Human behaviour – Why does it matter to effectively manage risk?

By Luc Albert, Ard W. Valk and Déborah Carlson-Burkart

Organisations are exposed to risks

In September 2011, Kweku Adoboli was arrested, after having caused a loss of over US$ 2 billion for UBS by unauthorized trading at the group’s investment bank. In the following month, the bank’s CEO admitted that the computer system at UBS had detected Adoboli’s unauthorized trading activities beforehand. Although the system had issued a warning, the bank had failed to act upon it.

Over the past two decades, the financial industry has been regularly shaken by cases of such nature. These occurred despite strong regulation, as well as the existence of robust risk frameworks. Underlying causes included fraud or bad intentions, but also human mistakes and misinterpretations of duties and responsibilities.

In April 2010, the Deepwater Horizon drilling rig exploded in the Macondo Prospect oil field about 40 miles southeast of the Louisiana coast. The explosion resulted in human casualties – 11 workers died and 17 were injured – an oil well fire and a massive offshore oil spill in the Gulf of Mexico. A BP report, released in September 2010, revealed a series of design errors, operational malfunctioning and human mistakes as main causes for the catastrophe. In September 2014, a US District Judge ruled BP was guilty of gross negligence and wilful misconduct. Transocean and Halliburton, two other companies involved, were fined alongside BP, which was apportioned the bulk of the blame.

The oil industry is known to apply rigorous risk management, given the nature of its operations and potential exposures to its environment. In this industry as well, multiple examples can be found of significant accidents, major pollution and human tragedy, which couldn’t be prevented despite these frameworks.

The Enron scandal, publicized in October 2001, resulted in substantially more regulatory scrutiny and led to the implementation of the Sarbanes-Oxley Act. The downfall of Enron was caused by wilful human misconduct, incentivized by asymmetric compensation schemes, creative accounting facilitated by the firm’s auditor and a corporate culture focused on misleading internal and external stakeholders.

Risk management framework: a foundation for risk mitigation

A sound risk management approach provides a framework that typically allows the organization to identify particular events relevant to its objectives, assess them in terms of likelihood and magnitude of impact, and determine a response strategy and a monitoring process, including regular reporting on its design and operating effectiveness. By identifying and proactively addressing risks and opportunities, organisations can protect and create value for their stakeholders, such as owners, employees, customers, regulators, and society at large.

The company’s executive management is responsible for the establishment and implementation of an appropriate risk management framework. Ongoing oversight is sometimes enforced via a dedicated risk management function, led by a member of the executive management team. Today, this is a standard approach for strongly regulated sectors like the financial industry. Internal audit provides assurance.

The board, which has ultimate fiduciary responsibility for determining the company’s strategic direction, plays an important role to assure that risks are appropriately identified and effectively mitigated. After being inducted into the firm’s risk management framework, board members merely receive regular reports from executive management, the internal audit function, as well as external auditors, including ongoing risk assessments, identified exposures and mitigating actions. Applying its collective expertise and experience, the board facilitates identification of oversights and blind spots.

Does this allow the board to effectively fulfil its supervisory role in risk management?

A survey conducted among our IDP 29 cohort members about their own experience revealed a wide variety of risk management approaches in the companies they are engaged in as board members. Not surprisingly, regulated industries appear to have more robust risk frameworks than non-regulated ones. The same applies for larger, more mature companies in comparison to start-ups or smaller companies. Information received is different in quantity, quality and regularity. Moreover, it is often not easy to assess. The amount of time boards dedicate to risk management also differs between companies and industries. Developing a thorough understanding of the company’s core processes as a pre-requisite to fulfil the board’s role turned out to be a common denominator.

Although the examples at the beginning of this article derive from different industries, human behaviour seems to be a decisive factor in all three of them. Whilst risk management frameworks are hardly comparable in quality, rigor and attention, their effectiveness heavily depends on how these are applied by the people involved on a daily basis.

So, why should human behaviour be of interest to board members?

