Risk Culture at the Level of the Board

Dr Simon Ashby (Plymouth University)
Dr Patrick Ring (Glasgow Caledonian University)
Dr Cormac Bryce (University of Nottingham)

Based on the ACCA Report: Risk and the Strategic Role of Leadership

www.accaglobal.com/uk/en/professional-insights/risk/risk-and-the-strategic-role-of-leadership.html


Post on 29-Aug-2018



New Challenges: New Cultures?

The Participants

• 30 semi-structured interviews

• Large companies v SMEs approx. 50:50

• Combined experience is approx. 60 organisations, including:
  ⁃ 17 quoted
  ⁃ 15 NFPs

• Two focus groups to discuss findings

Main position of the interviewees

• CEO
• Other executive
• NED/board chair
• Other NED
• Board consultants

Current Lens of Analysis

Board level ‘risk culture’ formation as a series of trade-offs

A trade-off approach to risk culture: Power, M., Ashby, S. and Palermo, T. (2013) Risk Culture in Financial Organisations: Final Report, Financial Services Knowledge Transfer Network, London.

Risk Culture Trade-Offs: Non Board Level

More ‘organic’ in approach

More ‘engineered’ in approach

Trade-Off 1: Board Risk ‘Philosophy’

Prescriptive
• more formalised;
• board agenda item;
• can lead to tick-box;
• may avert risk excessively.

Principled
• less formalised;
• can be more innovative;
• can be unstructured;
• may overlook key risks.

Regulation is a key driver for prescriptive approach, plus sector differences and organisation size differences

Regulatory Drivers

“(T)he risk appetite framework and … statements are very much something that the board seems to feed into. We are seeing,… through regulatory pressure, to evidence more what the board are actually doing in the oversight piece …” - ED

“(T)here are times when you do need to tick some boxes … because you have lists of compliance matrices … and you have to show that you've followed them… and the best way of doing that is to tick a box.” - NED

2: Segregation or Separation

Principled: Separate

Prescriptive: Segregate

‘What you don't want to happen is that the chief executive is telling you everything's rosy in the garden, but when you go out in the field, you find that all the things that you've been told are rosy aren't really happening’ (NED).

‘I know the chairman of one company… they always have their lunch in with the employees, they never go and sit in a separate dining room. And when they say you can come and have a chat with me and tell me what you think they mean it…I think it’s something that a lot more boards are doing now than they ever did before. They cannot hide away in an ivory tower, they need to actually understand the business. If you’re going to govern something you must have a decent level of understanding, otherwise how on earth can you govern?’ (NED).

3: Forward or Backwards Focus

Static data

Risk-safe zone?

Complexity

Time pressure

“In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector” (NED)

If they start talking about the 99th risk on the register, they’re getting too much into the operational. (ED)

“the big complex ERM systems … take time to gather (information on) and information is providing a picture of what was, as opposed to … what is currently pulsing around you in the organisation”. (ED)

4: Challenge or Passive Board?

Organisation

Execs

Board

‘We very often think about the role of the board being fundamentally about the assurance in terms of safety of the overall organisation – reputation, cost of return on capital, all of those issues; and the executive is responsible for the “ensurance” of the way in which assets are deployed in the organisation, and how you have as a board a sensible, meaningful conversation about that interrelationship seems to me to be absolutely critical – it’s a critical space …’ (ED).

“(I)t’s really tiring to consistently put yourself in the way of asking the difficult questions” - NED

5: Expert or Diverse Skills?

Risk intelligence as a means for coping with the unexpected. Board as a collective intelligence.

Required intelligence changes over time

“if you have an organisation, for example, that’s been a board composed of people who’ve come up through the ranks, and understand the culture of the organisation and understand what really makes it tick and how things, how politics work, and how communication really works in practice, and you have non-execs who all come from the same industry, then you have a board that is very good at understanding what I would describe as internal risk. And if they lack true exec and non-exec members who have come from outside of the organisation and ideally outside the industry, then they will lack that external perspective and there will be a lens around the board room table that is missing” (NED)

Board Discussions on Risk Culture

“…culture, strategy, risk, it’s kind of like three sides of a triangle, and they have got to fit together…..when a board is approving strategy and deciding on strategy, and in the context of the risks that’s being taken, and as a consequence, the board should be deciding how much risk they want to take.” (NED).

“(T)he tone has to come from the top so if your … board thinks about risk management ... as a compliance exercise,… it will never be embedded in the day to day work, in the day to day operating model of the company. And therefore it will never be part of discussion at board level.” (ED)

“…you've got to have a definition of what you think the culture is. And then you've got to have metrics which help you determine whether that culture, in fact, exists. And those, you know, might involve employees' feedback surveys, discussions with focus groups of employees etc, etc. So, you know, there are practical steps that boards and management take to determine whether their… the culture they think they have and the culture they aspire to is, in fact, the culture that is operating in the business.” (NED)

But very few organisations did!

Conclusions

• How boards incorporate risk management into their activities is highly varied and based on past experiences and external drivers

• Board risk management activities are as cultural as any other part of an organisation

• No best culture, but there are some areas of good practice to help develop successful board risk cultures

“I do think about positive risk and negative risk… negative risk is where you are thinking about the risks to the business' viability and, you know, ongoing stability and ongoing sustainability.” (NED)

“So it’s really circular so, and it’s difficult to see which, where does it start and where does it end. But it’s all together.” (ED).

“if you start from the premise that the culture of the organisation is a key determinant to unlocking strategy, to delivering strategy, then, understanding the culture as regards risk is definitely part of the oversight role of the board.” (NED)

“Understanding risk management, the risk-reward equation, is fundamental to the role of the board” (NED)

Thank You


Dr Simon Ashby
Associate Professor of Financial Services
Plymouth Business School
Drake Circus, Plymouth, Devon, PL4 8AA

Telephone: +44 (0)1752 585720 or (0)7905 179945
