The business opportunities are well understood, but are the risks also understood?

It’s 4pm on Friday and you are beginning to think about the weekend that you have planned. You are looking forward to a reunion with some old friends.

It’s been a busy week working on a consultancy project and completing a thorough review of the Board papers as a Non-Exec Director.

The board papers include some interesting cap ex requests for approval that clearly emphasise a number of opportunities to improve the bottom line. In spite of feeling well prepared for Monday’s board meeting, you feel slightly uneasy about some of the potential investments. The papers are very positive about delivering the results with little or no comment on the potential downside risks. Can these investments all be risk free with no downside? It sounds too good to be true.

Although you had planned a weekend away from work, the unease increases and you decide to take a few more hours over the weekend to reflect. You are not alone.

Good business decisions require a clear understanding of both opportunity and risk.

Three recent reports, a Forbes/Zurich survey (1), a survey by McKinsey (2) and research published by Airmic (3), the UK risk managers' association, indicate that as Executive and Non-Executive Directors deal with the opportunities, they do not always feel confident in their understanding and management of the business risks.

While the studies each involve different market/geographical areas, the conclusions are similar:

  • From the Forbes/Zurich survey: “Executives don’t have a total grasp of their company’s exposure to risk or of its risk-management strategies”.
  • The McKinsey survey commented “While respondents say their boards are taking more responsibility for strategy, risk management is still a weak spot—perhaps because boards (and companies) are increasingly complacent about risks, as we move further out from the 2008 financial crisis.”
  • The Airmic report commented “Boards, particularly chairmen and NEDs, have a large, important blind spot in this dangerous area (business risks). Without board leadership, these risks will remain hidden because only boards can ensure that enough light shines on these hard to see risks.”

According to the studies, the reasons behind these conclusions include complacency, lack of experience/skills, insufficient allocation of time, and difficult inter-relations within the boards and senior management.

Improved management of risk helps deliver better decision-making

If NEDs and Executive Directors have clear oversight of the key risks to delivery of business plans, an understanding of the controls in place and what levels of risk are acceptable, the board will be able to make better decisions about the operation of the organisation.

Here is an example: The company’s IT systems have not kept pace with the business growth. A new IT strategy requires an important investment, changes in behaviour with regard to security and outsourcing to third party suppliers. The investment is based on the improved efficiency of the systems. Some board members see little or no value in the upgrade and do not want to agree to the expenditure. The current situation creates many key risks to the support and continuity of the business. The proposed solution may resolve some risks but create others. Without a clear understanding of the business risks related to the IT systems, it is difficult to make a good decision.

The benefits of effective risk oversight by the Board

Once a board has good oversight of the business risks and their management, a number of benefits accrue:

  • Improved predictability of results against planning and forecasting. Stakeholders will see that management deliver what they promise.
  • Fewer unwanted surprises. Unseen or unplanned incidents impact results as well as the reputation and integrity of the company and its management. The last few years have seen company brands or reputation severely damaged through either poor management or poorly handled incidents.
  • Improved compliance with laws and regulations. This will reduce the risk of investigation or of falling foul of legal authorities, keep costs under control, minimise reputation damage and keep directors out of jail.
  • Enhanced brand and reputation. While it is easy to destroy a reputation or brand through the handling of a single incident, building and enhancing that reputation takes consistent and predictable long-term performance as well as careful building of its brands.

Steps to more effective risk oversight at Board level

The following points will help ensure that risk management is integrated into board agendas and decisions. The above-mentioned benefits will flow naturally from this framework.

  • The Board and senior management should lead by example. This necessitates Board and Executive level challenge of the business risks and their management as part of decision-making. If the Board doesn’t require risk reporting or ask the right questions, then management will follow their example. If risk management is embedded in business processes then risk will be considered at board level. The processes include strategy, mergers, acquisitions, disposals, capital requests, medium term planning, budgeting, project management, operational management.
  • Clarify and delegate what levels of risk are acceptable. Most companies have delegated financial authority but the delegated authority for business risks is not so well defined. Defining and delegating acceptable levels of risks provides clarity and freedom to act in an organisation.
  • Minimise box ticking compliance processes. Increasing regulation in many areas of business requires an increase in compliance processes. This often leads to “sleep-walking” through risk assessment as the focus moves from the content and quality of the analysis to the format of reporting. A challenge of compliance processes can refresh, simplify and provide a more effective way of complying as well as adding value to decision-making.
  • What gets reported gets managed. Define and use risk management maturity to set deliverable targets for process integration and cultural change. Link progress to managers’ and executives’ personal incentives and rewards.
  • Training and education should be ongoing. While the “School of Hard Knocks” provides some training and education, a focussed programme will ensure a consistent and appropriate level of knowledge throughout the organisation. This should cover cultural/behavioural as well as process training. According to the 3 studies, this applies as much to Boards as it does to senior management.

Professional development for NEDs is provided by a number of organisations. Many provide training on statutory and regulatory requirements and personal risk. RCN Risk Management Resource has created a workshop that deals with hands-on management of real boardroom situations rather than legal obligations and regulatory frameworks. It is specifically for NEDs, to give them the skills and knowledge to provide the needed risk oversight at board level.

For more information, see the RCN website:

To book your place for the 21 May 2014 session in London:

Paul Taylor

Non-Executive Director,

Risk Management Advisor at RCN and Risk Management Options Limited


(1) The Sharp Side of Risks – Forbes Insights

(2) Improving Board Governance – McKinsey and Company

(3) Roads to Ruin – Airmic
