The Need To Rethink Risk Governance

By Pedro B. Agua

The approach to corporate risk is a growing concern within corporate governance. Excessive attention to compliance and too much focus on financial risk are risks in themselves. There are several categories of strategic risk that can collapse or seriously harm organisations, which stresses the importance of addressing the subject of risk in a multidisciplinary and systemic way. The current pandemic effort illustrates how human organisations, even States, are not well prepared to deal with risk. A holistic approach backed by business policy principles ensures better identification and management of potential risks. Starting with a risk taxonomy helps in classifying the relevant categories, increasing awareness and visibility of critical areas, and steering efforts towards a better approach to them.

Current approaches to corporate governance suggest that a normative approach, while necessary, is not sufficient for effective risk governance. A prudential and multidisciplinary approach is needed. The issue of risk appears to have been overlooked in many situations, from missed opportunities to innovate when faced with technological change, to major disasters arising from technical accidents. The recent Boeing aircraft accidents, or the BP Deepwater Horizon spill in the Gulf of Mexico a few years ago, suggest there is room for improvement in how risk is approached. Governance codes address the responsibility of directors, but do so from a normative perspective, when in fact it is necessary to go beyond mere compliance, since the “realization of a company’s future is a matter of initiative, not optimization” [1]. Consider also the new paradigm that digital transformation and cyber threats entail: a whole new set of risks that did not exist in the past.

Cyber risk, for instance, with the increased complexity that “emerges” from systemic effects, is a subject that does not recognize physical borders, and one where technological, social and geopolitical effects shape a whole new world of risks whose impacts can barely be estimated. A board of directors that is not aware of these risks is probably not fulfilling its responsibilities concerning the governance of the organization it is responsible for. As Calleja and Melé put it, “The work of leaders is to act to achieve a future situation for the organization, better than the current one in relative terms”, which requires a holistic approach to the subject of risk [1]. Financial risks gained immense media coverage and attention during the last decades and were consequently subject to increased regulatory effort, a positive development. There are, however, many other types of risk that need similar attention in order to avoid “blind spots” in what concerns our organizations. For example, the current pandemic has caught the overwhelming majority of businesses unprepared, exposed ill-prepared health systems, and revealed countries with ineffective economic strategies, all of which have suffered the consequences of risk materialization.

Current approaches to risk are further aggravated by cognitive limitations resulting from our limited ability to estimate outcomes [2], as shown by some classic examples in the following table [3].

Table 1

These cognitive limitations give rise to erroneous estimates of potential outcomes. For example, the invention of the digital camera, which seems not to have received enough attention from Kodak’s board of directors a few decades ago, may be an example of a board failing to identify a critical technological risk. The tasks that the board of directors should address are essentially those that determine the prosperity and sustainability of the business, accepting an “adequate” level of risk and taking a multidisciplinary approach to decision making. The best decision-making process in the world will not be good enough without adequate information, and regardless of how good the executive management team is, the information they convey to the board will always be “filtered”. Hence board directors also need adequate information channels, both internal and external to the business, and both formal and informal. A business policy approach calls attention to its four governing areas: the business, the directing structure, the incentive systems and the institutional configuration.

Compliance – a necessary, but not sufficient, condition

A business encompasses a trade-off between profit and assumed risk. However, taking too much risk has a high potential to harm or even collapse the business. Some authors suggest that the growing demands on, and accountability of, directors are not limited to the issue of risk but extend to their role in directing the organization, with the possible consequence that many directors may shy away from such roles [4]. Recent trends in approaching corporate risk include the growing introduction of a Chief Risk Officer, who is becoming directly accountable to the board of directors. Although this arrangement may be somewhat uncomfortable for the CEO, such a figure can help the board of directors towards a better approach to risk governance.

