4th March ICSA: The Governance Institute was delighted to partner with Marsh to host a focus group discussion on operational risk and resilience.
The event was a lively roundtable discussion with varied opinions about the significance of operational resilience to boards and included contributions from David Styles of the FRC on how risk is addressed in the UK Corporate Governance Code and from the Department for Digital, Culture, Media and Sport about the role the government is taking in assisting boards to address cyber security.
The discussion began by reflecting upon the changing nature of how risk is understood. It was noted that the Royal Bank of Scotland’s outage in June 2012 led to an industry shift in resilience as both the banking regulator and the British public began to alter their perceptions of what risk means for business. The fallout from the computer failure left RBS with a £56 million fine from the Financial Conduct Authority, but ultimately resulted in the banking sector making significant improvements to its attitude towards risk. This has left the public with a perception that the banking industry is more advanced than its peers but, as the focus group discussion uncovered, many other industries are doing impressive work, just less vocally.
Crisis management was highlighted as another key area for consideration surrounding operational risk. It was noted that companies which were good at crisis management received, on average, a 5% share price improvement post-crisis, but firms which had failed to invest in resilience prior to the crisis suffered an average 12% share price loss. The conversation highlighted the fact that the majority of firms are investing in crisis prevention; however, comparatively few are investing in resilience.
The group saw this as an issue of bridging the gap between IT and finance departments. Unity between the two is needed for a successful risk management programme. Additionally, it was noted that the companies doing the best work do so by combining scenario planning, which is business-led, and exercising, which involves the board.
David Styles highlighted the fact that the Wates Principles bring together all the general principles of governance into one package and reflected upon the way that the Corporate Governance Code defines corporate culture, seeing it as something that doesn’t just exist within the boardroom but rather as much broader in scope, permeating the whole organisation.
The attitude to risk has to be important to investors and, therefore, the role of annual reports was seen by the group to be of utmost importance, acting as a statement of intention, a log of activities and an outcome report.
The impact of good resilience programmes was felt to be often missed by companies, which can be more focused on events. Governance and risk management are seen as second-line functions, but it was agreed that they should become a first-line function; whereas other functions are becoming more agile, governance is still viewed as a bureaucratic burden. This needs to change, although ways in which this can be achieved are dependent on the company’s approach, particularly in terms of whether risk is dealt with at an entity or divisional level. It was noted that there may well be differences in perception of risk, with risks that are identified at the coal face often being different from those identified as an operational risk.
What was conceded by all is that operational risk and resilience need to be taken seriously and not just treated as a box-ticking exercise. As Carillion’s collapse shows, firms need to be engaged in spirit as well as following the letter of the law.
Events like this are a fantastic way for companies to come together to show their commitment to creating a better governance landscape for the future.