Boards of directors have been forced to pay increased attention to organisational risk and due governance. It is intuitive that the risk focus from the boardroom is not exactly the same when it comes to the executive management, at least for intermediate management echelons. It is then legitimate to ask, “What makes the risk approach from the boardroom different?” This article discusses this from a holistic standpoint, the only one truly relevant for the boardroom.
Corporate governance and the duty of care
Looking into risk from the perspective of the boardroom demands a note on the concept of corporate governance itself and the resulting implications. Shareholders are the principals and need to have their rights protected; management is nominated and put in place to implement the strategies demanded of them, and take care of the business on a daily basis. However, the well-known “agency problem” may arise between the shareholders and management, typically due to a number of reasons: (1) shirking – inadequate duty of care on the part of the executive management; (2) self-dealing – the use of company assets for personal benefit; (3) taking perks – management taking non-legitimate advantage of the position they hold; (4) management entrenchment, or (5) so-called empire-building, not always aligned with the principal’s interests. To overcome these typical problems, the common mechanism is for the shareholders/owners to put a board of directors in place to supervise and look after the shareholders’ interests.
However, regardless of the board directors in place, there is a growing demand for a special duty of care relating to organisational risks, and the role the board of directors has in taking responsibility for it. Moreover, these days some board directors or candidates view board director positions as less attractive, because at this stage in their career, they may not be keen to take the pressure that current risk governance implies, regardless of the safeguards in place . But what is meant by “risk” from the boardroom perspective?
Approaching risk from the top
Business is about taking risk. There is no such thing as a risk-free business. Companies take risks, and strategies generate levels of risk that need to be well understood right from the beginning. Actually, the core engine in financial businesses is that “the greater the risk that is taken, the greater the rewards that can be expected, and vice versa”, up to a point where the risk threshold makes such a statement invalid. This is what some call the “sweet spot”, the optimal amount of risk that maximises the returns on the strategy. The risk threshold may be assessed from distinct domains: (1) as a person, (2) as a team, or (3) as a whole organisation.
The board should have a robust view of the material threats to the firm and its ability to deliver the strategy. It is a board accountability to set the risk appetite that will drive investment decisions and business execution. Many board directors do not run the company on a day-to-day basis and yet it is key to ensure a line of sight and appropriate alarm mechanisms for the early detection of critical deviations. Risk governance is about setting the scene for everyone in the organisation to understand their role in taking and managing risks while pursuing their business goals. While each corporation operates within its own sector and specificities, ISO 31.000 has proved useful to propose principles, a framework, and a process for managing risks. Board members are recommended to read it and try to benchmark their own organisation against the standard recommendations.
Risk deals with uncertainty, and uncertainty can and should be modelled. Senior leaders are not expected to excel in statistics, but they do need to understand the basics of probability and have the minimum quantitative skills in order to interpret risk reports, ask the right questions, and be aware of problematic assumptions underlying models. Notions of “value at risk”, “earnings at risk”, “Montecarlo simulations”, or “log returns” shouldn’t sound like Greek to people in senior positions, even though there is a chief financial officer (CFO) and there may be a chief risk officer (CRO) with full technical skills.
The impact of mind bias and personality
Two subjects to take into account when approaching risk and decision-making are the effects of mind bias, and of personality.
Mind biases are many and diverse. Although there are some 200 identified mind biases , some are more common and pervasive than others. To provide a sample, let’s look at Table 1. These are particularly common to those at the top of organisations.
It is not atypical for the board to underestimate the effect of biases, and the potential impact they may have on the materialisations of risks. Detecting and becoming aware of our own biases is not always easy, so individual board directors will be more apt to detect the effects of bias on others than on themselves. However, a positive organisational culture, where each one can detect and bring it to the attention of others when a bias is occurring, allows the improvement of decision-making and minimises risks. To overcome such biases and many more, the board of directors and individual directors need to question their assumptions and those of the executive management team, too. They need to probe with the appropriate questions, even if this is sometimes uncomfortable.
Personality is another matter of critical relevance when approaching risk and decision-making, because people have different propensities to take risks (otherwise the stock markets wouldn’t work). Personality is the “sum total of ways in which an individual reacts to and interacts with others” . It is unique to each person with his or her preferences, habits, biases, and feelings. It deeply influences each person’s relationship with risk. Understanding one’s personality and the personality of those on the same board of directors is of great help in shaping decisions in highly uncertain environments. Some people are risk-prone and others are risk-averse. It is critical for the board of directors to have a clear understanding of the accepted risk level for the organisation (risk appetite) – something that may be defined during the company’s AGM – and then ensure that the nominated managing director, CEO or executive management team respects such risk thresholds accordingly. Selecting a CEO that is risk-prone for a company with limited risk appetite may lead to disaster (if such a CEO is not fired in good time). Regardless of the biases at play and personality types, boards of directors have a duty of care and responsibility, so they need to decide how to respond to each identified risk that may impact the future of the organisations they are responsible for.