Let us take a step back. The board has ultimate fiduciary responsibility for determining the company’s strategy. This includes stress testing a long-term business plan, its underlying assumptions and main risks. Whilst executive management is mandated to seek growth opportunities, drive innovation and strengthen the company’s market position, it is the board’s responsibility to ensure that the company’s going concern is not put at risk. Or as Timothy Rowley likes to put it: “An effective board acts as an anti-inflammatory, not a growth hormone.”

Once the strategy for a given time period has been approved, the board’s role moves to regular “health checks” which are to a large extent defined by the company’s risk management framework. However, as it appears, it is not enough to have a cognitive understanding of the risk management, processes and controls, as their operating effectiveness ultimately depends on how “risk management is being lived” in daily operations.

As Plato stated in 340 BC: “Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws”. A crucial element – besides tools and systems – therefore is human behaviour, which is best captured in the risk culture that the company has developed. A vast majority of employees go to work with the best of intentions, using their skills and talents to contribute to the company’s going concern. Setting aside those few who engage in wilful misconduct, fraud or even criminal activities, staff and executives at all hierarchical levels will use their intelligence and judgment to “do the right thing”. At the same time, mistakes are inherent to any human intervention.

Understanding the human factor and risk culture in a company is crucial for the board to effectively operate. Some of the questions that board members should keep in mind: How does the human factor affect risk management in the company? Are mistakes openly addressed and useful lessons learned, leading to improvements of risk management behaviour? What do I, as a board member, have to know about human behaviour and risk culture across the organisation?

In a second article on this topic, we will further assess how understanding human behaviour and risk management culture can be captured as a crucial element for board effectiveness.

Luc Albert, IDP-C is an Independent Board Member.

Ard W. Valk, IDP-C, is a risk manager, Independent Board Member and Independent Risk Advisor.

Déborah Carlson-Burkart, IDP-C, is a lawyer and Independent Board Member.

From risk to resilience: A new paradigm in board risk oversight?

By Regine Slagmulder (IDN alumna & former INSEAD faculty member)

The Covid-19 pandemic has been an unexpected shock that is creating extraordinary challenges for companies and their boards on how to navigate uncertain and turbulent times. Previous viral outbreaks rarely made it onto the busy boardroom agendas, but the sheer scale and impact of this crisis has called for undivided board attention. While high-impact/low-probability events are usually very difficult – if not impossible – to predict, it is never too early to start thinking about how to weather the next storm and come out stronger than before. This article argues that boards must spearhead companies’ transformative change in today’s business environment, which is characterized by high velocity, complexity, ambiguity, and unpredictability.

Risk management as a necessary but insufficient condition

As part of their oversight duties, the board of directors is responsible for making sure the company has put in place the necessary risk management capabilities to deal with the negative consequences of unforeseen events. Many companies have made significant progress in implementing adequate risk management systems and procedures, especially in the aftermath of the 2008 financial crisis. They are now better equipped than before to handle incidents through well-established risk registers for identifying risks, information systems that provide appropriate transparency on the downside impact, and contingency plans ready to be enacted whenever disaster strikes.

However, there is a major difference between risk events with well-known consequences, such as an industrial accident or a cyber-attack, and unprecedented disruptions, such as the Covid-19 pandemic. The former situations, as overwhelming as their occurrence might be, can be expected to return relatively quickly to the “old normal” after proper recovery measures have been taken. In contrast, the latter events typically do not lend themselves to an existing playbook approach to risk management and are likely to have a lasting impact – not only on individual companies but possibly on entire industries and geographies. While there are clear benefits to putting in place formal risk oversight arrangements, such as quantitative risk analysis and risk committees, to handle the “known” risks, these established mechanisms are insufficient in an environment of deep uncertainty characterized by “unknown unknowns”. Boards must, therefore, elevate their risk oversight role from a routine exercise in operational loss prevention and compliance, to acting as an enabler of long-term corporate resilience.

Building resilience: from fragile to agile

While most companies suffer considerably from dealing with an external shock such as the pandemic, some organizations appear to come out of the crisis remarkably resilient. To achieve effective governance, the boards of directors must ensure that the necessary “resilience capabilities” are in place that allow the organization not only to bounce back from a high-impact disruption but also adapt to the new reality more quickly than their peers. These capabilities relate to two key aspects of resilience – preparedness and agility.

