CMCE Showcase 2 May:  People-centric Organisational Change
CMCE Virtual Workshop (2nd of 5) 9 May:  Next Gen2.0: Risky Business
20th Anniversary Celebrations 25 May:  Save the REVISED Date
Click here for our rolling calendar or here for City events

In pursuit of better Risk Management....

The Financial Reporting Council's latest guidance on Risk Management becomes binding on listed companies from October 2014

The climb to better risk management is still going on, and we haven't reached the summit yet. This month sees the publication of the Financial Reporting Council's latest Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. Although little has changed from the previous consultation drafts, it becomes binding on listed companies from October 2014.

According to the guidance:
• "the board must determine its willingness to take on risk, and the desired culture within the company;
• risk management and internal control should be incorporated within the company’s normal management and governance processes, not treated as a separate compliance exercise;
• the board must make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment the board should consider the likelihood and impact of these risks materialising in the short and longer term;
• once those risks have been identified, the board should agree how they will be managed and mitigated, and keep the company’s risk profile under review. It should satisfy itself that management’s systems include appropriate controls, and that it has adequate sources of assurance;
• the assessment and management of the principal risks, and monitoring and review of the associated systems, should be carried out as an on-going process, not seen as an annual one-off exercise; and
• this process should inform a number of different disclosures in the annual report: the description of the principal risks and uncertainties facing the 
company; the disclosures on the going concern basis of accounting and material uncertainties thereto; and the report on the review of the risk 
management and internal control systems.
 
What the guidance makes clear is that good risk management starts at the top of an organisation, with a conscious decision on how much risk it is acceptable to take. An entrepreneurial company will typically take more risks, and expect higher rewards, and they are not afraid of failure. A more conservative organisation, by its nature, will choose to take less risk and be more worried about consequences. 
 
The latest development calls on companies to be even more explicit about "what is our risk appetite" when coming up with their strategy, and then being more transparent when communicating that stance to others. This in turn places greater emphasis on another important attribute, which is the ability to control risk. Taking more risk demands a better understanding of the downsides, and better safeguards and mitigation for when things go wrong. Good crisis management is digging yourself out of a predicament; good risk management avoids the crisis in the first place. It is too easy to get carried away with enthusiasm when a business is performing well or considering a new opportunity, and forget to explore "what could go wrong". Straying outside risk appetite could put a company into territory where its risk management capabilities and control systems are unable to cope.
 
Another aspect of the guidance is the introduction of the Longer Term Viability Statement. We are familiar with going concern statements that appear in the annual accounts, where it is necessary to demonstrate a company can meet its liabilities as they fall due, and the time horizon for this is typically twelve to fifteen months. The viability statement pushes the time horizon out much further, over a period to be determined by the directors, and it demands a reasonable expectation of the viability of the business model in the face of principal risks over that period. It is much easier to think about the risks one faces today, and much harder to foresee the risks one will face three years hence. 
 
Boards of directors face pressure to "up their game" in order to meet these new requirements and to make the appropriate public disclosures. Insightful management information and debate on risk are needed in the boardroom to support disclosures made by the directors. Plus there is a dilemma. Whilst sharing these insights may satisfy investors' demands, too much disclosure can lay bare some commercial sensitivities that can be exploited by competitors and may undermine confidence. The new regime expects greater transparency, and it is proving difficult to get the balance right. 
 
In the months ahead, the increased requirements at the helm of the organisation will no doubt work their way down into the engine room. A lot of development has already taken place over the past two decades to create better risk management frameworks, policies, models, reporting and analytics. But these tools are only as good as workmen using them. The heightened expectations from the top will, in turn, raise the bar for better quality delivery from Risk Managers and fuel the demand for Risk Consultants to advise them.
 
The climb to the summit continues. 
 
Freeman Malcolm McCaig
Non-Executive Director
 
Assignments and adventures