Dr Johnstone is said to have observed that nothing concentrates a man’s mind so much as the prospect of being hanged in the morning. It is a brutal observation, but it encapsulates a basic truth. When things are going well, people do not feel inclined to change; only when disaster is upon them do they recognise how much of what is essential has been ignored and that survival involves rethink, reform and a new way of doing things.
It is no surprise then that the 2008 financial crisis, which was the biggest economic shock in almost 100 years, has brought in its wake a complete reappraisal across business about the nature of risk and how it might be better managed. It has been a catalyst for change well beyond the Square Mile. While banks were the most obvious sufferers from the crash, there was not a board in the land which was not shaken by it and disturbed by its consequences.
The changing nature of risk
What is now much better understood is that the nature of risk has changed. It had long been thought, and taught in business schools, that the best way to control a business was to control the finances. This led to the development of risk control mechanisms which were numbers based. Performance against budget and performance against sales and production targets were closely monitored.
Variances from the norm – be that what was wanted in the budget or what had been achieved in previous years – were a signal that something was not working as it should.
But we now understand much better that numbers and performance-based systems do not go far enough.
First, such measures are silo based and take no account of how problems might impact horizontally across a business.
Second, they fail to appreciate how the nature of risk has changed with globalisation so that the challenge today is far less about managing hard assets and much more about intangibles such as reputation, supply chain issues, corporate culture, employee behaviour and now cyber attacks.
Third, the hierarchical numbers-based system assumed bad news would be passed upwards to a level where it would be dealt with, but the extent to which this genuinely happens is driven by the status of the risk professionals and the corporate culture, both of which are sometimes found wanting.
It is a fact, however regrettable, that in a world where everyone craves success, no one wants to be tainted by failure and there is still a tendency to shoot the bad news messenger.
Finally, no such system can alert a board to the risk inherent in the behaviour of the senior executive team and the board itself. If competence and commitment in the executive suite are the keys to success, character flaws at that same level and a refusal to confront uncomfortable behaviour are often the root cause of failure.
No one-size-fits-all solution
The problems at BP, at Volkswagen, at Tesco tell us not only that no one is immune or exempt, but that in an age of social media, the damage done to a business through loss of reputation can far outweigh traditional losses from fire, flood and pestilence.
Structural problems require structural solutions. Hence the idea of the chief risk officer or CRO as someone who can cut across the silos and avoid being compromised by existing reporting chains and local loyalties. He must have the strategic nous to understand what needs to be brought to the attention of the board and, crucially, the personality, panache and political support to do so.
Unfortunately, people with all those attributes and with the ability and experience to command the respect of the others round the boardroom table often think they should be chief executive themselves, and this does not make for an easy working relationship at the upper levels.
It sounds a good idea to give the CRO board status, but may be impractical because the more ambitious the appointment, the less likely it is that those who are sufficiently qualified would find it attractive. This is because support functions are rarely seen as a direct route to the top.
The alternative is to have a CRO who reports to a risk committee, which like other board spin-offs is staffed mainly by non-executives. But because the requirements for the CRO go well beyond the skillset of the traditional risk professional, it is perhaps a function which would form part of the management development of the brightest young talent.
In large organisations, the best aspiring managers are already rotated round the different divisions, geographies and functions of the business. Two or three years as CRO could be seen as a vital stepping stone in such career development.
In truth, however, there is no right answer. Companies have to decide what works best for them. The point is that the essential first step in solving any problem is recognising that it exists. Companies may not yet know what works best for them, but there are very few who don’t appreciate the need.