John Crawley on the subject of Key Trends in Corporate Governance from a Risk Perspective.
“The effect of uncertainty on the achievement of organisation objectives is the ISO31000 definition of Risk. Having a Framework to oversee the achievement of organisational objectives is the backbone of Corporate Governance” - so says John Crawley FCCA CMC MIfT IRMCert, an International Risk Management Expert.
We recently interviewed John Crawley on the subject of Key Trends in Corporate Governance from a Risk Perspective.
- What is the role of Risk Management in the corporate governance structure of an organisation?
A key role of a strong risk management framework is to assist the board of directors in their responsibility to provide their shareholders with reasonable assurance that they have considered the effect of the uncertainties associated with the achievement of their business objectives. In doing so good risk management will guide the board on setting an appropriate risk appetite (the amount of risk the organisation is willing to seek or accept in the pursuit of its objectives). This sets the tone from the top.
Classic risk management frameworks talk about a “3 lines of defence” approach.
More progressive thinking expands this to 8 lines. In this model the board are identified as having a specific role as are the stakeholders.
Boards will typically have responsibility for risk tone, appetite and tolerance setting.
Stakeholders will have a key role in setting Environment, Social & Governance (ESG) expected standards from a risk perspective.
- Are there different models around the world or in different industries?
Broadly no. Boards around the world have two models:
1. The Unitary Board: Made up of non-executive and executive members on a single board. Typically, there is an audit & risk sub-committee of the main board who, among other things, focus on risk governance.
2. Two-tier Board: A supervisory board (mainly non-executives, who, inter alia, oversee the strategic risk framework) and an executive board (who typically have operational oversight of risk).
Increasingly we are seeing industry regulators focusing on the risk role that boards play. The UK Corporate Governance Code was updated in recent times. It now imposes a requirement on boards of directors to make a long-term viability statement for their organisation along the following lines:
Taking account of the company’s current position and principal risks, the directors should explain in the annual report:
I. how they have assessed the prospects of the company,
II. over what period they have done so and
III. why they consider that period to be appropriate
The directors should state whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of their assessment, drawing attention to any qualifications or assumptions as necessary.
This disclosure requirement in the directors' report of the annual financial statements is in addition to the “going concern” reporting by the external auditors.
- In the UK they talk about Conduct Risk. Can you tell us a little bit more about that?
Following the collapse of the banking sector in the aftermath of Lehman Brothers, regulators went on a soul-searching expedition to refocus on their key supervisory role.
The result of their deliberations was to issue guidance under a “Conduct Risk” viewpoint. Basically, Conduct Risk for their supervised entities falls into two sub-categories:
I. ensuring fair outcomes for the customer – (to avoid mis-selling) and
II. fair market outcomes – (to avoid one entity bringing down the whole market)
Conduct Risk in my view is born out of culture – intuitively doing things right and doing the right thing. The board has ultimate responsibility to develop an appropriate organisational culture.
- Are you seeing it spread into other industries and how are Boards addressing it?
It’s still a discussion in other industries but over the last year I have facilitated that discussion in Oil & Gas, Telecom and FMCC companies.
- How is good governance connected to cyber security risk?
In my view good governance means that an organisation has built an operational resilience framework that is robust. Operational resilience means the ability to weather several shocks to the business and recover quickly.
If an event occurs at point (a) on the chart the ideal recovery is at point (b), i.e. strong resilience. At points (c) and (d) there is clearly not a resilient enough framework in place. At point (e) time has run out and the organisation has failed.
Operational resilience should form an integral part of an organisation’s overall strategy. Organisations should be expected to have plans in place to deliver critical services, no matter what the cause of the disruption. This should extend beyond business continuity and disaster recovery, and should include man-made threats such as physical and cyber-attacks, IT system outages and third-party supplier failure as well as natural hazards such as fire, flood, severe weather and pandemic flu. The plans should be tested regularly on an assumption that “it has happened” rather than “it might happen” basis. The board should approve the impact tolerance levels which have been set for each of the organisation’s critical services.
- What advice would you give to a Board Member reading this interview?
I think we have finally arrived at a place where boards of directors across the globe recognise that a deep understanding of the uncertainties (risks) associated with achieving organisational objectives is imperative. My advice to a board member is to be comfortable in answering the following questions:
I. What are we prepared to do to achieve our goals? – Risk appetite and tolerance
II. What are the key strategic and operational risks we face?
III. What are our principal controls?
IV. How do we get assurance from management about how the organisation is managed? And
V. What assurance can we (as board members) give to our shareholders?