Executive boards have a responsibility for good governance and responsible stewardship, yet persist in treating risk as a control function, not a decision-making process.
A board is required to take collective responsibility for the organisation’s risk appetite, yet in most board meetings risk is treated as the privileged domain of the head of risk, or chair of the risk and audit committee. Other directors defer to this person as a risk “expert”.
Consequently risk is confined to imaginable threats to business continuity—a very limited perspective, especially as most crises result from unimagined incidents.
Consider two very different unimagined incidents: Ratners jewellery chain in 1991, and United Airlines in 2017—years apart but with a common theme. In Gerald Ratner’s case, a disparaging flippant remark, intended for the financial press, reached the tabloid press; consequently, Ratners’ customers took offence and boycotted the brand.
In United Airlines’ case, an incentivised request for passengers to get off an over-booked plane resulted in one customer, who refused to move, being forcibly removed by airport security. In each case the consequences were never imagined because the situations were not itemised on any risk register.
In the past 30 years almost every reputational crisis of note was caused by an incident that had not been foreseen or imagined. This is not a fault of risk management itself, but of how myopic boards have become in their perception of risk.
Risk is future uncertainty, good and bad, as well as opportunity and threat. Risk has become a discrete function rather than a vision of future outcomes and bedfellow to strategy.
The same happened to corporate responsibility in the recent past: a collective responsibility was identified, and attributed to an owner, who became the expert at the board table. What is it in the psychology of boards where authority is sought but collective responsibility is shunned?
Risk as a discipline lends itself to “expertise”, largely because of the influence exerted by the insurance industry. Here risk is calculated as potential financial loss based on a correlation of incident severity (cost) and incident occurrence (probability). Where both are high then damage is likely and insurance cover more expensive.
Risk management as a corporate function creates systems and controls processes to avoid loss caused by business interruption or damage. There are two fundamental flaws to this: the first is that risk is future uncertainty and so defies control; the second is that certainty itself is an illusion—there are only differing degrees of uncertainty.
Scandals and crises still occur decades after risk became a hot boardroom topic because boards are looking at risk the wrong way.
It also explains why so many communicate it ineffectively. To investors and sponsors risk is presented as a commercial opportunity, the precursor of reward; but to regulators and customers it is presented as something under firm control, a threat that has been confidently mitigated.
The language of risk is muddled and so boards need to develop collective risk literacy. This is necessary to articulate not only the board’s shared appreciation of risk, but also its powerlessness to offer certainty about the future.
The boardroom is an environment where behavioural economists see classic group dynamics at play: there are at least three psychological drivers beyond the personalities of individuals on the board.
The first is loss aversion: we fear losses more than we value gains, and in a group, caution will usually win out. The second is exaggerated optimism, where in order to promote our pet scheme we will tend to overestimate benefits and underestimate costs. The third is cognitive bias and the tendency to seek consensus through a shared mindset, or “groupthink”.
Is it any wonder that the collective board attitude to risk is so compromised?
What, then, is the best way to develop risk literacy?
The first step is to shake off the fear of uncertainty, but this might seem unnatural. Boards feel they are expected to deliver certainty to investors, customers and other stakeholders in order to retain their mandate to operate and instil confidence.
Nevertheless, certainty about the future is a dangerous place, and it has been said there are only two types of forecast—lucky and wrong. Admitting uncertainty is not a sign of weakness or incompetence, provided of course it is qualified.
Effective risk literacy requires an appreciation of the different degrees of uncertainty, from known knowns to unknown unknowns and all the intervening stages.
The gap between expectation and reality
Improved risk literacy among boards will reduce the risk of performance getting significantly out of line with promise. In the case of Ratners and United Airlines, a gap opened up between what investors and customers expected, and what proved to be reality. This is the gap into which reputation falls.
In Gerald Ratner’s case, customers learned that he believed his products were “crap”, and by implication they were gullible. In United Airlines’ case, customers believed that the airline “flew the friendly skies”, but video footage of a customer being beaten up quickly disabused them of this notion.
In both cases, discovering reality was a complete shock—in 1991 through the mainstream press, and in 2017 by social media. It is “dissonance shock” that damages reputation: trust flees, with value not far behind. Reputation is influenced by how you behave.
A higher level of risk literacy in boards would also help to address the dissonance when different parts of an organisation exhibit different approaches to risk. This is most common in the public sector, but can also be found in the private sector.
Public services like schools and hospitals tend to have a risk-averse culture, implicit in the nature of their duty of care. Management tasked with cost-cutting or revenue generation imposes a higher appetite for risk than the operational culture because it will be looking for commercial gain.
The clash of risk culture between management and operations can be recognised and tackled with higher levels of risk literacy in the boardroom.
A balance of viewpoints
The amount of risk literacy in a board will depend on the industry sector and the extent to which risk is or is not an intrinsic part of the operational environment. Most organisations already know whether they have a risk-seeking or risk-avoiding culture; the challenge is to ensure the board contains the right balance of viewpoints to equip the enterprise for the future operating environment.
The statutory requirement to report on risk appetite is a good start, and most professional organisations accept that appetite will vary according to a variety of internal and external factors, so they report it accordingly. There does, however, need to be greater attention given to strategic as opposed to operational risk by the board.
Strategic risks should be discussed by the board but are often unseen or unspoken, either by accident or design. Unseen risks include those which cannot be attributed, such as reputation, and those which are simply too complex or political. Some risks are unseen because they are so obvious they have become invisible, such as culture itself.
Unspoken risks include those which powerful members of the board do not want discussed, or which for legal reasons cannot be openly discussed. Some unspoken risks remain unvoiced because voicing them would question the organisation’s ethics. Nevertheless, both unseen and unspoken risks fall into the category of strategic risk, which the board should discuss.
In conclusion, boards could improve risk literacy by taking collective responsibility for decisions about the organisation’s future direction (strategy), in tandem with uncertainties relating to this (risk).
Perception of risk as threat or opportunity will vary among individual board members in accordance with their personalities, disposition, outlook and experience, but collectively it needs to be corralled into a consensus view in terms of both perception and attitude for the organisation as a whole.
This will probably require a CEO or company secretary to pull together the consolidated opinion of both executive and non-executive board members, but in the long run the organisation will be in a healthier place and earn greater respect from investors, customers and other stakeholder sources of income.