite the increased complexity of the risk landscape and the emergence of multiple external (e.g. geopolitical) and disruptive (e.g. business model) risks, many risk processes are overly focused on business-as-usual risks, often characterised by high frequency and low impact. This is reflected in the risks that organisations are focusing on as well as the reluctance to invest time on risks that might have one or more of the following characteristics:
- High impact and low probability (tail risk)
- Impact can be direct and indirect (and the indirect might be significantly more important than the direct)
- Organisations can’t control or influence the probability of the risk occurring (e.g. the risk response is to increase resilience)
- Risk has previously been under the radar (e.g. concentration risk)
- High complexity in assessing and modelling the risk and its interaction with other risks (e.g. limited or unstructured data on risk and correlations)
- Mitigation might include strategic re-positioning (e.g. near shoring or diversification)
If some of these characteristics are present, it is very unlikely that a compliance or code-based approach will generate additional insight and changed behaviour for these risks. Somehow the organisation needs to find a new way of looking at the risks without being constrained by the existing risk inventory, or a perception that the risk process only has value because it maintains or meets the licence to operate requirements.
A forward-looking approach to risk identification, anchored in the strategic and commercial reality of the organisation, has a much better chance of shifting the focus away from business-as-usual to a more strategic look at the context in which the organisation is seeking to deliver its strategy, commitments and objectives. A pre-mortem discussion should, if well crafted, bring previously unidentified risks to the fore, in particular external, strategic and disruptive risks.
The outputs should also provide a more robust basis for scenario analysis and the consideration of the aggregate level of uncertainty from the risks – this would also help to improve the viability modelling to support the disclosures that listed companies have to make at year-end.
However, on its own, the pre-mortem will not change behaviour unless the organisation is willing to consider the appetite for these risks. Many organisations that have expressed their preference for the level of risk they are willing to take to achieve their objectives, do not explicitly test the impact that business cases and decisions could have on the utilisation of risk appetite. Or in the extreme, are they sanctioning business cases or decisions that contradict the organisation’s appetite for risk? From the Board’s perspective, encouraging and incentivising management to address risks where the exposure exceeds appetite is a critical element in discharging their responsibilities as well as supporting sustainable value creation.
Organisations that perceive that their risk discussions are ‘thought provoking and interesting’ should also test whether they are putting in place the enabling mechanisms to demonstrate a clear commitment to incorporating the outputs and learnings in planning and decision-making. In previous articles on risk management and governance, Carl Sjöström and I have set out the need for aligning risk management intentions with how reward is structured to ensure that the right behaviours are signalled to deliver the intended outcomes. In this context, our article on risk and reward might be of interest.
Businesses that are seeking to move their risk management process from a periodic ‘meet the requirements’ activity to embedding it in planning and decision-making, should consider the following steps:
- Incorporate risk analysis and risk appetite into the business case discussions and decision-making criteria, be that for organic and inorganic growth, R&D, tech & AI investments, innovation or market entry decisions
- Anchor decisions in the agreed risk appetite for the business
- Have robust discussions about the mitigations for risks with exposure above appetite
- Make risk management an explicit item on the Exco agenda
These simple steps would make risk management an integral activity to underpin both value protection and value creation. Exco role modelling, both in terms of its own agenda and the questions that it asks in performance reviews and decision-making fora, is a key signal of intent and a demonstration of the behaviours it expects.
In summary, this article makes the case for revisiting how the risk management process is conducted currently and some of the changes that can add considerable benefit to performance management and value creation. It also emphasises the role of Exco and the benefit of risk management being an integral part of the Exco agenda and discussions.