Risk Management – for NEDs

Arguably the most significant adjustment to the NED role over the past seven years is that all NEDs must now be well versed in identifying and managing all forms of risk – operational, financial and reputational…

As a Chairman once described: “Risk is a massive issue now: you need to understand the risks and be clear about what the board is doing about mitigating those risks.”

So, how can you ensure that risks are being articulated appropriately, and how can you probe into how risks are being mitigated, irrespective of whether risk management is well established within an industry or not? In the first part of this article I give some steer on how you can assess current risk management practices (governance), and the latter part covers some best practices.

Risk Maturity

If one has not already been done within the company, you could carry out a Risk Maturity Assessment, which gives an indication of the organisation’s engagement with risk management.

There are various models, usually with five levels of maturity (see the 5 Level Maturity Model in the diagram below). They range from an immature Level 1 organisation, where there are no formal risk management policies, processes or associated activities, tools or techniques, through a Level 2 managed organisation, where policies are in place but risk reviews are generally reactive, all the way up to the mature or ‘risk intelligent’ Level 5 enterprise, where the risk management tone is set at the top and built into decision making, with risk management activities proactively embedded at all levels of the organisation.

(Diagram: 5 Level Maturity Model)

The outcome of such an assessment will give you a clear indication of the risk management maturity level of the organisation. Depending on how that aligns with the Shareholders’ and Board’s expected level, the necessary change actions can be initiated to mature the organisation to the expected level. It will also give you a measure of clarity about the rigour of process and review that is likely to have gone into the risk reporting that you see as a Board.

Risk Score/Rating Matrix

As risks are identified, logged in the Risk Register and then assessed on the likelihood of each occurring and its impact on the business should it occur, a Risk Scoring Matrix (preferably with a 5-point scale, as per the diagram below) is very useful for assigning a Risk Score to each risk.

The higher the score the higher the priority of mitigating the risk should be.

(Diagram: Risk Score Matrix)

As a NED you need to assess the completeness of the Key Risks in the Risk Register. Engaging with the executives prior to board meetings goes a long way towards getting input and a feel for the risks that exist on the floor (the day-to-day running/operations) of the business. You should also ask whether there is something that you are talking about in every meeting that is either not on the risk register or is rated as a low risk. If so, you need to explore why you are talking about it as a Board while management are not giving it greater focus.

Risk Heat Chart

A heat chart (as per the diagram below) enables a holistic view of risks, with high-scoring risks in the top right corner (coloured red) and low risks in the bottom left corner (coloured green).

(Diagram: Risk Heat Map)

For a board to get an overview of what the key risks are, I don’t think you can beat a heat chart.

As a NED, you can use this to sense check: Are the risks in the top quadrants, the Red Risks, the ones that the Board feel are the highest risk? Are you talking about these risks regularly and challenging the business on what mitigating actions they are doing to reduce them?

Approach on Risk Review

The popular parlance these days is a ‘deep dive’ into the highest risks, usually undertaken by the Audit Committee.

Apart from the ‘deep dive’ into risks usually undertaken by the Audit Committee, you, as a NED, will want to do your own exploring. Below is one approach.

1. Current Risk Score

What is the justification for the current rating – does this feel right? The impact should be measured by the potential impact of the risk on strategic objectives, and is usually quite easy to define, but likelihood can be more subjective.

Also known as the mitigated risk rating, the current rating should recognise mitigations or controls that are already in place, and how effective these are.

2. Target Risk Score

What is a reasonable target risk rating for this risk, i.e. where are we trying to get to?

As a Board, you need to set the risk appetite (which equates to target risk ratings).  This may vary by the type of risk, for example, targeting a very low risk rating might be necessary on something that is a matter of compliance or safety, but in commercial matters, the trade-off between risk and reward needs to be considered, so a higher risk appetite is likely to be acceptable.

There won’t be a limitless budget to spend on mitigating every risk to a minimal level, so as a Board you will have to decide what level of risk you are comfortable with; and where the balance sits between reducing the risk and the cost of mitigation.  Why would you spend more on mitigations than the financial impact of the risk crystallising?

3. Mitigating actions

How are you going to get to your target level of risk? Planned mitigating actions should drive the risk rating to its target level. This is a focus area for audit committee deep dives: what actions are planned, and will they be sufficient to bring you to your target risk rating? Progress on these actions should be monitored regularly. If there is no progress, ask whether this risk is being taken seriously enough, or whether it is not as big a risk as you first thought.

Good risk management should aid decision making and avoid or minimise losses, but it should also identify opportunities.

