Risk management has become a bit of a hobby-horse for me. It’s part of corporate governance for UK Plcs and US corporates. I was exposed to it first when I was on the board of Tempus Plc and then again at SABMiller Plc. It’s fair to say that like a lot of corporate governance, company directors regard Risk Management as at best a necessary chore and at worst a pointless exercise. Business is at its heart a risk/benefit decision process and well-run businesses would claim that their normal management processes take care of risk assessment. Every time Risk Management came on the agenda at SABMiller, my old boss, Graham Mackay, would, with some irritation, point out that the origins of Risk Management lay with governance for banks and their particular needs rather than manufacturing businesses like ours. He had a point and to be fair SABMiller is an extremely well run business.
However, always the contrarian, I really enjoyed Risk Management (I was on the RM committee at Tempus and had to oversee its implementation for the marketing function at SABMiller). The arguments made sense to me:-
When businesses suffer serious calamity, people with hindsight always say the risk could have been foreseen. They are right more often than not. In fact, more often than not someone in the organization or a disaffected former employee claims they wrote a memo about it.
An exercise where you take a hard look at what could go wrong and then discuss ways of either avoiding, mitigating or insuring against it, is a fundamentally very strategic exercise. Of course you see risks but you can also see opportunities. At the very least you get fresh insight.
There are various ways to approach RM (good old Wiki lays them out) but it is essentially fairly straightforward. An experienced and accountable group of people look at all the potential risks for all aspects of the business and draw up a list. They then categorize the list into how likely they are to happen (high, medium, low probability) and how serious the effect would be if they did (high, medium, low impact). This then gives a matrix and of course you start with the highest probability/highest impact and work your way through them. Can they be avoided by improved management processes and/or better monitoring? Can they be insured against? Is further work or more fundamental change required? Logical stuff.
The point is, the risk is brought out into the open – what is the worst that can happen, how likely is it, what can we do about it? It’s impossible to do this without getting some great insights about the business and identifying some sensible actions to manage the risk.
The reason I am so obsessed by this subject is that for me it lies at the heart of what triggered the Recession i.e. the failure of the banking system (ironic that isn’t it?). It is also the solution, for me, as to what we should do to prevent a future reoccurrence of the systemic failings in the financial institutions, and a preferable one to lots more regulation and red tape.
Surely if Risk Management had been effective – that is to say applied with conviction and purpose – at Lehman Brothers (and the rest of the banks) they would have realized that they were massively exposed if house prices turned down? Does anyone now believe that Risk Management (forget the ethical questions just focus on the good business sense argument) was alive and well under Lord Browne at BP?
We don’t need loads more legislation. We have Risk Management – we just need to ensure that it is taken entirely seriously. And whom do we rely on to do that? Non-Executive Directors, that’s who. There has been a lot of whinging and whining among that elite group of NEDs on the boards of the big corporates. They complain that they carry so much accountability and responsibility for very little by way of reward as a result of all this pesky governance. How can they be held accountable, they have to rely on what the executive board tell them about a business they get involved with only 6 or 8 times a year? Bullshit.
A well chosen, vetted and experienced Non-Exec should know enough to be able to ask the tough questions and should be relied upon to see that protocols like Risk Management are taken seriously. Are you telling me an experienced banker could not have asked a few probing questions about toxic debt and the impact of a downturn in house prices (especially given how deep Lehman and others were into it)? Are you telling me an experienced oil man could not have spotted the shortcuts that BP were taking and the risk they were exposing themselves, their shareholders (which includes a lot of pensioners) and all of us to? I’m bloody sure I can in marketing which is my chosen area.
We do not need to change much. Keep the governance and regulation we have, just make sure it is applied vigorously and hold the NEDs to account if it is not. The one change I’d make is to have a potential Non-Exec vetted and approved by an independent authority. And I don’t buy the argument that any of this will put the good Non-Execs off joining a board. It is very prestigious, very interesting and already well paid. They get circa $50-100,000 to attend 6-8 board meetings a year (and read the papers and take an active interest in the business). This fee could be increased – surely it’s worth it – but in my view that is not the issue or the barrier to having good non-execs. Breaking up the cosy club of senior businessmen and well-connected retirees and opening it up to better qualified people is the issue. No names, no pack drill but I have met some truly ineffectual and disengaged Non-Execs in my time.
Business is risky and the impact of corporate calamities affects all of us. It can be made much less risky and no less profitable with a bit of common sense.
For those interested in the application of risk management thinking specifically to marketing you might like to read ‘Brand Risk’ by David Abrahams. You’ll see some contribution from yours truly but despite this, it is an interesting book from a smart author.
At least I think it is but then Risk Management is a hobby-horse of mine.