"Will the real Risk Managers stand up please!"

One cause of the failure of financial structures in the current recession is considered to be inappropriate risk management. For many organisations, risk management processes and procedures have failed to accomplish what was expected.

So, what exactly is risk management? Historically it evolved out of the insurance industry. But today it is far broader than just insurance management. The Institute of Risk Management defines it as "the process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of their success and reducing the likelihood of failure". Risk management has grown out of the original concept and most companies, of significant size, today employ a risk management function - although the seniority of the position may vary from organisation to organisation.

Management of risk should be part of the overall business process, though ultimately, the management of risk is the responsibility of the Board. This is enshrined in the Directors' duty Òto promote the success of the companyÓ and was reinforced in the Business Review legislation, which requires companies to identify and report on their principal risks and uncertainties.

In reality, most companies do little more than provide a list of risks (sometimes with well thought out mitigations).This reflects a 'tick the box' compliance approach. In a recent Sunday Times interview with John Buchanan, Chairman of Smith and Nephew and Deputy Chair of Vodafone, he commented that one reason boards failed to assess risk properly, before the current crisis, was because they were distracted by governance legislation like Sarbanes Oxley which caused them to lose sight of bigger picture aspects such as risk and opportunities.

A key question for any Board is whether they can be certain their risk management systems are fit for purpose, and recent evidence would suggest this may not be the case.

Legislators are starting to investigate the whole area around corporate governance, part of which involves risk management. The Walker independent review on the governance of banks will place particular scrutiny on their risk management. Similarly, the Financial Reporting Council has been consulting on the effectiveness of the Combined Code and one area of interest is "The board's role in relation to risk management". The ICSA's response to this consultation includes a recommendation for there to be more focus on the board establishing "appropriate risk parameters" for operational use, and emphasise that this task should not be delegated by the board to a sub committee.

But, legislation on its own will not be sufficient. Buchanan questioned whether there was adequate attention on "the behavioural aspects". A recent article by Professor Birkinshaw in a London Business School journal suggested three steps in improving the quality of risk management: high quality insight on the part of those managers making risk based decisions; personal accountability for risk management; and a supportive culture to ensure risk based decisions can be made in a transparent and non threatening manner.

Clearly there are concerns that risk management may not receive sufficient support and priority within companies. Much of the criticism of ineffective risk management is not aimed at individual risk managers, who may be becoming increasingly frustrated as their views have not been listened to in a strategic business context.

Risk management is at a cross roads. Where it goes from here has important implications for not only risk management practitioners but also the ways all managers integrate risk in their business decisions making.


One day Alice came to a fork in the road and saw a Cheshire cat in a tree. "Which road do I take?" she asked. "Where do you want to go?" was his response. "I don't know" Alice answered. Then, said the cat, "it doesn't matter." Alice in Wonderland, Lewis Carroll

The same could be argued for risk management!

Risk management needs to link to the corporate strategy and help the business to achieve its aims in an effective manner -
it is not a stand alone function or a 'tick the box' activity. Recognising the needs of stakeholders and their expectations
is also an important consideration and part of the way risk management can better serve the organisation.

Having a risk manager or director in position and expecting them to take sole responsibility for risk is not the solution. Scottish and Southern Energy have commented in their Annual Report that some "very high profile organisations with apparently textbook approaches have been overwhelmed by fundamental failures which well documented systems and processes appeared powerless to prevent".

Risk has to be understood and embedded throughout the business for its management to be effective - behavioural aspects are as important as systems in ensuring effective risk management. Human Resources (HR) offers a good analogy. Managing people is the responsibility of line managers within the business, not that of the HR manager or director. They provide expertise and advice and will usually help determine the corporate agenda to ensure that appropriate systems are in place but cannot (and neither should they) carry out the day to day management of staff. Risk managers are no different - they are a source of expertise, part of setting the risk agenda and ensuring that appropriate systems are in place so the process
is embedded throughout the organisation.

In this context, as Buchanan suggests, the behavioural aspects of risk management need to be addressed. There is evidence that whilst risks were identified, they were not perhaps adequately analysed. Identification of risk alone is not sufficient; measurement and understanding are the elements that add value to the risk exercise. Boards too need to understand this, as their responsibility for management of risk cannot be abdicated. How can non executives be assured that they have an adequate understanding of the risks affecting the future success of their company? How can a Board be assured that they have a robust system of risk management in place? Traditionally the Internal Audit department will have a role to play here but they tend to focus on the process perspective, paying less attention to the behavioural aspects.

Boards need assurance and at The Virtuous Circle we are well versed in stakeholder management and verification of corporate responsibility and other reports. It has been a natural evolution to develop an assurance process that examines the risk management processes to give the Board some confidence that their risk management process is not only robust but also compares well with other organisations in the way they approach risk management.

Risk management is evolving - the current recession has been a major catalyst for this - and will require different approaches to be effective in the future. It is time for risk managers to not only stand up but also to be counted - counted as a discipline which is taken seriously not only in the financial services sector but amongst all organisations.

If you would like an objective and impartial view on addressing CSR, risk management or business review reporting issues.

contact Tony Hoskins - thoskins@thevirtuouscircle.co.uk
or Ian Redington - iredington@thevirtuouscircle.co.uk