Getting the board on board

To create a better relationship between the risk function and the board, risk managers need to stand up and show their bosses that they are not just the ‘insurance buyers’ that some senior leaders perceive them to be.

Australia-based multinational shopping centre company Westfield Group’s chief risk officer Eamonn Cunningham (pictured) says that risk professionals can show their true worth by developing and displaying a methodology that is applied in a consistent way.

“This should create an environment within which risks, appropriately assessed, can be brought to the attention of the executive committee or straight into the boardroom,” he says.

“Best in class risk managers would at the same time propose a mitigation strategy for discussion and debate.”

For their part, boards need to open their eyes and realise the value of the talent they have at their disposal.

“For the simple reason that without it your business will die,” says international corporate governance and board development consultant Professor Bob Garratt.

“The world is so turbulent and uncertain that there is an increased urgency to have at the top of your organisation – by which I mean the board, not the executive – a group who are frequently horizon scanning and beginning to bring their thoughts on what is changing into the organisation for discussion, from which the executive function can begin to adjust their plans.

“Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so; they don’t have any means of doing so, never mind ways of bringing their information into the business.”

Quality questions

It is in this space that risk managers can prove their value and improve their relationship with the board. Director of governance, risk management and compliance at Thai-based supermarket chain Big C Phatchada Muenthong says that “quality questions” from the Board are highly important.

“Many boards just start by posing a simple question like ‘Can the risk manager help us understand what the company is doing on risk management at the enterprise level?’, then the board can undertake its supervisory role,” he says.

By finding their place at the crossroads between senior leaders and the executive, risk managers can demonstrate their importance to the board. Muenthong again: “The risk manager should initiate a discussion with the executive to identify the major areas in which risk can be avoided if the work is done better.

“For example, when there was political unrest in central Thailand, logistics teams had to explore alternative routes to distribution centres and stores as roads were often blocked by protesting farmers.”

Robust discussion

Cunningham says that to be truly effective, a risk manager needs to have a good relationship with the CEO and/or CFO. “The clearer the line of communication, the more likely it is that there can be good open robust discussion about what is on the risk horizon, its relevance to, and potential impact on, the corporation,” he says.

The risk management function needs to look at what – and how – it communicates, shifting the emphasis from planning and strategising to implementation and action. Cunningham again: “Risk managers need to have a proven ERM framework that truly works in practice and is therefore likely to be accepted by the business. This gives you more buy-in from all functions and will result in the identification of a more complete list of risks that is relevant to the enterprise.”

Of course, risk managers shouldn’t be reporting anything without offering suggestions of how to deal with it. However, as the vice-president of risk management at Genting Singapore Steve Tunstall explains, any solution to a problem must be endorsed if not supplied by the business unit head who is accountable for delivering the solution.

“Otherwise the risk manager has to be superman and demonstrate perfect knowledge of all functions – a position which is clearly untenable,” he says.

Muenthong says that while a risk manager may have some expertise in a particular subject matter, risk mitigation actions should come from “executives who have their feet in the operations on a daily basis”.

“Risk managers can give options on best practice, but executives will confirm the fit with their functions,” he says. “Once actions are implemented, risk managers can monitor if the risk control works well.”

New area of risk

Companies are increasingly being asked to enhance their traditional ways of reporting and formally adopt triple bottom line reporting – opening up a new area of risk and bringing risk managers into the theatre of governance.

Triple bottom line reporting, first developed in 1994 by British consultant John Elkington, requires companies to prepare three different bottom lines. The first is the traditional measure of corporate profit, the bottom line of the profit and loss account; the second is the bottom line of a company’s ‘people account’– how socially responsible an organisation has been; the third is the bottom line of the company’s ‘planet’ account – a measure of how environmentally responsible it has been.

“Increasingly international law will be requiring these things, and the question is how are we all going to muck in and make this happen?” says Garratt. “Increasingly in emerging economies, we are seeing the emergence of a licence to operate, and the decision to grant these will be based on these principles. Risk is at the heart of all this.

“These are interesting times. A lot of the traditional ways of operating are up for grabs.”

It’s important to note that, post 2008, risk is increasingly at the heart of emerging legislation on corporate governance – another area where risk managers have a chance to prove their value and develop the quality of their conversations with the board.

Failures in corporate governance can land members in court, there’s the Bribery Act to think about and security risk is “everyone’s responsibility”, says Damian Thompson, region security director at Control Risks International SOS. “Because when things go wrong, the board is in the firing line.”

“But they usually fire the risk manager first to get a little breathing space,” Tunstall adds wryly.