First, preparedness refers to the pre-crisis arrangements that the company and its board have put in place to anticipate and proactively mitigate the negative impact of risk events. Examples include information systems for monitoring risk indicators, robust business continuity plans, and slack resources. It also involves actively engaging the diverse set of professional experiences and backgrounds present in the board as well as regularly obtaining outside-in views from external experts. The board’s continuous outlook for what may be coming “around the corner” can significantly contribute to sharpening the leadership team’s sensing skills and detecting strategic risks before they spin out of control. Forward-thinking boards also pressure test management’s assumptions about the longer-term consequences of the virus. Combining these insights and foresights in strategic scenario planning exercises enables boards to take precautionary measures already at an early stage, thus making their companies more resilient to shocks.

Second, agility is required because it is impossible to fully prepare and plan for complex and dynamic situations, especially when it is unlikely that the situation will afterwards return to the pre-shock state of normality. Superior levels of in-crisis adaptation enable companies to take decisions quickly and get ahead of the disruption. The first stage in crisis response is usually one of creative, entrepreneurial problem-solving in real time as the events unfold to secure the company’s immediate survival. Then, as soon as the crisis is under control, the board should stimulate the management team to think proactively about introducing new business models in the “new normal”, for example by accelerating investments in digitalization. As such, it is important to make a shift from the classic mindset of mitigating downside risk to becoming more opportunity driven. Board members need to proactively engage with their executives to discuss how even highly adverse events, such as the Covid-19 crisis, might be leveraged into strategic opportunities to be exploited in the longer term. For example, companies might consider acquisitions targeted at growth in previously underdeveloped market segments, such as a specialty chemical company diversifying into the medical hygiene products business. Effective risk oversight in the context of a major disruption thus requires boards to rise above their traditional monitoring role and develop a strategic stance to dealing with risk. Companies whose board members consider risk as an integral part of their business strategy rather than as an after-thought, are bound to have a competitive edge in building resilience for the future.

Adopting a long-term view

While extreme circumstances require that the board’s immediate attention be directed towards ensuring the company’s survival, directors must also adopt a long-term perspective, with a clear focus on strengthening the organization’s resilience in a sustainable and purposeful manner. Maintaining a long-term perspective might entail a delicate balancing act to reconcile the interests of shareholders and other important stakeholders (employees, customers, suppliers and the broader community), as well as responding to calls for greater clarity on the organization’s ultimate purpose. Take, for example, the recent public outrage about several financially strong international groups that (ab)used governments’ emergency response to the Covid-19 crisis to defer rent payments on their shops, with potentially detrimental consequences for small store owners. In times of severe turbulence and existential anxiety, it is particularly important for boards not only to protect their company’s short-term financial and operational performance, but also act as a beacon with a long-term view for the future on corporate purpose, social responsibility, and reputation.

On Risk – It’s the Reputation, stupid!

By Frans Cornelis, MBA83J, IDP-C

Risk management is one of the “big three” attention items for non-executive directors, along with strategy and talent. And the current COVID-19 crisis has left many scratching their heads, wondering what lessons one should draw from this highly unpleasant experience.

Previous worldwide crisis situations that virtually no-one had planned for gave rise to concepts like “The Black Swan”. So is COVID-19 a “Black Swan”? Probably not – to quote Michele Wucker, it is more like a “Grey Rhino”: a known risk, rare but by no means fully extinct, and with very destructive properties.

So what is a non-executive director to do? Classic “risk management” often has a financial and statistical focus. One can and should insist that an organization maintains sufficient reserves. Of all types. And it is obvious that the idea that if you have less than your maximum leverage you are inefficient or in some way not maximizing things for your stakeholders is probably overdue for a rethink. One organization I am involved with, and that had to close down completely for almost three months, is now very happy with the fact that they did not go anywhere near the limit, and that they are therefore surviving where others have already gone bankrupt.

