With payday lender QuickQuid following High Street travel icon Thomas Cook onto the latest list of corporate failures, CEOs may be left asking ‘who next?’ To navigate this uncertainty, business leaders need an approach to risk management that provides visibility and helps them make better decisions, more quickly and with fewer regrets.

Kim Horsburgh, Senior Relationship Manager at Criticaleye, believes we are in for the long haul when it comes to uncertainty and disruption. “The current speed of change is not going to diminish – it’s going to continue to increase. The risk processes you put in place today must be able to adapt and withstand that,” she says. 
 
However, Boards and execs shouldn’t let themselves become overwhelmed in the face of today’s fast-paced environment. Adam Green, Chief Risk Officer at Equiniti, says: “There are currently many moving pieces in the wider risk environment, but it’s important to precisely define the uncertainty you are facing before you can assess whether the true risk has really changed.”   
 
While he notes increasing concerns around the environment and changes in both politics and technology, he points out that not all businesses will be impacted to the same extent. “People can easily feel very uncertain when the risk of change arises. In terms of your business, you have to be clear about how you are exposed to a risk and in what way it may specifically impact staff.  
 
“The best way to manage through strategic uncertainty is to take some time to define the specific issues of concern and communicate clearly how the business will directly address these,” he says.
 
Niamh Higgins, Group Conduct Risk and Regulatory Compliance Director for Legal & General, states: “Even during times of uncertainty there is a lot that’s known and that doesn’t change. In terms of what may change, such as customer contact centres being inundated, if you’ve done good scenario and business-continuity planning you will have prepared for a lot of these or similar events.
 
“That’s why scenario planning and thinking about disaster recovery is so important – it gives you resilience and it’s a risk management tool of its own.” 
 
But it isn’t just about identifying and mitigating risk, you also need to embrace it. Criticaleye Board Mentor Matthew Lester, who is an NED and Chairs the Audit and Risk Committees of both Capita and Man Group, explains: “You need people who are capable of understanding the difference between risk that you must take because you need to do business, versus the risk you can’t take on as you don’t have the financial capacity to withstand the consequences. 
 
“People with judgement and clarity of thought are vital in this area. The very best risk managers don’t wrap themselves up in policies and procedures. They are clear that risk is a fundamental part of how we operate,” he says. 
 
Matthew draws on his experience as the former CFO of Royal Mail, where the leadership team had to ask searching questions about their appetite for risk as they rebuilt the business. “The nature of the DNA was risk averse in terms of making mistakes and damaging the brand,” he says. “We could have just stuck to the knitting, and cost reduction was an important way of getting to financial security.  
 
“But the velocity of change meant we might not have that luxury anymore and so we had to experiment in terms of our products and their features,” he says.  
 

Room for Improvement 
 
So, where do things fall down and leave organisations exposed? Mark Castle, Deputy Chief Operating Officer at Mace Group, says that a business can outgrow its established approach. Since he joined the global consultancy and construction company he has seen it expand its workforce from 1,400 to 6,500 people. “As the business has grown organically over the last 10-15 years we have taken on larger projects. That creates an increased level of risk to our operating performance and balance sheet,” he says.  
 
“We recognised as a Board that we needed to [create] a higher level of transparency and risk review because, if you’re not careful, as the business gets bigger the leadership team gets more remote from the field of play. So, you have to make sure your governance and processes are good enough to spot problems before or as soon as they happen.”  
 
Andrew Duff, Director of Financial Services Advisory at EY, also finds that risk functions, particularly within the financial services sector, can struggle to keep pace with the business planning process if they are reliant on slow-running, stress-testing processes. “One solution is to do some of that risk work upfront and present a number of risk appetites and scenarios that the business can develop plans against,” he says. “Or they can invest in quicker, more summarised stress testing that’s suited to a planning cycle rather than full regulatory needs." 
 
Andrew also frequently hears Boards complaining that they get so much information on risk that they can’t get through it all. They also say they know the key issues are in there somewhere, but they can’t find them within their paper-based packs or static PDFs. “There are lots of ways that risk information could be made more accessible to Boards, such as through automation of dashboards and reports to provide the ability for them to drill down into the data themselves. This would let them see more detail when they need to,” he says.  
 
“That would allow NEDs to really challenge the Executive, whereas if the execs are producing and providing the information then there’s a potential asymmetry. The Board can only challenge based on what they’ve been given.” 
 
Seeing risk management as a tick-box exercise is another sure-fire way to fail. In contrast to this, Adam places great value on discussions. “One of the reviews I took the Executive and Board through at Equiniti was to look at the natural divergence of views between all the senior staff on certain risks," he says. 
 
This approach involves briefly discussing complex risks and then getting everyone in the session to privately record on paper where they think each sits on an impact / likelihood matrix.  When subsequently plotted out, some risks are closely grouped and other dispersed. Adam then finds that simply asking the question: ‘What does this suggest about our understanding of this risk?’ at a subsequent feedback meeting can lead to useful insights that improve risk understanding and management.  
 
“I find you get higher-quality risk discussions, and so better-quality decision making, when people discuss their understanding of a risk alongside recognition of their colleagues’ and peers’ perspectives, and then seek to explain the differences," he says. 
 
Ultimately, executives must take accountability for the risks and opportunities identified. Matthew says: “Risk management is a fundamental part of running a business, and I’m constantly surprised by how many people who run divisions don’t have a good appreciation of it. They assume that someone else will manage risk for them. I often encounter people who are 20 years into their career and say ‘that’s what Risk, Finance or Group does’. No, that’s what you do.” 
 
He continues: “There needs to be an explicit conversation about who sees themselves as ultimately responsible for risk in the company. The answer should be the CEO. They can then choose to delegate that activity to someone else or not. The chief executive needs to make a choice and then have a clear plan of action.”
 
 
Emma Carroll, Senior Editor, Criticaleye 
 
Next week’s Community Update will look at the issues surrounding length of tenure of today’s CEOs.