I don’t suppose any of us fully anticipated what we, and the rest of the world, have experienced in these last few months.
Most of our boards have well considered and often colourful risk registers, which they review regularly. So why was this coronavirus such an ambush? How many registers contained something like: ‘Global pandemic, forcing us to close our business, and generate zero revenue for several weeks’? Perhaps many Chief Risk Officers were too nervous to present anything quite so apocalyptic to their board (note to self: reality check on our board’s culture, and how we respond to bad news from management).
I wrote a few weeks ago (The Wisdom of Wimbledon, Covered Are We) about one organisation that did understand the consequences and acted on it. But, if we’re honest, this virus took most of us by surprise – not least with how fast it turned our lives upside down: airlines and tourist operators, struggling to manage excess demand only a few months ago, were suddenly starved of cash, almost overnight.
In the spirit of ‘Never waste a good crisis,’ this may be time to take a fresh look at how we identify risk. Most of us have extensive risk registers and associated ‘heat maps’, where we plot the likelihood of a risk materialising and the impact or severity if it does.
A 2012 article in the Harvard Business Review (Robert Kaplan and Anette Mikes, ‘Managing Risks: A New Framework’) was one of the first to explain why we can’t treat or manage all risks the same way. Since then, my colleague Vaughan Renner and I have developed the authors’ approach into what we call The ART of Risk Governance™:
‘A’ is for Appetite. Many boards have a carefully crafted ‘Risk Appetite Statement.’ Mostly, those statements lie.
‘Risk Appetite’ is curried prawns from a side-street vendor in Mexico City. The common definition of ‘appetite’ is ‘a desire or liking for something.’ Unless you’re quite perverse, you don’t have a desire or liking for most of the risks in your register. However, you do need to identify them and decide how to treat them.
For some risks, though, ‘appetite’ is the correct term. These are the risks we choose to accept, or even seek, because we hope the benefit or return will be greater than the likely cost.
Banks, for example, set a ‘credit risk appetite,’ which they hope will generate a level of lending where the overall returns to the bank are maximised, allowing for a certain number of bad debts. Other businesses may set a risk appetite for acquisitions or other strategic moves – big enough to make a significant difference, but small enough that they won’t kill the company if they fail.
We need to agree the board’s risk appetite and set limits around these strategic choices.
‘R’ is for Resilience. Even if we’d had the foresight to include ‘Pandemic’ in our Risk Register, most of us couldn’t have prevented it or stopped its rapid spread across the world.
Risks like this are normally related to external events. We have no ‘appetite’ for them and we usually can’t stop them, but we do need to be resilient, so we can survive when they occur.
These events may be:
- Short term – natural disasters, whether meteorological (flood, drought or cyclone), geological, or biological (like the pandemic).
- Medium term – often the result of economic or political changes. Our boards need to consider a range of scenarios and ask, ‘What if?’ – ‘What if we do have a change of government?’ … ‘What if we don’t?’
- Long term – often the hardest to address, such as long-term demographic or economic change: what might our world, our market, our customers and our competitors look like in 20 or 30 years, and how can we evolve to take advantage?
‘T’ is for Tolerance. Most of the risks on our register (health & safety, data loss, internal fraud, and so on) have an operational focus, and they offer no strategic benefit. Yet they usually fill much of our risk register, because they lend themselves to quantification, and to controls that we can implement, either to reduce the probability of each risk occurring (say, defensive driving courses for our employees on the road) or to reduce the impact if it does (regular, tested file back-ups and a duplicate site for our data).
We could, if we chose, mitigate or eliminate most of these risks. But we’d have no money or resources left for anything else … you could probably build a crash-proof aeroplane – but it would be too heavy to leave the ground.
Some risks we may simply accept, as part of what we do. For the rest, will we reduce or eliminate them, transfer them to someone else, or avoid them altogether? We should do so only to the extent that it is practicable and cost-effective, while still allowing us to achieve the organisation’s goals.
From my experience with many boards, it is this third category – internal, operational and at least partly controllable – that frequently dominates when we review our risk registers.
An internal fraud, the loss of a key person, or a data breach is annoying, and can be expensive and distressing, but it doesn’t usually kill the company. Yet many boards don’t spend enough time considering the longer term, or the external, strategic environment, where the risks fall largely into the first two categories. And those are the categories that usually contain the risks that can put us out of business.
When your board takes its next ‘deep dive’ into Risk, try identifying your main exposures in three separate sessions: one for each of these three categories. You will probably uncover a richer trove of risks than you have considered before. Then consider how you will approach each:
- For which do you have a genuine appetite, and need to apply some limits?
- Against which do you need to build your resilience? And...
- What level of tolerance do you have for those risks that you can actually manage?
Welcome to Level One in The ART of Risk Governance!
If you’re reading this post on LinkedIn and want to follow my blog, you can do so at my site chairingtheboard.com