Over the decades, “Risk management” has almost developed into a specialized science. In many if not most major businesses, there are elaborate schemes to assess risk; usually on the financial side (interest rates, policy changes, but also things like fashion change etc.). Mostly drawn up by accounting people. As a non-executive director, you could be forgiven for thinking that you have done your job well when you have scrutinized, probed and discussed the typical complex and serious report on “Risk Management” that has been produced for inclusion in the annual report.

And yet… The Covid-19 crisis should also make us think first and foremost about something the Coca Cola leadership used to say: “You can take away everything, but if you leave the brand and some of our key people, we will rebuild the business”.

And, interestingly, science backs this up. The annual AON risk management surveys have a consistent item in the #1 spot for largest risks for decades now: Reputation. Not industrial policies, fashion, monetary policy, flooding or what have you. They all figure in the lists, but Reputation comes out on top. Almost every time, usually by some margin.

Also, the Boston-based Reputation Institute, in cooperation with the Rotterdam School of Management (RSM), runs serious longitudinal studies of many thousands of organizations worldwide measuring “Reputation”. They also point out that Reputation is closely linked to another concept: Identity.

And there are quite a few cases, with verified examples, where they can prove that a high reputation score allows you to recover quickly from a disaster, whereas a poor reputation score does not.

Studies by prof. Cees van Riel (RSM, now emeritus) also show that the actions in the initial phases by the company executives and spokespeople are critical for benefiting from that “Reputation cushion” or not. The wrong actions quickly destroy that reputation, sometimes forever.

Like in the well-known case of once world-leading Perrier water, where a contamination was detected in their flagship product. While a recall was forced on the company in the USA, the management sought to play for time and declared, untruthfully, that this had been a one-off mistake. In reality, it soon became clear that water all over the world had this contamination, and that it would have had this for quite some time. In a post mortem, it turned out it was due to bad quality and process control at the source itself. Why did management lie? Did they know they were lying? Hard to tell, but certainly the attitude was one of denial, at the expense of their customers, and subsequently, the other stakeholders. The company never got anywhere near its previous market share, valuation and standing. It was sold 18 months later – to a direct competitor.

So does this mean that non-executive directors should also insist on better PR people, or that they should have probed the quality systems at the core processes better? That cannot be the right answer, as they would end up firmly on the chairs of the management.

What it does mean is that we should all be aware that while Reputation is the key risk, it is very closely linked to the actual Corporate Identity. That Identity is defined by norms, values, ethical choices, character. Not so much the beautiful words in the corporate statements, but the real actions and the actual paradigms.

What you do in a crisis will be seen by all stakeholders, and they will immediately notice when, faced with a tradeoff between the interests of various groups of stakeholders, the company chooses against its customers.

This “Identity” (the actual one, not just the one on paper or in advertising slogans) is something formed over many years, and ingrained in the character of the employees. It is heavily influenced by the actions and personal examples of the management. The “value statements”, “purpose statements”, “brand” or whatever they are called are certainly important, and one has to start from somewhere, but actual behavior is the deciding factor.

That Identity is, as the Germans like to say, “Chefsache”. So yes, a Risk Analysis does deserve the full attention of good non-executive directors. If the report does take Reputation into account, so much the better. But in my mind, great non-executive directors have also made sure that the core values inside the organization, what people feel they stand for, and the ways the outside world perceives the organization, have been carefully defined and strengthened.

When a highly appreciated Identity as externally perceived is aligned with the “employer brand”, the “corporate brand promises”, the investor reputation, and the actual internal and external actions, you have a fantastic foundation that will also guide and determine the right actions in a crisis, when there is no time to weigh and ponder each individual statement or action.

In the current COVID-19 crisis, there are many examples of companies that were quick, open and transparent when they could not keep their promises. I know of some organizations where clients literally sent emails saying “Keep my money, hang in there, and we’ll see what you can do when this is over”. But there are also many companies who leapt from promise to promise, did not follow through on the promises for many months, got into overly legalistic and “small print” conversations and lost a lot of sympathy with their stakeholders.

I have a hunch who, a few years from now, the winners will turn out to be.

