Is my board growth or risk focused?

How should boards organise their thinking around risk?

The Financial Reporting Council’s (FRC) recent governance code update is very clear on this point – and the expectations of stakeholders whether investors, regulators, partners, staff or others. As such The Code provides a good guide to all organisations.

The hierarchy of logic outlined by The Code starts with Purpose (the North Star), Objectives, then Key Risks & mitigations, controls, assurance and reporting.

Assurances are for ourselves as accountable directors. making commitments we need to stand behind, then to be shared with stakeholders committed to the journey with us.

While the FRC code applies to large, listed companies, there is a clear trickle-down of good practices to smaller listed (optional QCA code), private companies (via The Wates Principles – a set of guidance now also owned by FRC) and through mission-driven ‘Not For Profit’ organisations – including the public sector, charities and others in our board portfolios.

Experienced INEDs tell me that they were often held away from risk debate, as risk was considered too negative and technical for the board agenda. But increasingly risk is integrated with Purpose and delivery, so discussed at most, if not all, board meetings.

The recent launch of ‘Raising your Game’ risk guidance for all sizes and sectors of boards supports a principles-led and proportionate approach that boards are now applying for the necessary integrated oversight and assurance.

Is risk an issue for the board as a whole or a specific board committee?

Through my comments on the code and purpose above, it must be clear that the main board remains accountable for risk. However board meetings have tight agendas and there is considerable real work to be done here which is probably better achieved through ‘a committee responsible for risk oversight’. That role may be combined with audit or another committee, with terms of reference that delegates responsibilities, perhaps also budgets etc through the committee chair. Regular reporting back to the whole board can be achieved through a short summary from the committee chair, whether written or verbal, for the board to challenge then support.

We are currently in the midst of a high risk economic and geopolitical environment – What would be your advice to boards on how to address this from a risk perspective?

Post the 2008 ‘crash’ the Risk Coalition’s research revealed that most boards would spend the majority of time and resources addressing known risks. In recent years that has changed. Board members now tell us that perhaps 50% of time and resources might be applied to Emerging risks – a huge change in focus. This is probably because volatility of supply chains has increased, we are also told that the deployment of digital processes makes swings occur faster and become more material to risk and performance changes.

A diverse board and risk committee membership can be far more effective at identifying and preparing for emerging risks than an infrequent one-day planning session could ever be. It’s even better if you can collaborate with your value chain partners (who probably have a shared purpose) to identify and mitigate these risks in appropriate ways. Professionals I’ve worked with often ‘drill-down’ into the details of an entity for their board, but the board usually knows we should look across the value chain and encourage our professionals to do the same with and for us.

What are the key risks facing boards at the current time?

These seems to depend on the geography, sector, stage of development etc but there are some common risks that seem to be on every organisation’s key risk list.

As a chair myself (and having listened to the JCB chair on radio a few weeks ago), I’m also focused on the organisation’s plan, 5+ years in his case and probably 2-3 in ours as a Fintech. We have a high level of confidence we can achieve that, but it doesn’t stay fixed as the board has to  remain aware of external factors both positive and negative. For my firm that has opened an opportunity to acquire another entity along the value chain at short notice, through a combination of share swap and new capital, for JCB the Chair said that means moving more production to the US and working with his supply chains to support that, a the new President Trump encourages on-shore production.

So in summary to stay focused on your plan, but be aware and flexible and agile too!

If organisations don’t continually improve they risk becoming dinosaurs. Key existential topics right now are obviously AI and Cyber, for innovation and for resilience. Both require reflection on purpose, consideration of competitors and regulators, and board decisions on skills & investment

One process I’ve seen demonstrated recently was reduced by 80% cost and time through AI. Would we want to be a first mover here, or can a fast-follower do well enough?

Reflecting on what was said earlier, there needs to be far more attention on emerging risks, alongside known risks. There also needs to be an agile capability, as deployed for crisis management, when the unexpected happens. Are we practised and ready?

How useful is scenario analysis and stress testing?

Absolutely. These board decisions are ‘grey’, so no right or wrong answers. Board judgement is key, requiring information collection, advice taken, scenario exploration, choosing the best option and making it better from others. The board collaborates to decide, then to MAKE IT WORK. Judgement processes are key, used over and over.

Donald Rumsfeld made the following comments:

How does this help us to think about risk management?:

Emerging risks are appearing with stronger and faster effects, with less time to respond. Our value chain partners help us to identify them, but we should anyway put in place ‘no regrets’ infrastructure that can be re-used or added to as needed. When needed our value chain partners should be incentivised to pull together with us, rather than go elsewhere – back to what we learned about good relationships through Game Theory.

If we don’t know what we don’t know (yet), we can still take deliberate and useful actions rather than await the surprises! Prepare for the consequences if not the event?

How can IoD members and other board members improve here?

The FRC Code update has reminded boards to refocus on Purpose, Objectives, Key Risks, Controls and Reporting, but not only as an entity as we share purpose delivery with others along our value chain. In financial services the FCA recognises this too.

The board chair can use the Ris Coalition’s Risk Principles (‘Raising your Game’) to remind the board of their personal accountabilities and areas to focus board time and attention for decision making, resource allocation and progress tracking.

It usually proves helpful to have a working committee, led by INEDs, which leads risk oversight for the board, this may be merged with an audit or other oversight committee.

For identified Key Risks, look for reliable and timely assurances. What ‘sources of assurance’ can you put in place using capable and INDEPENDENT internal and external resources? Through cross committee working how can the board achieve good coverage and close any gaps?

Board and committee reviews (whether self or independently assessed) can determine the maturity of relevant risk oversight and risk management capabilities, helping the board to prioritise and work on capability improvements over time.

Focus first on the next steps that pay back, it rarely proves practical to jump maturity levels, although with help you can accelerate through them to gain benefits early.

The risk capabilities of the boards I’ve joined have varied widely, depending most on the previous experiences of those around the board table. Using standardised risk guidance enables a better conversation and more practical self-development plan.

As capabilities develop there is always more to do so the guidance continues to be challenging. Be sure to watch out for the Risk Coalition’s imminent online survey to understand the maturity of each of your boards, also what might be useful to do next!

Author: Bryan Foss

Bryan chairs Hope Macy Ltd, the UK’s fast growing Credit Reference Agency for vulnerable people. Over 20 years he has had multiple INED roles across various sectors in listed, private and NFP organisations of all sizes. Bryan is a Visiting Professor with Bristol Business School, has been a regulatory advisor and contributed to the development of risk guidance for boards, available for free download at www.riskcoalition.org.uk  The views expressed here are not those of the IoD, although Bryan is an active Fellow and Chartered Director.

www.linkedin.com/in/bryanfoss