Corporate governance codes generally suggest the implementation of some risk management system, whose performance should be periodically assessed. Efforts have been made towards better understanding and managing corporate risks, from the introduction of the ISO 31000 standard to the spending of hundreds of millions, in any currency, on ERM (Enterprise Risk Management) systems, often with results that fall short of expectations. ERM systems, by trying to cover each and every identifiable risk in a company, end up generating an overwhelming amount of data, which distracts those responsible for risk governance. Most of these systems treat risks as independent of each other, when this is not necessarily true: interdependent risks may produce amplified effects – systemic emergence – when they materialize together. Additionally, by their mere existence, ERM systems introduce a “false” sense of safety, a risk in itself.

Problem Solving

It is within this balance between risk and profit that corporate risk governance operates, which requires greater involvement and responsibility on the part of those in charge, discarding the old-fashioned boards, sometimes referred to as “rubber stamp” boards, that were much in vogue in the past. An effective board of directors proactively engages in supporting the company’s executive management and in effective risk governance. Such attention should go beyond the board’s formal information channels and be proactive in gathering information, through informal channels as well as formal ones, and from both within and outside the organization: visiting the organization’s facilities and operations, asking management the appropriate questions, and questioning their answers.

Excessive attention to financial risks

Despite the focus on financial risks, there is a wide range of non-financial risks, strategic and otherwise, that may seriously affect businesses. Starting with a taxonomy of risks, grouping them into categories, brings visibility to potential “blind spots” [5].

Table 2

It is legitimate to question whether the board’s focus should be mainly on financial risks, often of a short-term nature, or instead on technical, operational, reputational and other typologies of risk, which are real risks that can dictate the fate of organizations. The way risk is addressed by most organizations suggests some underestimation, barely taking into account the systemic cause-and-effect interrelationships behind the observed problems. Questioning the above-mentioned areas of business policy can support a more holistic approach to risk governance, by raising questions such as:

  • How does risk X affect this business?
  • What is the relationship between risk X and company structure?
  • What is the relationship between incentive systems and risk?
  • Are incentive systems inducing less ethical behaviour?
  • How does the organisational culture affect the risk or is affected by it?
  • What is the level of initiative and innovation across the company?

By means of systematic questioning, a responsible board of directors can generate additional visibility over potential corporate risks, covering blind spots and assessing how risks affect and are affected by the four governing areas mentioned above [1]. The tasks that the board of directors should address are essentially those that determine the prosperity and sustainability of the business in the presence of various typologies of risk. An excessive focus on financial risk, as well as an overly normative approach centred on compliance, may work against the organization’s sustainability. Compliance ensures that minimum standards are met, but it is practical wisdom, prudence and good decision making that aspire to maximum business performance. Codes of good governance are a necessary condition, but not enough to prevent disaster, and a holistic approach is needed in order for tomorrow’s businesses to be better than today’s.

About the Author

Pedro B. Agua

Pedro B. Agua is a Weapons and Electronics Engineer, and currently a Professor of General Management at the Portuguese Naval Academy and Senior Teaching Fellow at AESE Business School in Lisbon. Professor Agua has authored many articles and book chapters on various systems and business policy subjects. He combines his teaching profile with an extensive business background of more than 27 years in cutting-edge industries such as defence, telecommunications and subsea engineering. Pedro holds a Ph.D. in Engineering and Management awarded by the University of Lisbon.


  • [1] Calleja, R., & Melé, D. (2017). Valero’s “Enterprise Politics”: A model of humanistic management and corporate governance. Journal of Management Development, 36(5), 644-659.
  • [2] Simon, H. A. (1957). Models of man, social and rational. New York: Wiley.
  • [3] Cerf, C., & Navasky, V. (1984). The Experts Speak. New York: Pantheon Books.
  • [4] Ormazabal, G. (2016). Risk oversight: What every director should know. IESE Insight, issue 28, 1st quarter.
  • [5] Bromiley, P., & Rau, D. (2016). Strategic risk management: A better way of managing major risks. IESE Insight, issue 28, 1st quarter.