So my recommendation for non-executive directors in these times is: do read your Risk paragraphs – but also do check whether the crisis actions harm or bolster the reputation of the organization. And whether there is a clear, admirable and effective “Identity”. Because once survival is more or less assured, that is what will determine how well you can bounce back – or not.

We did not see it coming

By Xavier Bedoret, IDP-C, IDN Belgium Ambassador and Consultant in Corporate Governance

The arrival and subsequent impact of the current coronavirus crisis has taken many organizations and states unaware.

This phenomenon can be best explained as the appearance of a metaphorical “black swan”. The theory goes that human beings will assume that, because all the swans they have seen in their life are white, all swans must be white. It is a classic error of induction resulting from one’s limited experience in life (I have not seen it) or from one’s cognitive biases (I do not want to admit that I have seen it).

As a matter of fact, the error arises from an individual or entity having been blind, having been unprepared, “not having seen it coming”, or not having considered “unknowns”, as Donald Rumsfeld put it.

Nassim Taleb, Researcher and Risk Analyst, identifies three reasons why we do not see these events coming:

  • The world is too complicated and random to understand what is really going on;
  • We are very good at making sense of events after they have happened; and
  • Putting elements into categories (which we do to make sense of things) always oversimplifies reality.

As we can see from the events unfolding today, this blindness can have a severe impact on human society.

How can companies avoid these “black swans”?

First of all, let’s make the distinction between (1) risks – that are manageable; and (2) uncertainties – that are unpredictable.

  • Let’s define risks as events that may be predicted, monitored, hedged, insured or avoided. In today’s corporate world, risks are studied, measured, and even exploited. The risks that fall into the category of “high probability and small impact” are considered part of the daily management of operations. These are the responsibility not only of the risk manager but of each front-line manager who is in charge of dealing with those manageable risks.
  • Let’s define uncertainties as unknowns. By definition, we cannot know the nature, the size, the timing, … or anything, about these unknowns. Companies cannot find on the market an insurance policy that adequately covers events with a “very low probability and a very high impact”.

The audit committee today is in charge of risk monitoring. They establish a strong communication line with the company’s risk manager to ensure the board’s risk appetite and the field risk mitigation are aligned. This will ensure that manageable risks are well monitored through sound processes. As we know, moderate risks lead to good business and a healthy company.

As the Danish proverb goes, “forecasting is difficult, especially when it concerns the future”. The audit committee should, therefore, approach the subject of uncertainties in a different manner: leaving the path of prediction and taking the path of agility, seizing opportunities, and avoiding rationality and argumentation.

  • Maintaining agility means:
    • Training the muscles of the corporate strategy: design various scenarios;
    • Ensuring the adaptability of the organization: encourage speed of reaction;
    • Promoting the flexibility of the people and systems: break silos and develop networks.
  • “Chance favors the prepared” said the French scientist Louis Pasteur. Opportunities are seized by companies that are vigilant. The board should foster the company’s exposure to positive contingencies that might be as beneficial as negative contingencies might be hurtful.
  • Avoid rationality and argumentation since, as Taleb explained, relying on it is the very reason why boards and audit committees do not see these “black swans” coming.

Xavier BEDORET is a consultant in corporate governance. Drawing on his experience as a certified accountant, financial controller, internal auditor and committee chair, he gives audit committees support and guidance for improving their actions.

Why boards have a duty to reinforce resilience

By Didier Duret IDP-C, Non-Executive Director and Independent Adviser

Change is risky for firms, and boards of directors must see beyond talk of disruption and innovation to ensure companies focus on their essential qualities and a handful of best practices.

The current global lockdown, enforced by governments to minimise the Covid-19-led public health emergency, has led to the shelving of many firms’ multi-decade strategies to correctly allocate resources across different regions.

Boards of directors must now re-focus on their organisations’ long-term resilience. This must not be confused with short-term crisis management, which demands quick reactions, analysed relentlessly across digital media.

Prudence and strength

Resilience is a mixture of prudence and strength before a crisis and should be ingrained in firms. It is defined as “the degree of freedom we can deploy to act on events we cannot control”, by Boris Cyrulnik, French psychiatrist, author and Holocaust survivor. For most firms, it derives from a mix of efficient risk management and organisational flexibility. In order to boost resilience, boards must question assumptions, nail down governance principles and adopt sound stewardship.

