Risk. There is a lot of it about at the moment.
Brexit-related uncertainties, data theft, disruptive technology, ‘traditional’ risks like financial mismanagement. The list of risks is so long there aren’t enough hours in the night to lie awake worrying about them all.
Understanding the risks facing an organisation and making sure they are being addressed is central to the board’s ability to lead it effectively, which, in turn, means it is central to the role of company secretaries and governance professionals. This is reflected in The Chartered Governance Institute’s recently revised qualifying programme, which now includes for the first time a separate module on risk management.
Until ten or fifteen years ago, risk was often seen as something for management to deal with, not a matter for the board. There are a number of reasons why that has changed.
One is the recognition that many significant risks are ones over which organisations have limited or no influence. For example, the latest edition of the World Economic Forum’s Global Risks Report identifies extreme weather conditions and the failure of climate change mitigation as the top two global risks in terms of likelihood. The report also highlights macroeconomic and geo-political risks.
None of these risks can be controlled by conventional risk management systems (as important as they are), but all have the potential to derail or destroy an organisation. They need to be understood and to inform the strategy the board pursues. As the UK Corporate Governance Code puts it, the board needs to 'determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives'.
Another reason is the increased attention paid by regulators to risk management in general and specific risks in particular. GDPR is one recent example, and the Government is currently considering whether to introduce a UK equivalent to the US Sarbanes-Oxley legislation. Some of this regulation places specific legal obligations on the board, for example in relation to bribery; all of it requires boards to satisfy themselves that the rules are being complied with.
As a result, we have seen a growth in risk management functions and processes. Many more organisations now have board risk committees, particularly in regulated sectors, adding to the list of committees for which the company secretary is responsible.
In parallel, our understanding of the factors that influence the quality of governance has also broadened. Much more emphasis is now placed on organisational culture, which starts with the board; this is also reflected in the Institute’s revised qualifying programme. Weak culture – such as tolerance of bad behaviour or reward systems that encourage it – not only leads to weak governance, but is also often the reason that risks materialise. Governance and risk failures are usually one and the same.
There are some who still argue that risk and governance are different disciplines. If that ever was the case, it isn’t now. Poor governance generates risks; good governance can help to manage or mitigate them. Risk managers, internal auditors and governance professionals may all have different specialisms, but they have a common objective. It is important that each understand how they can support each other. The Chartered Governance Qualifying Programme is a great place to start.
The author of this article is Chris Hodge FCG, Policy Advisor at The Chartered Governance Institute. Before joining The Institute, Chris was the FRC Director of Corporate Governance.