How company boards can govern risk - and what you can do to help

By Gillian Lees

With my ‘governance specialist’ hat on, I’ve had the good fortune to meet and even work alongside some of the big names in British industry.  I used to think that the concerns of industry leaders would be way beyond the comprehension of the rest of us.  But I’ve discovered that their worries are very recognisable and I have only met one CEO who claimed that there was nothing that kept him awake at night. (I didn’t believe him anyway!)

If there is one issue that comes up time and time again, it is the issue of how boards can govern risk effectively.  And it looks like this is true on a global level with McKinsey research showing that most board directors don’t feel they spend enough time on strategy and risk while the work of US governance experts such as Harvard’s Jay Lorsch and Ram Charan flags the challenges faced by businesses as they seek to move their governance ‘from compliance to competitive advantage’. 

Broadly speaking, boards have a dual role.  First, they must make sure that nothing terrible is happening in terms of fraud and other serious wrongdoing; the sort of thing that brought the likes of Enron and WorldCom down and led to the Sarbanes-Oxley Act in 2002.  But they also have to ensure that the organisation remains sustainable now and into the future - and that means understanding the strategy and business model.  They must also ensure that the management is competent enough to run the business well with a strong focus on opportunities and risks.
While it’s relatively easy to look at case studies and pick over the bones of the companies that got it wrong, it is much more challenging to offer constructive solutions – especially when you consider the very real limitations that boards have in terms of their time and their non-executive status, making it hard sometimes for directors to get under the skin of what is going on.  With the ever growing complexity of business, the task is getting harder.

But to deliver some practical advice was the challenge that  I was set with my fellow members of the Tomorrow’s Company Good Governance Forum.  And we have recently published a new report, The boardroom and risk, which also includes a toolkit to help boards understand how they can take a leadership role on terms of the organisation’s approach to risk.
One specific issue that needs attention is the so-called ‘risk management glass ceiling’ where there is a disconnect between the board and the operations – and it works both ways.  The board is often focused on strategy and understands the strategic risks, but it may not have a sufficient understanding of operational issues that have potential to cause serious reputational problems (for example, supply chains).  On the other hand, risk and operational managers might not always appreciate the full strategic implications of some risk exposures.  As you’ll see from the toolkit, a key remedy lies in the right tone and culture being set by the board.

But the next real challenge to address is how to get the right information to the board at the right time – that helps boards to ask the right questions without being swamped with information.  Sounds like a good job for a management accountant.  As part of my research and continuing work in this area, I would be keen to hear what works (or doesn’t work!) for you and your organisation.