The idea of resilience in business was popularised by Nassim Taleb in his 2012 best-seller Antifragile: Things That Gain From Disorder, which argued that both humans and organisations are poorly equipped to cope with shocks that accelerate change and have cascading consequences. While hardwiring to think in categories has helped our species survive, most phenomena in nature and society follow non-linear patterns with little respect for categories. Although we can model risk from yesterday’s data, we cannot apply it confidently to tomorrow’s uncertainties.

In modern corporate life, despite a professional culture that has elevated disruption to a virtue, change remains risky and unpredictable. Many start-ups do not survive, and large firms struggle to adapt. Disruptive ideas facilitated by ‘agile management’ have limited impact once they encounter bureaucratic inertia. The board is in a key position to see beyond management techniques and reflect on the essential qualities of a resilient firm.

Focus on what works

Rather than being hypnotised into a reverie of ‘innovation’, it makes sense to focus on a handful of best practices. Of these, financial resilience and access to cash is the most important. Heavy debt and weak solvency ratios undermine resilience. Boards have explicit responsibility for their firm’s capital structure and access to finance, plus oversight of remuneration and dividend and share buyback policies. In a crisis, when survival is at stake, board members may seek access to new capital, renegotiate bank loans or seek to be bought out by a larger firm. Board oversight is crucial for the firm to exit a crisis with resilient, if battered, financials.

Diversification of activities, markets, products and suppliers makes good business practice. Diversity of opinions, talents and skills among management, staff and board members also contributes to strategic resilience. A mix of genders, races, cultures, languages and expertise strengthens reliability of operations and leadership competencies. External advisers and independent board members can help identify new trends signifying a paradigm shift. They reduce groupthink and corporate bias, constructing a vision differing from the past. External think-tanks or business school experts can be valuable resources for the board to refocus long-term strategy based on short-term crisis-induced changes.

Discernment through judgemental resilience is a major governance skill exercised by the board. It can be reinforced to balance quantitative resource optimisation versus qualitative operational resilience. Better data-driven “dashboards” do not mean better resilience, just as last week’s stock price does not tell us what next week’s will be. The board can ask the CEO to review crisis planning and solidity of the strategy through a qualitative-scenario lens differing from traditional quantitative-scenario planning, which, most of the time, is consensual to the industry or macro environment.

ESG goes mainstream

Environmental, social, and governance (ESG) policies have become mainstream, reinforcing resilience by reducing financial, operational, and reputational risks through selecting reputable commodity providers or avoiding financing controversial industries. But ESG-driven governance does not guarantee resilience. Recent 20-year-low oil prices are just as disruptive for power producers using wind farms and solar panels in the transition to renewable energy as for shale oil firms, radically transforming capital spending plans. But today’s unprecedented economic crisis is impacting global social and political dynamics as well as consumers’ visions of the world and leadership expectations. Authentic ESG culture may yet prove a competitive advantage in the post-Covid-19 ‘new normal’.

Humility offers a hidden dimension to resilience, counterbalancing the excessive risk-taking and corporate hubris associated with charismatic CEOs. Would WorldCom have survived with board members questioning its overmighty CEO Bernard Ebbers more explicitly? Good practice involves yearly independent assessment of performance and behaviour of the board chairman, members, CEO and executive committee. Humility does not mean timidity, as it can be courageous. An advisory board I sat on during the early weeks of the Covid-19 crisis pursued investment in strategic areas that had suffered from heavy losses through massive disruptions, but gave the CEO wide latitude to implement high-level decisions.

I believe boards of directors, by focusing more on conditions for resilience, can help firms achieve better financial, ethical and environmental results. Resilience, in all its aspects, has become a strategic requirement, and unless boards take a more socially-oriented and strategic outlook for their organisations, billions of people will suffer, to the ultimate detriment of these firms.

Didier Duret IDP-C is a non-executive director, an investment committee member, and independent adviser to several private family offices and foundations.

