
Should non executive directors be the risk managers?

17 Nov 2011

Berrymans Lace Mawer LLP corporate risks partner Helen Grimberg on why boards need to do more

Corporate directors have a clear duty to establish how their company responds to risks. According to the Combined Code on Corporate Governance, "the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives." However, research published this autumn by the Chartered Institute of Internal Auditors (CIIA) suggests that UK boards are still falling behind best practice in their management of risk. It joins an impressive recent spate of research which points the way towards a sensible risk management approach.

Must try harder

The CIIA surveyed heads of internal audit, receiving responses from 141 of its members, predominantly from firms with turnover above £50 million (86% of respondents). The selection of questions appears to have been designed to elicit the involvement of non-executive directors ("NEDs") in risk management. Some of the questions received broadly positive responses: 72% of respondents thought that the quality of NEDs had improved in the last five years, and 83% agreed that the NEDs thought and acted with sufficient independence from executive management.

However, other questions uncovered a troubling picture. Some 66% of internal audit heads thought that the NEDs were "very dependent" or "entirely dependent" upon executives for the information they receive, while the remainder thought the NEDs were "quite dependent" (not a single respondent thought that the NEDs were "not at all dependent"). Over a quarter of firms (28%) did not have a formal procedure for determining or appraising their appetite for risk, which is a significant failure to implement the Combined Code and the Turnbull guidance. Furthermore, while the survey demonstrates that a direct relationship exists between the NEDs on the audit committee and the internal auditors, 63% of respondents reported that internal auditors did not have meetings with those NEDs outside the audit committee, and 59% did not have meetings with their company's chair.

If these responses are a fair representation of British corporate governance, then the impression is that the resources of the internal audit team are under-utilised by NEDs, who may be undermining their independence by taking advice on risk management through the executive directors. This was certainly the theme of the quotes from respondents provided in the research, one of whom said "NEDs are very much driven by the risk process within the organisation, i.e. they respond to what the executives put to them."

A panoramic view

If the CIIA research suggests that boards could do more, the outlines of a more comprehensive involvement emerge from other recent research. The MacTavish Report published in March explained how a "forensic" risk assessment across the full panorama of a company's activities is necessary to ensure that material risks are disclosed to insurers. The alternative is that insurance could be void in the event of a major claim. Furthermore, the impressive 'Roads to Ruin' report recently commissioned by AIRMIC details how boards' 'risk blindness' has contributed to well-known corporate crises. As that report emphasises, boards must give full attention to non-financial risks, such as safety, environmental and political risks, to avoid crises which engulf the entire business. The examples of Railtrack and BP demonstrate the harm that a failure to oversee a robust safety culture can do to corporate reputation and shareholder value.

In order to ascertain risks across the spectrum, boards need to assert their ownership of risk issues, regularly review risk, establish means of monitoring achievement and establish targets. Any change in business operations should be considered alongside safety and environmental issues that arise. This process would be facilitated by the establishment of a separate board-level structure to ensure NED ownership of risk issues. While regulations do not currently require firms to have separate board committees that are charged with overseeing legal, regulatory and political risks, best practice implies that they should. Only then can the board ensure that proactive steps are taken, such as ensuring that a "crisis plan" exists in the event of a catastrophic accident. It also avoids the problem, implied by the CIIA's findings, that boards might be concentrating on financial risks to the exclusion of non-financial risk.

Having such structures in place would additionally avoid a problem labelled by the 'Roads to Ruin' report as 'glass ceilings' which prevent risk professionals within firms airing their concerns to the top echelons. The indications that NEDs may still - despite the improvements in training and independence of recent years - not be directly communicating with the wider risk professionals within a firm suggest that the glass ceilings have not yet been smashed. What should ideally be seen is direct engagement between NEDs and all of the internal risk functions within a company, such as in-house lawyers, public relations and health and safety experts, as well as internal auditors.

Ultimately all of these risks facing a company must be linked together, and one place this must happen is at the board level. Without a map of the dangers which is thought through before a crisis hits, firms may find themselves unprepared, uninsured and rapidly losing good will from customers, regulators and business partners.

Helen Grimberg is joint head of the corporate risks team at national law firm Berrymans Lace Mawer LLP (helen.grimberg@blm-law.com)




© Copyright 2007 - 2012, Berrymans Lace Mawer LLP