The Top 10 Steps to Risk Management: The Devil is in the Detail
Risks are found even after you’ve done a risk assessment. It’s like the natural recourse of business. Starting a business in itself is a risk, and the more you run it, the more risks it faces. So where should you be aware of risk in your business? Below CEO Today hears from Jean Pousson, strategy and finance consultant for the Institute of Directors, on some of the steps to consider.
The recent high-profile failure of outsourcing giant Carillion has once again put risk at the heart of board conversations. There are many ongoing enquiries surrounding the failure looking variously into allegations of poor corporate governance, bad behaviour, suggestions of failures by regulators, external auditors and even internal auditors (that function was outsourced to Deloitte LLP).
Rather than get involved in the Carillion debate, the purpose here is to stimulate discussion by looking at some prevailing attitudes towards risk and risk management. Some of these risks are old and some are new. Some are evolving. I’m sure you can add many more of your own!
“The greatest trick the Devil ever pulled was convincing the world he didn’t exist.” – Roger “Verbal” Kint, The Usual Suspects (1995)
1. Our External Audit Provides Comfort
Not always. In fact, external auditors can provide false comfort to boards. They will tell you themselves that the purpose of an external audit is not forensic in nature. It is not geared to specifically detect fraud or other misdemeanour.
2. The Customer is Too Big to Fail
There is no such thing as “too big to fail” anymore. Eastman Kodak and Lehman Brothers were big organisations with great legacies and histories. Having the government as a customer (like Carillion) is also no guarantee of success. If anything, businesses will often sacrifice margins (and ultimately cash flow) for the apparent safety of a government contract.
3. We’re OK, we have a Risk Register
Risk registers can become sterile and predictable. What about new risks? Have they been identified? This should be a standard line of enquiry. New business models bring about new risks that often take Boards by surprise. Increasingly, boards appreciate the problems of being blind-sided by fake news or being on the receiving end of digital lynch mobs as new risks.
A question that we always ask boards is “Reflecting on the last twelve months, what has surprised you? Should you have been surprised?”
4. Our Supply Chain is Fragmented/ing
As supply chains become more and more fragmented, risk becomes increasingly difficult to pinpoint. The banking crisis a few years ago highlighted that plight very well. No longer do boards need to identify and understand counterparty risk; they now need to extend the analysis to their counterparty’s counterparties. Follow that through if you can.
5. We are Competing in a Disrupted Market
“Experience is great as long as the future resembles the past.” This quote is attributed to Gary Hamel, a leading American strategy consultant. It is apt and powerful.
All the executives I talk to tell me that the dynamics of their respective industries have changed and will continue to change. Music, retailing, broadcasting – to name a few – and even taxi industries have found themselves on the receiving end of disruptive behaviours.
This raises a number of questions, one of which is, ”Do the board and management have the capabilities to compete in this new world?” Marketing and advertising used to be “spray and pray”, not anymore. A website has become surveillance, technology is playing an increasing role in marketing activities, and it is no surprise that the remit of a Marketing Director is diminishing. The Coca-Cola Company has recently dispensed with that function by the way.
6. Teasing out All the Risks
Have the risks been sufficiently interrogated and separated out?
Cyber risk is not one risk but can manifest itself into a multiplicity of risk outcomes. We can add to this many other risks that often get a very generic description only without being fully understood eg legal, political etc…So has each risk item been analysed with a good deal of granularity?
7. Competitors can do the Craziest Things…
So often these are not sufficiently considered. Questions like, ”What is the craziest thing that our competitor(s)could do? What if we have to offer our product for free? Who could the new and future competitors be? If we were to be the subject of a takeover bid could we comfortably defend it to our shareholders on the basis that we could create more value?”
8. Worst Case Scenario
Far too often, when boards consider downsides, even their worst case scenario is too comfortable. Boards need to go to the dark side from time to time and explore serious doomsday situations.
It’s no exaggeration to say that whole markets can disappear.
The UK Regional airline Monarch saw its main tourist markets evaporate because of security fears. By the time it redirected its flights it was too late, and it could not compete with existing players who had superior offerings.
9. Unknown Unknowns…
Uncharted territories mean just that. The famous “unknown unknowns”. You simply do not know so, as a consequence, boards need to remain vigilant and constantly learn.
Boards and directors also need to “learn to unlearn”. The toolkit that may have worked in the past may not necessarily work in this new environment.
10. Risk Reviews
Over the years I have been involved and witnessed many of these. How about trying something different?
Create a project team under the guidance of your Chief Sarcastic Officer (we all have one J) with the following brief, “What would you do to bring this company to its knees – physical vandalism excepted?” This will expose your risk frailties and may turn out to be the best (and cheapest) such exercise that you will go through.
Good luck!
Jean Pousson is a strategy and finance consultant for the Institute of Directors. Jean spent 15 years at Barclays Bank and has a further 30 years’ of management consultancy, training, facilitation and coaching experience. He has sat on many boards, worked in more than 30 countries and has directed a number of change initiatives.