This article was first published in the Private Wealth Management Magazine from the Financial Times on 23 May 2020, and can be found at https://www.pwmnet.com/Wealth-Management/Business-Models/Private-View-Blog-Why-boards-have-a-duty-to-reinforce-resilience

Align Risk Management with Strategy and Operating Performance, Reward and Remuneration

This blog post is shared as part of a series of insights from INSEAD Directors Network, based on roundtable discussions held during INSEAD Directors Forum October 2018. The Directors Forum Round Table Discussions were held with IDN members led by IDN board members or IDN Ambassadors. Other blog posts in the series are listed at the end.

___________________________


The round table discussion “Align Risk Management with Strategy and Operating Performance, but also Reward and Remuneration” was led by Susana Gomez-Smith, NED and IDN Ambassador for Portugal, with the introduction:

As the ultimate steward of value and overseer of risk, the board must grasp the relationship between strategy and risk and assist management not only in gaining that understanding but also in putting it to practical use. The Board must also ensure that remuneration policies and practices are consistent with and promote sound and effective risk management, and are in line with the business strategy.

  • Why should the Board consider and discuss strategy and risk appetite in tandem? How to do it in practice?
  • What can the board do to drive greater awareness of the risks to the strategy throughout the organization?
  • “Remuneration forms part of the culture and governance priority as set out in our Business Plan. As a key driver of behavior, remuneration of senior and risk taking staff is an important area of focus for the FCA to ensure that risk and reward are aligned in firms that we regulate through our Remuneration Codes (the Codes). Whilst our remuneration rules only apply to specific groups of firms, remuneration is a key driver of behavior for all firms and individuals. Implementing appropriate remuneration policies and practices helps to ensure appropriate outcomes and reduces the likelihood of harm from occurring”
    Financial Conduct Authority, Remuneration Codes

    How can Boards satisfy themselves that firms’ remuneration practices lead to appropriate outcomes and that risk and reward are aligned?

Pre-readings:
Strategic Risk Management: A Primer for Directors, Harvard Law School Forum on Corporate Governance and Financial Regulation
The UK Corporate Code, Financial Reporting Council (from page 16)

Roundtable discussion

Strategy and risk have historically been kept as quite separate topics, as risk work has tended to be quite operational in focus. As strategic risk has been increasing steeply for many companies, boards need to find more appropriate ways to work with the two topics in tandem. Some key insights from the board members were noted:

  • The strategy of the firm is and has to be the starting point of all the considerations
  • The Strategy should comprise the areas of the core business and potential new business areas
  • The risk appetite for both areas has to be set and will be overseen by the Board (in a regular exercise)
  • The risk culture is set at the top of the company!
  • The second line of defence (Risk Management, Compliance) as well as the third line of defence are supporting the first line (operations) – clear definitions needed
  • Especially the Risk Management and Compliance functions must be filled with experienced and independent staff
  • With regard to risk measurement and risk identification, the right KPIs (which are rather backward looking) and KRIs have to be defined (better to start with few, but the most telling ones). Monitor not only your risks but also how the probability and impact of such risks are evolving.
  • The Risk Management process is not static; it is a constant effort. Risk managers should be incentivized to identify emerging risks. Some companies, alongside the regular Risk Committees, perform regular exercises to reflect on emerging risks. It is advisable to include different areas of the company in such exercises, rather than running them as a closed, inward exercise of the risk department.
  • At Board level, a trade-off between investments in new business areas and investments to mitigate/eliminate existing risks has to be found
  • The remuneration should be linked to:
      1. Implementation of the strategy (short-, medium- and long-term), and hence parts of the variable compensation should be deferred
      2. Accomplishments in the core business areas as well as in developing new business areas
      3. Risk taking and risk management
      4. Implementation and living the risk culture in the firm
  • The Remuneration Committee should be given the power to override formulaic outcomes of bonus schemes
  • Remember: The Management is responsible for Risk Management, the Board is responsible for Risk Oversight.

Conclusion: Strategy and risk need a framework in which they are considered jointly, as strategic risk is increasing for many companies, and that framework also needs to be fully aligned with new and balanced remuneration schemes.