Typical risk responses may be categorised into five lines of action:
- Risk acceptance, where the organisation accepts the risk and its materialisation. It presupposes that the impact has been weighed against the gains.
- Risk transfer, so that when the risk materialises, it is dealt with by a third party to which the risk was transferred in the first place. A typical example would be insurance.
- Risk reduction, by means of putting in place policies and procedures or equipment, or promoting training in order to reduce the probability of occurrence.
- Risk mitigation, by using the same actions as with risk reduction, but aiming at mitigating the severity of the impact.
- Risk avoidance, for example by abandoning certain activities, markets, or industries.
The foregoing list implies specific strategies to deal with the particularities of the business, market, or industry. Trying not to oversimplify, financial risk treatment solutions usually fit into one of two categories: derivative instruments vs operational strategies. Table 2 provides typical examples of operational adjustments that many firms use to deal with common risks.
A potential model for approaching risk governance
Any risk governance model needs to take into account the organisation’s strategic objectives, alongside the accompanying business plans to attain such objectives (Figure 1). How much risk does management believe the organisation needs to accept in order to deliver the strategy? This is what literature calls “risk appetite” and most organisations fail to define it to a level that becomes meaningful for those making decisions. It also needs to be kept stable while the strategy remains the same. The reality is that most organisations either lack a risk appetite statement or just ignore it, according to the mood of the day.
Now, how can you ensure that a company operates within the defined risk appetite? This is where the notion of “risk culture” comes into play. It is about “the norms of behaviour for individuals and groups within an organisation that determine the collective ability to identify, understand, openly discuss, and act on the organisation’s current and future risk” . And, as in any other cultural process, it needs to be driven from the top and takes time to be successfully embedded throughout the entire organisation (Figure 1).
The board needs to form a view of the risk culture in the company and the extent to which that culture supports the ability of the company to operate consistently within its risk appetite. So it’s clear that the board of directors has responsibility for a robust assessment of the main risks facing the organisation and its businesses, while fostering corporate strategy implementation. This includes the alignment of a set of activities to properly manage risks. Among the structures that may help the board is the establishment of a risk committee and the nomination of a chief risk officer (CRO). Risk committees are normally led by an independent director to minimise conflicts of interests and blind spots, and help to supervise the implementation of the whole risk management architecture. As for the CRO, besides supervising the risk management function within the organisation, they report directly to the risk committee.
An organisation hardly works in a risk-free context, and corporate strategy and business plans imply the acceptance of risk. The board of directors can help the organisation reach its goals in an optimal way, while addressing risk governance. Among such measures one could refer to the establishment of a risk committee, setting up lines of defence, defining the organisational risk appetite clearly, and communicating it, all framed by an adequate risk culture. Boards need to categorise risk typologies (for example, financial vs non-financial), be aware of decision bias and blind spots, and promote the use of quantitative as well as qualitative risk models.
Risk governance implies a perspective well beyond that of executive management. Risk needs to be approached within a holistic framework, where the distinct domains (the individual, the team, and the organisation) are kept in perspective simultaneously in order to diminish the probability of blind spots as far as risk governance is concerned . After all, the subject of risk management demands special care on the part of the board of directors and setting the right risk culture across the organisation is a core responsibility of the board, in order for our organisations to have a better tomorrow.
About the Authors
Francisco Vieira is a senior manager, currently a Senior Teaching Fellow at AESE Business School, Lisbon, where he teaches risk management. Professor Vieira has a long career in the oil and gas industry, up to the level of country managing director. He combines his teaching profile with an extensive business background of more than 36 years in fields like downstream oil and gas, and defence. Francisco holds a degree in Military Sciences awarded by the Portuguese Military Academy and a degree in Engineering awarded by the University of Lisbon, together with several post-graduation programmes in the fields of risk and corporate governance.
Pedro B. Agua is a senior manager, currently a Professor of General Management at the Portuguese Naval Academy and Senior Teaching Fellow at AESE Business School, Lisbon. Professor Agua has authored many articles and book chapters featuring various systems, governance, and business policy subjects. He combines his teaching profile with an extensive business background of more than 28 years dedicated to cutting-edge fields like defence, telecommunications, and the subsea industry. Pedro holds an MBA from AESE and IESE Business School and a PhD in Engineering and Management awarded by the University of Lisbon.
- Ormazabal, G. (2016). “Risk oversight: What every director should know”. IESEInsight, issue 28 1st Quarter.
- Bias Codex. https://www.sog.unc.edu/sites/www.sog.unc.edu/files/course_materials/Cognitive%20Biases%20Codex.pdf (last accessed on 25 August 2022).
- Robbins, S., & Judge, T. (2014). Organizational Behaviour (15th ed.). Boston, MA. Pearson.
- APRA. (2018). Prudential Guide. CPG 220 Risk Management. Australian Prudential Regulation Authority.
- Agua, P.B. (2021). “Covering Blind Spots. Does the Board have the Right Information for Effective Decision Making?”. The European Business Review. September-October 2021.