15 Mar The Principal Risk Discussion: what’s it for?
For many boards this is the time of year for finalising the Annual Report. So that means, at least for UK listed companies, that it’s time for the principal risk list. But after the upheavals and stresses of the past year, this time round boards have been prompted to ask “what are we looking to achieve with this? What’s it trying to capture?”
Few (if any?) had global pandemic on the list after Sars faded into the dark shadows. If that wasn’t picked up, what else is being missed? Have we got the right approach? Boards are asking questions about the whole process of determining principal risks, and about the picture that emerges. And they’re asking how the concept can be made more useful. Even if it’s too late to restart this year’s process, all should be looking ahead and thinking through how they are going to approach their discussion of risks in future. Here are some tips on what to think about, along with pointers on what doesn’t work so well.
Good practices to consider…
Make sure you understand how the principal risk list is to be used – by the Board, by the Executive and by the organisation. If it’s of practical value, a much more insightful and well-thought through picture will emerge. For the Board, this means that the list should provide a useful basis for strategic debate and for regular assessment of strategic positioning and the strategic risk profile.
Things to avoid…
Producing a list just because you have to put one into the Annual Report. If it’s not useful to anybody internally, it’s unlikely to be of a quality that’s much use to stakeholders.
Good practices to consider…
Work out what you’re trying to identify. Are you highlighting the things that, if they crystalised, really would be life-threatening to the organisation? Or a threat to the achievement of this year’s business plan? Or to long term value growth and sustainability? The list could look quite different depending on the answer. If it’s useful, there might be sense in producing several lists with different objectives.
Things to avoid…
Assuming that everybody understands and agrees on where you’re trying to get to. That’s unlikely to be the case, so contributions can arrive from different viewpoints and angles and then be merged into what purports to be a coherent list. That makes it difficult for readers to interpret, and reduces its value for oversight and for management.
Good practices to consider…
As well as defining the purpose of the whole exercise, be clear about what makes something a “principal risk”. How bad does something have to be to make it on to the list? And “bad” in what terms?
Things to avoid…
Allowing inconsistencies that make it difficult to understand what is being included or excluded, and on what basis. It’s important to avoid getting bogged down in definitional debate but some consistency is needed.
Good practices to consider…
Tie it into scenario discussion. Strong boards have typically carved out time to consider short-term and long-term scenarios. Those who dismiss this as speculation are missing the point – the purpose isn’t to make a forecast but to explore possibilities in order to gain a better understanding of the business model’s strengths and weaknesses. Boards who do scenario planning find it very valuable – and this is partly because they do it in a structured way, including describing the risks that are identified in each scenario. Some of them will merit further evaluation. Risks identified in scenario planning can turn out to be significant in a wide range of scenarios, including today’s reality.
Things to avoid…
Dismissing scenario discussion as a waste of time, probably without ever having tried it properly. And then failing to follow through the thinking around what could go wrong, and in what circumstances. Many boards are now asking “why didn’t we have global pandemic on the list?” It’s fifteen or so years since SARS – remember when hand sanitiser first appeared at Reception, and all the contingency planning that went on? Since then it became widely taken for granted that the threat of uncontrolled infection had gone away, but of course it hadn’t. And it’s not just pandemics of course: technological change, competitor disruption, climate change, geopolitical shifts…there’s a lot to think through.
Good practices to consider…
Stand back, at least to start with. A Board should begin with a clean sheet, with each director asking “what would be my top risks?” (This simple question is quite enough if the ground has been prepared as outlined in the first few points of this bulletin.) Do that before comparing the board’s aggregate list with management’s. Differences will arise from the different points of view and these should stimulate useful discussion.
Things to avoid…
Asking the board just to respond to a list from management, rather than doing their own thinking. (It’s the difference between an open question and a leading question.) Getting the full benefit from the NEDs’ different perspectives means creating the space for discussion, rather than starting with a collective stare at pages 121 to 125 on the portal – And if the Chair isn’t hearing each director’s opinion on the risks to the business, something’s not working, and an opportunity to leverage different experience and views is being lost.
Good practices to consider…
Use the strategy as a starting point. A lot of thinking and time has been invested in agreeing the strategy – and the risks needs identifying in order to judge the uncertainties and the risk-adjusted returns. So the principal risks need to be tied into each strategic strand and important angles, such as threats to the business model, future performance, solvency or liquidity (good practical points that are to be found, believe it or not, in the UK Governance Code. It’s worth a read).
Things to avoid…
Divorcing the principal risk discussion from strategic thinking. It may be that management started from well-linked thinking, but by the time the principal risk list is brought to the Board, the linkages can have become difficult to discern or even lost. Even if the intent had been there originally, reducing it to a small number of risks can squeeze out the strategic coherence too.
Good practices to consider…
Use categorisation to avoid mixing up risks that require quite different responses. For some, the response will be strategic – and may even need to result in fundamental changes to the business model. For others, it might be a financial or operational response around capital and financing, strengthening core processes, people… And emerging versus current is often a useful grouping too.
Things to avoid…
Confusing strategy and risk management. Of course they are interconnected. But keeping in mind the distinction will help bring more coherent thinking about risk responses, and should make the principal risk list more useful to management should some of the risks start crystalising. And don’t become obsessed with sticking to a magic number. You don’t want a long list, but the importance of any risk isn’t actually constrained by how many fingers you have…
Good practices to consider…
Tie it into the risk register. There might be different processes involved but at some point before it reaches the exco, the two need to come together.
Things to avoid…
Failing to align the two risk pictures just because they’re in different documents or emerge at different times. The principal risks don’t have to tie in verbatim but it should be evident how they form an integrated whole.
Good practices to consider…
Test the logic. Each risk should have meaning. And it should lead to development of a risk management response, with actionable steps that can be monitored. Or if the risk response is “there’s nothing we can do so we’ll keep our fingers crossed and hope for the best”, this should be made explicit so it’s a position that is taken knowingly rather than accidentally.
Things to avoid…
Making statements of the obvious or introducing tautologies. For example, if the purpose of the principal risk discussion is to assess threats to achieving the business plan, it is not helpful if the so-called risks are “targets will be missed” and “we fail to implement the business plan”. (Sadly, both are real examples.) Such “risks” can be restated as “we fail to manage the business” – which invites a rather obvious sort of response.
Good practices to consider…
Make the principal risk discussion part of regular boardroom debate. And encourage the executives to tie the issues and proposals they bring to the Board into the principal risks. If the risks are that important, directors will want to know how a major initiative or development might impact them, and if it might cause new risks to make it onto the list.
Things to avoid…
Positioning the discussion as a separate self-contained item on the board agenda. Yes, some longer-term emerging risks might wait until the annual strategy review. But some, due to their immediacy or significantly changing profile, would be better considered as part of the regular CEO Report. And if the principal risks are part of the regular risk report to a committee, make sure their strategic nature does not become subsumed as part of a process for reviewing the risk register.
On 20 January 2021 The Chartered Governance Institute published the final report arising from its Review of the effectiveness of independent board evaluation in the UK listed sector. We welcome this as a significant step forward which will help to bring about consistently high standards in a still-evolving but already important discipline, and would encourage BEIS to accept its recommendations and set out a clear timetable for implementation. We will fully comply with the new Code of Practice for Board Reviewers, which very largely accords with our current practice, but does point us to some valuable refinements. Consequently, we will be making some changes to our client contracts and enlarging our website to give more information on our credentials, approach and independence.