Recommended additional reading:

Enterprise Risk Management – Integrating with Strategy and Performance, (COSO)

Using a Risk Appetite Framework to Align Strategy and Risk, (Moody’s)

Letters to Remuneration Committee Chairs (FCA UK)

 

By Susana Gomez-Smith,

Certified Independent Director IDP-C and IDN Ambassador Portugal

___________________________________________

 

Other blog posts in this series:

Governance in a Disruptive World by IDN Board Member Liselotte Engstam

From Board oversight of Strategy, to creating a Sustainable Business, by Helen Pitcher OBE, IDP-C, Vice President IDN

Anticipate and manage for geopolitical trade, corporate governance codes and regulatory changes by Cleopatra Kitti, IDN Cyprus Ambassador

The impact of technology on Strategy & Business Models by Mary Francia, IDN Board Member

Align Risk Management with Strategy and Operating Performance, Reward and Remuneration by Susana Gomez-Smith, IDN Portugal Ambassador

Accelerate Board Effectiveness by IDN Board Member Thomas Seale

More insights from INSEAD Directors Network will be shared, based on the INSEAD Directors Forum 2018 Round Table Discussions. Look out for more upcoming blog posts!

Anticipate and manage for geopolitical, trade, corporate governance codes and regulatory changes

This blog post is shared as part of a series of insights from INSEAD Directors Network, based on roundtable discussions held during INSEAD Directors Forum October 2018. The Directors Forum Round Table Discussions were held with IDN members led by IDN board members or IDN Ambassadors. Other blog posts in the series are listed above.

__________________________

The roundtable discussion was led by Cleopatra Kitti, IDN Ambassador Cyprus, with the introduction:

Anticipate & manage for geopolitical, trade, corporate governance codes & regulatory changes

  • Anticipate: Define, Measurement, Audit
  • Proactive vs reactive: crisis management, response mechanism, measurement and evaluation
  • What does this mean for the Board? (perspective, information, connecting the dots, risk measurement, scenario planning, regular review)

Pre-reading:

Measuring Geopolitical Risk, Dario Caldara and Matteo Iacoviello
__________________________

As disruption is the key word for business society and for the wider operating environment of boards, there is much discussion on how to anticipate and navigate such a complex environment, especially when decisions need to be taken within short-, medium- and longer-term horizons.

The context: the benchmarks and guidebooks of performance are shifting the goalposts. In capital markets there is much debate on assessing performance and return on investment not in quarterly results but over a longer horizon; governance codes differ region by region or country by country; and disruption by politics, trade wars and social movements adds an additional layer of complexity for performance.

This complexity calls for strong business ethics, culture and values at the top, at board level.

Our pre-reading looked at how different global institutions and boards identify, measure and respond to risk and opportunity; how markets, politics and society interact and intercept progress; and how information flow for proactive and reactive decision-making tools is an important element of board work and decision making.

The discussion: after setting the context and key parameters for our discussion, we centered on two case studies brought forward by fellow IDN directors:

  • One case study dealt with governance and decision making at board level of a sovereign wealth fund, required to decide on a cross-border investment that had political significance but less significant investment value. This is a real-time case study;
  • The other case study looked at a national, publicly listed telecommunications company where the board decision on international expansion led the company down the path of missed opportunity and eventual loss of market share.

We identified these important parameters:

  • Geopolitics is seen as a “long term” impact and usually falls outside the core competence of most directors
  • Proactive and reactive measurement tools, scorecards, or benchmarks of success are required tools for level-playing-field decision making
  • The unclear landscape of differing governance codes and regulations across jurisdictions creates unclear paths to decision making
  • The board must understand the “timing” element of its decision making
  • The composition of the board must reflect the differing dimensions of today’s complex business environment.

 

Conclusion: Boards are operating in an increasingly complex environment of politics, markets, trade wars and social movements, which calls for an increased focus from directors setting the agenda and decisions based on ethics and values driven by the top of the organization’s leadership.


By Cleopatra Kitti

Certified Independent Director IDP-C, NED and IDN Ambassador Cyprus

www.cleopatrakitti.com
