Executive boards have a responsibility for good governance and responsible stewardship, yet persist in treating risk as a control function, not a decision process. A board is required to take collective responsibility for the organisation’s risk appetite, yet in most board meetings risk is treated as the privileged domain of the Head of Risk, or Chair of the Risk & Audit Committee. Other directors defer to this person as a risk ‘expert’. Consequently risk is confined to imaginable threats to business continuity, a very limited perspective especially as most crises result from unimagined incidents.
Consider two very different unimagined incidents: Ratner jewellery in 1991 and United Airlines in 2017, years apart but with a common theme. In Ratner’s case, a disparaging flippant remark, intended for the financial press, reached the tabloid press where Ratner’s customers took offence and boycotted the brand. In United’s case, an incentive scheme to encourage over-booked passengers to move failed to motivate a customer, who as a result was removed by airport security. In each case the consequences were never imagined because the situations were not itemised on any risk register.
In the past 30 years almost every reputational crisis of note was caused by an incident that had not been foreseen or imagined. This is not a fault of risk management itself, but of how myopic boards have become in their perception of risk. Risk is future uncertainty, good and bad, opportunity and threat. Risk has become a discrete function rather than a vision of future outcomes and bedfellow to Strategy. The same happened to Corporate Responsibility in the recent past: a collective responsibility was identified, attributed to an owner, who became the expert at the board table. What is it in the psychology of boards where authority is sought but collective responsibility is shunned?
Risk as a discipline lends itself to ‘expertise’, largely because of the influence exerted by the insurance industry. Here risk is calculated as potential financial loss based on a correlation of incident severity (cost) and incident occurrence (probability). Where both are high then damage is likely and insurance cover more expensive. Risk management as a corporate function creates systems and control processes to avoid loss caused by business interruption or damage. There are two fundamental flaws to this: the first is that risk is future uncertainty and so defies control, and the second is that certainty itself is an illusion; there are only differing degrees of uncertainty!
The reason so many scandals and crises still occur decades after risk became a hot boardroom topic is that boards are looking at risk the wrong way. It also explains why so many communicate it ineffectively. To investors and sponsors risk is presented as a commercial opportunity, the precursor of reward; but to regulators and customers it is presented as something under firm control, a threat that has been confidently mitigated. The language of risk is muddled and so boards need to develop collective risk literacy. This is necessary to articulate not only the board’s shared appreciation of risk, but also its powerlessness to offer certainty about the future.
The boardroom is an environment where behavioural economists see classic group dynamics at play: there are at least three psychological drivers beyond the personalities and character of individuals on the board. The first is loss aversion: we fear losses more than we value gains, and in a group caution will usually win out. The second is exaggerated optimism, where in order to promote our pet scheme we will tend to over-estimate benefits and under-estimate costs. The third is cognitive bias and the tendency to seek consensus through a shared mind-set or ‘Groupthink’. Is it any wonder that the collective board attitude to risk is so compromised?
What is the best way to develop risk literacy? The first step is to shake off the fear of uncertainty and this might seem unnatural. Boards feel they are expected to deliver certainty to investors, customers and a variety of other stakeholders in order to retain their mandate to operate and instil confidence. Nevertheless certainty about the future is a dangerous place and it has been said there are only two types of forecast – lucky and wrong! Admitting uncertainty is not a sign of weakness or incompetence, provided of course it is qualified. Effective risk literacy requires an appreciation of the different degrees of uncertainty, from known-knowns to unknown-unknowns and all the intervening stages.
In dealing with uncertainty there are many reference points, but a good place to start is Ann Kerwin’s ignorance map, now over 30 years old, which features ‘six domains of ignorance’. This is helpful when considering strategic futures and forecasting as it distinguishes different types of uncertainty; once you recognise the nature of uncertainty you can begin to reduce it as a core competence. Boards seem instinctively driven to deliver future certainty, while knowing secretly that this increases the risk of being proved wrong. Like lemmings they seem to know of no other way forward, but there is a way in risk literacy, although it does require time spent in discussion, which many board meetings don’t allow.
Improved risk literacy among boards will reduce the risk of performance getting significantly out of line with promise. In the case of Ratner and United a gap opened up between what investors & customers expected and what proved to be reality. This is the gap into which reputation falls. In Ratner’s case customers learnt that he believed his products were ‘crap’ and by implication they were gullible. In United’s case customers believed the airline ‘flew the friendly skies’ but video footage of a customer being beaten up quickly disabused them of this notion. In both cases discovering reality was a complete shock: in 1991 through mainstream press and in 2017 by social media. It is ‘dissonance shock’ that damages reputation: trust flees with value not far behind. Reputation is how you behave.
A higher level of risk literacy in boards would also help to address the dissonance when different parts of an organisation exhibit different approaches to risk. This is most common in the public sector but can also be found in the private sector. Public services like schools and hospitals tend to have a risk-averse culture, implicit in the nature of their duty of care. An imposed management level tasked with cost cutting or revenue generation imposes a higher appetite for risk than the operational culture because it will be looking for commercial gain. The clash of risk culture between management and operations can be recognised and tackled with higher levels of risk literacy in the boardroom.
The amount of risk literacy in a board will depend on the industry sector and the extent to which risk is or is not an intrinsic part of the operational environment. Most organisations already know whether they have a risk-seeking or risk-avoiding culture; the challenge is to ensure the board has the right balance of viewpoints to equip the enterprise for the future operating environment. The statutory requirement to report on risk appetite is a good start, and most professional organisations accept that appetite will vary according to a variety of internal and external factors so report it accordingly. There does however need to be greater attention to strategic as opposed to operational risk by the board.
Strategic risks should be discussed by the board but are often unseen or unspoken, either by accident or design. Unseen risks include those which cannot be attributed, such as reputation, and those which are simply too complex or political. Some risks are unseen because they are so obvious they have become invisible, such as culture itself. Unspoken risks include those which powerful members of the board do not want discussed or which for legal reasons cannot be openly discussed. Some unspoken risks remain unvoiced because to do so would question the ethics of the organisation. Nevertheless both unseen and unspoken risks fall into the category of strategic risk which the board should discuss.
In conclusion, boards could improve risk literacy through taking collective responsibility for decisions about the organisation’s future direction (strategy) in tandem with uncertainties relating to this (risk). Perception of risk as threat or opportunity will vary among individual board members in accordance with their personalities, disposition, outlook and experience but collectively it needs to be corralled into a consensus view in terms of both perception and attitude for the organisation as a whole. This will probably require a CEO or Company Secretary to pull together the consolidated opinion of both executive and non-executive board members, but in the long run the organisation will be in a healthier place and earn greater respect from investors, customers and other stakeholder sources of income.