1. Failing to place risk at the centre of business
Boards often fail to put risk at the heart of the business because they underestimate the extent to which potential risk touches all aspects of the company’s operations. There is a tendency to treat it as a silo topic instead of making it an integral part of the board’s thinking and decision-making process. The chairman is responsible for the board’s overall risk.
2. Neglecting to identify and understand risks
Failure to identify major risks on the company’s risk register and to understand how they affect operations is a common misjudgement. If boards do not understand the risks they are exposed to then they cannot put the right controls in place. Risks such as cyber threats, data privacy protection, outsourcing exposure and currency risks should be among these, but top-performing boards will look beyond these to reputational risk and failure to engage with stakeholders, especially shareholders and customers.
3. Board refusal to exercise oversight
A frequent mistake is to delegate risk responsibility to the audit committee rather than to involve the whole board in the risk management process. In his 2016 research paper on board risk oversight*, Thomas Keusch, INSEAD assistant professor of accounting and control, says that when the whole board is involved in risk oversight it has a significant impact on the business. A survey of nearly 300 publicly quoted companies, in 28 countries, shows that boards with greater board risk oversight involvement tend to have more mature risk management practices and achieve better operating performance in the future.
4. Lack of clearly defined roles
Boards sometimes fail to assign risk roles clearly to committees, such as audit and risk, and to the senior risk officer. The combination of strong board oversight working together with specific members of the risk committee and risk officer will achieve the best risk management practices.
5. Misjudging risk appetite
The 2018 UK Corporate Governance Code principles on audit, risk and internal control state that the board should establish “procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.” Getting the board to agree on risk limits is a difficult process, as is ensuring that shareholders have the same expectations.
6. Getting communication wrong
Failure to obtain and share timely, good-quality communication leads to heightened risk, whereas good information flow mitigates it. Without the right information at the right time, boards cannot assess or respond to potential risk. Effective communication lines are vital between the board, audit and risk committee and senior risk officer. The chairman must be well informed as it is his/her duty to obtain the necessary information from management. It is also up to the chairman to challenge the CEO if this does not happen. A board is only as good as the information it has to work with.
7. Avoiding difficult questions
Another pitfall is director reluctance to ask difficult questions on risk issues. Board members should challenge any areas of concern and work through them with management and risk committees until they are satisfied with the answers. Don’t be afraid of asking, and repeating, tough questions and drilling down until clear facts emerge. Directors can be put off pursuing information by being told it is too complex or technical to explain.
8. Becoming complacent
The best way to avoid this error is to conduct an independent audit of risk management that provides professional, objective feedback on how the board manages risk and to continually update risk reviews to keep up with global risk challenges. Keep asking what could damage customers, products, services and reputation. Boards should also pay close attention to internal risk audits.
9. Tunnel vision
An inability to see the bigger picture and how global risks, including environmental, social and governance ones, have an impact on the company’s risk perspective is a common mistake. The World Economic Forum’s Global Risk Report 2017 states that ESG risks account for four of the top-ten interconnected risks in its annual Global Risks Perception Survey, including water crises and failure of climate mitigation and adaptation. It is easy to dismiss these issues as not having direct relevance to a company because of a narrow focus.
10. Failure to learn from mistakes
Boards, like most of mankind through history, are slow to learn from past errors. In the financial industry, the actions of individual employees—from traders to chief executives—who have bypassed internal risk management controls and brought companies, markets and, in the case of the 2008 financial crisis, the world economy to grief, continue. Companies and directors often fail to learn from their internal mistakes and rash decisions, or from those of peers. Not least of these errors is the failure to identify the root causes of risk and how to avoid them in future.
*“The Influence of Board of Directors’ Risk Oversight on Risk Management Maturity and Firm Risk-Taking 2016” (see Why the whole board needs to be on top of risk management).
This article has been produced by Board Agenda in collaboration with Mazars, a supporter of Board Agenda.