At the recent Practical Law Managing Risk Conference, it was obvious from the diversity of speakers and delegates that businesses truly understand that managing risk and staying compliant is the responsibility of the whole company and not just the domain of the in-house lawyers. There were lawyer delegates, but also company secretaries, risk professionals, compliance professionals, risk and compliance professionals, CEOs, managing directors and financial controllers. The speakers were equally diverse − providing a truly 360 view of the strategies that companies do and should deploy to navigate complex business environments.
Risk appetite vs risk tolerance
The first panel session of the conference, with speakers including a risk and compliance director of a FTSE 100 company, a GC of a financial services startup and a CEO of a risk management software vendor, debated how businesses should calibrate their risk appetites. The panel identified that the term ’risk appetite’ posed an ontological problem. If one were to ask the question of a business, what is your risk appetite? The answer would conceivably be fairly binary: appetite or no appetite, therefore risky or risk averse. Since it is improbable that most businesses would want to be perceived as ’risky’ – and therefore not worthy of investment – then the only alternative would be to self-identify as ’risk- averse’. Alas, this is also not a good badge, somehow conveying the lack of entrepreneurism and innovation (which again, does not convey the right message to investors).
’Risk tolerance’ on the other hand, implies a spectrum against which specific categories of risk can be ranked. The term invokes a different mind-set, asking ’what risks can we take in order to make the most of the opportunities’?
Operationalising risk management
One company at the conference explained that their methodology for ranking risk involves:
- Identifying what is the target position for a category of risk
- Identifying what is the current risk position
- Identifying whether the current position is within or exceeds tolerance
Other methods were discussed. However, the panel were aligned in their advice that the only way a risk identification process can become an effective risk management process is for there to be business owners assigned to and owning specific risks. In addition, if the nature of the risk is one that should be on the board’s radar, then it would also be a good strategy to link the risk to budget and budget decisions wherever possible.
Making risk management part of the day job
For companies in some regulated sectors, stringent and formal requirements by regulators can turn risk management processes into check box exercises. For example, companies in the financial services space are required by their regulators to identify specific risks on their risk registers whether or not these risks are even applicable to the company in question. In these circumstances, a separate process is necessary in order to understand, and act upon, the real immediate and emerging risks specific to the business – regardless whether or not they have been identified by the regulators.
Where possible, identified tactical risks – the ’known knowns’ – should be on everyone’s radar and incorporated into daily processes and routines so that there is continuous monitoring and assessment at all levels of an organisation. For example, if failure to comply with health and safety legislation is an identified operational risk for a construction company, then a daily health and safety briefing on site with construction staff would be much more effective than the best written health and safety policies.
What about the known-unknowns?
The day’s packed agenda covered many of the known-unknowns, including geopolitical risks, data privacy risks, and cyber security risks, among others. Risks are becoming ever more present and serious in uncertain political climes, as we enter the digital age and enjoy the connectivity permissioned by the internet of things.
Navigating the known unknowns was described as being analogous to walking across the street looking backwards. There was some tactical advice provided by the speakers like making sure you have the right insurance in place, and bringing in experts to help horizon scan. For example, parliamentary consultants, who have friends in high places and are able to provide insight from the business community and government.
There was also more philosophical advice when navigating the known unknowns – keep looking for connectors, especially connectors that may not always be immediately obvious. Perhaps the antics of the North Korean government appear disturbing but distant. Yet, it might be worth noting that the whole of the Korean peninsula is a commodities hotspot, South Korea is a large producer of steel and the main Chinese shipping ports are but a short distance away.
And then there are the black swans…
Black swans (a term coined by Nassim Nicholas Taleb in his 2001 book, Fooled by Randomness), are ‘unknown unknowns’. These are events with major impact that cannot be foreseen from past experience and yet once they’ve happened, are explainable and therefore become retrospectively predictable. Black swan events can have both positive and negative impact. Where the impact is negative, then a well-planned and well-rehearsed crisis management response is probably the only defence available to a company. While by definition, black swans cannot be predicted, the fact that crises will occur is a given, and being prepared to deal with a crisis is imperative for the survival of any organisation.
Finally, as the saying goes, never waste a good crisis. Learn from your own black swans and those belonging to other businesses, as it may be Equifax in the dock today but tomorrow it could be anyone.