Let’s look now into Risk Mitigation in more detail…

Approach on Risk Mitigation

Risk mitigation can be defined as taking steps to reduce adverse effects and impact to the business while reducing the likelihood of the risk.

There are four types of risk mitigation strategy that apply to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a strategy that closely relates to and matches your company’s risk profile.

(Diagram: four types of risk mitigation)

Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Risk Limitation/Reduction

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference involves handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if the transferred risk is not a core competency of that company. It can also be used so that a company can focus more on its core competencies.

All four of these risk mitigation strategies require monitoring. Vigilance is needed so that you can recognise and interpret changes to the impact of that risk.

NED :: Non-Executive Director’s proposition

Are you aware of the substantive and measurable value a Non-Executive Director can bring to you and your business…?

Introduction

The Non-Executive Director is no longer a role associated just with large organisations. There is a growing awareness of the NED role, and more and more organisations are appointing NEDs of various types and specific specialities, often within technology and digital transformation, to enhance the effectiveness of their boards as standard practice.

With the pressure on organisations to compete globally, deal with digital transformation and respond to rapidly changing market conditions, new skills are needed at board level. This leads to the role of the NED diversifying and introduces a need to refresh the NEDs as circumstances change, bringing in new specialities, experience and challenge when the organisation needs it.

A good NED can, and should, make a substantive and measurable contribution to the effectiveness of the board. Do not see a NED as a consulting advisor: a NED, within the remit of the role of a company director, plays a full and active part in the organisation’s efforts to succeed. Irrespective of the skills, experience and network contacts that NEDs will bring, they must, above all, provide appropriate independent and constructive challenge to the board.

Both the organisation and the NED must understand the purpose of being a NED, within the specific organisation, for the role to be effective. This includes a clear understanding of what value the NED is expected to bring. A NED’s value goes beyond just the statutory requirements.

On appointment a Non-executive director can:

  • Broaden the horizons and experience of existing executive directors.
  • Facilitate the cross-fertilisation of ideas, particularly in terms of business strategy and planning.
  • Have a vital part to play in appraising and commenting on a company’s investment/expenditure plans.
  • Bring wisdom, perspective, contacts and credibility to your business.
  • Be the lighthouse that helps you find your way and steer clear of near and present dangers.

The role of the NED

All directors, including NEDs, are required to:

  • provide entrepreneurial leadership of the company
  • set the company’s vision, strategy and strategic objectives
  • set the company’s values and standards
  • ensure that its obligations to its shareholders and others are understood and met.

In addition, the role of the NED has the following key elements:

  • Strategy: NEDs should constructively challenge and help develop proposals on strategy.
  • Performance: NEDs should scrutinise the performance of management in meeting agreed goals and objectives and monitor the reporting of performance.
  • Risk: NEDs should satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible.
  • People: NEDs are responsible for determining appropriate levels of remuneration of executive directors and have a prime role in appointing, and where necessary removing, executive directors, and in succession planning.

“In broad terms, the role of the NED, under the leadership of the chairman, is: to ensure that there is an effective executive team in place; to participate actively in the decision-taking process of the board; and to exercise appropriate oversight over execution of the agreed strategy by the executive team.” (Walker Report, 2009)

A non-executive director will bring the following benefits to your company:

  • strengthen the board and provide an independent viewpoint
  • contribute to the creation of a sound business plan, policy and strategy
  • review plans and budgets that will implement policy and strategy
  • be a confidential and trusted sounding board for the MD/CEO and keep the focus of the MD/CEO
  • have the experience to objectively assess the company’s overall performance
  • have the experience and confidence to stand firm when he or she believes the executive directors are acting in an inappropriate manner
  • ensure good corporate governance
  • provide outside experience of the workings of other companies and industries, and have beneficial sector contacts and experience gained in previous businesses
  • have the ability to clearly communicate with fellow directors
  • have the ability to gain the respect of the other directors
  • possess the tact and skill to work with the executive directors, providing support and encouragement where difficult decisions are being made
  • have contacts with third parties such as financial sources, grant providers and potential clients

Looking for a NED?

Now that you understand what a NED can do – What are you waiting for?

Contact Renier Botha if you are looking for an experienced director with strong technology and digital transformation skills.

Renier has demonstrable success in developing and delivering visionary business and technology strategies. His experience includes Mergers & Acquisitions (M&A), major capital projects, growth, governance, compliance and risk management, as well as business and organisation development. From startup to FTSE-listed enterprise, the value Renier can bring as a NED is substantive, driving business growth.