Boards and Risk: Have we got it right yet?
Regulators have shown a growing interest in the way Boards manage and report risk, and in 2011 the UK Financial Reporting Council identified three areas for improvement:
- Responsibility for risk. Boards did not take collective responsibility for risk, with a tendency to treat risk as a specialist topic for experts like the Chief Risk Officer.
- Appetite for risk. Boards needed a better way to express risk appetite and tolerance and show that they understood the link between risk exposure and external factors.
- Information about risk. Boards were not clear why certain risks were more significant than others, or what made risk exposure rise and fall.
So what has changed in the last four years? Despite encouraging progress in some areas such as risk appetite or risk culture, the underlying problem still seems to exist, arising from differences in perception around the board table about the nature of risk. This in turn affects the way risk is discussed and used by the Board – or not. Four areas need attention:
- Perception. International standards and leading practitioners agree that risk is future uncertainty, which includes both favourable and unfavourable outcomes. Yet many boardrooms limit their view of risk to unfavourable events which threaten business continuity. As a result, risk management focuses on control systems to avoid business interruption. The risk register aims to provide reassurance that unfavourable outcomes can be avoided, managed or mitigated. The root problem is a fixation on trying to control risk, but future uncertainty cannot be controlled. Boards need to broaden their perception of risk and develop better corporate responses to risk.
- Presentation. Risk is usually presented at board level using a two-dimensional matrix or ‘heat map’ based on probability and severity, or urgency and importance. This neatly places each risk into a box and gives the false impression that it will stay there for at least another year! But risk is not static and it is dangerous to present risk in this simplistic way. Risks increase and decrease depending on a number of contingent factors, often with connectivity between them, and some risks are consequential upon others: risk is a complex dynamic. The way risk is presented to Boards needs to reflect this, without over-complicating the message.