Simon Laffin, an experienced company chairman, finance and non-executive director (NED) joined the PAIB Advisory Group meeting to discuss better solutions to enhance corporate governance and the role of board directors. Simon has writtenextensively about his experiences as a NED and lessons learned for improving corporate governance and risk management.

Simon shared his perspective of how company and governance failures can form a more empirical and informed discussion with regulators and others on ways to improve corporate governance. A key message is that more regulation related to both boards and auditors typically does not start from an understanding of the root causes of company failure nor  does it achieve desired outcomes.

Greater learning and understanding of company failures would help to provide directors with more useful education and support. It is necessary to resist political and media pressure for easy answers and allocating blame, and instead properly investigate, understand, and learn from failures.

Why do companies fail?

  • Some company failure is inevitable in a capitalist system - companies operate in complex, dynamic markets. Companies, like any complex and interrelated system, are inherently prone to failure. Effective risk management is needed to reduce the likelihood, and the damage, caused by failures. No system will give perfect assurance that there will be no failure.
  • Companies and boards tend not to assess risk rigorously, as robust planning and risk management take a lot of time and effort, and risk management can be siloed and compartmentalized in risk and audit committees.
  • Boards do not always have a deep understanding of their businesses, and for NEDs this is a particular challenge due to having less information and more time constraints. In the Great Financial Crisis of 2007/8, for example, a key factor was that many boards in the banking industry did not understand the risks of the derivatives being developed and traded.
  • Executive incentives too often reward short-term success and reward performance irrespective of risk. Remuneration Committees don’t often look at risk-adjusted performance.

Simon highlighted his experience of Northern Rock as a failure in effective risk management that led to the first run (when many customers withdraw their deposits at the same time) on a UK bank in 150 years. In this case, a key risk that it faced in relation to a wholesale funding shortfall and liquidity gap was stated in its annual report. But then the unthinkable took place, and a series of related and interconnected risks and events brought down the bank. 

What can boards do about it?

Although there is no magic solution, fundamental improvements would include improved education about risk management and utilizing better frameworks for assessing corporate risk. This requires:

  • Placing risk at the heart of every business case and decision
  • Investing more time in thinking about risk, especially worst cases. There needs to be a greater focus on both preventative actions that deal with threats and recovery barriers that deal with consequences. Given barriers have weaknesses, there is a need for multiple lines of defense
  • Mandating proper risk processes, and require evidence of process, rather than requiring more boiler-plate risk disclosures
  • Directors declining to approve actions they do not understand
  • Guarding against perverse management incentives
  • Greater sharing of best practices rather than introducing more regulation. Directors are humans and will make mistakes - either because they do not know enough, make misjudgments, and face difficult or impossible situations
  • Learning from risk approaches and methods developed in safety-critical industries
  • Avoiding relying on auditors as a failsafe.

Stepping Up Risk Management

Risk is a fundamental enabler of value creation - not a side-effect. Done poorly it leads to value destruction. Companies fail when they get the risk equation wrong. A deeper root cause approach to understanding risk also leads to opportunity identification and a greater chance of success.

Consequently, understanding corporate and financial risks is a critical part of what boards need to do. Effective risk management processes add value to decision making and help to deal with uncertainty.

There are generally five reasons why risk management goes wrong:

  1. Risks are missed
  2. Risks are thought too unlikely to bother
  3. Risks are much worse and thought
  4. Risks are inter-related
  5. Risks are known but subject to ineffective risk management plans.

 Existing corporate approaches to risk are often inadequate or flawed in various ways, including:

  • Risks being unspecific and too general. Good risk management is specific about what, when and why.
  • Insufficient focus on barriers - preventative and recovery. Most mitigation actions in companies focus on reducing likelihood rather than putting in place well-thought through preventative and recovery barriers.
  • Mitigation actions are often generalized (e.g., a risk response that simply states the adoption of rigorous policies and processes as a mitigating action), and confuse preventative and recovery barriers. 
  • Little focus on escalating factors, which are things that make barriers less likely to work such as a poor culture. Escalating factors are usually driven by the interrelationships between risks.

The corporate world needs to take lessons from the risk management approach in high-risk safety-critical industries, such as aviation, marine, chemicals, and nuclear, which involve deeper analysis than the traditional risk, impact, and mitigation approach to risk management. In industries where failure is a matter of life or death, the “bow-tie” risk model is used to identify hazards and events, and their causation – see How a bow-tie can smarten up corporate risks (and boxout).

 

Bow-Tie Model Terminology 

Hazard – The general area of risk
Threats – A cause of the event
Preventative barriers – things that detect the treat and aim to reduce or eradicate it
Event – The moment you lose control of the hazard and related threats (i.e., the risk crystallizes)
Recovery barriers – things that may reduce or eradicate the consequences
Escalation factors - things that make barriers less likely to work
Consequences – the results of the event happening

For further reading on the accountant's role in risk management, see related IFAC resource:  
Enabling the Accountant’s Role in Effective Enterprise Risk Management