The past decade has seen its share of spectacular corporate car crashes: Enron, AIG, Lehman Brothers, and Northern Rock, to name but a few. One common factor is a failure to recognise and manage specific risks with the potential to undermine an entire business.
A new report from the Cass Business School, cosponsored by Lockton alongside main sponsor Airmic, assesses 18 major operational or corporate failures since 2000, analysing what went wrong and why. A leading cause of corporate calamity was boards unable or unwilling to pick up warning signs of trouble ahead.
The report’s lead author, Chris Parsons, notes finding multiple “cases in which the board appeared not to be in full control of the business, including cases where the board or its NEDs (nonexecutive directors) did not fully understand the business model, the foundations and assumptions on which that model was based, or the company’s reputation and the essential foundations of that reputation.”
The report singles out overbearing dominant leaders whose employees dare not speak uncomfortable truths, along with complacent nonexecs who lack the skills or the inclination to fully understand the businesses on whose boards they serve. If being an NED was once an undemanding sinecure, the role now comes with significant duties and responsibilities that should not be undertaken lightly.
The detailed expectations set out for NEDs in the Companies Act 2006 will only become more onerous as future legal and regulatory developments come into force. The 2008 Combined Code on Corporate Governance already clearly stipulates that NEDs should “satisfy themselves that financial controls and systems of risk management are robust and defensible.”
Risk management is a key phrase here, one often too narrowly defined in the past. The Cass report found that corporate employees with the designation “risk manager” often lacked the access and authority to scrutinise risk factors at board level.
The report identifies a “glass ceiling” that prevents auditors and risk managers from reporting on risks that originate above them in the corporate hierarchy. It is equally questionable whether some risk managers have the background required to assess such risks effectively. This underlines the critical role NEDs can and should be playing in averting future corporate failures.
Under ever-greater scrutiny themselves from regulators and shareholders, global companies today will simply not trade with firms whose risk management standards are not fit for purpose. Doing so could jeopardise the integrity of their supply chains and the customer experience they deliver—which matters more than ever in a Web-enabled world where reputations can be shredded with a couple of keystrokes.
Implementing sound risk management practice at every level is no longer a “nice to have” but a basic license to operate—something every firm needs if it hopes to satisfy its business partners, customers, staff, investors, and regulators.
The Cass report provides a vivid illustration of the importance of identifying and managing the underlying risks that jeopardise the future success of today’s successful companies. Purchasing insurance or risk protection without first fully recognising and quantifying these risks makes as much sense as skipping diagnosis and going straight to treatment.
Investing extra time and attention up front can significantly mitigate the scale of any future difficulties, equipping companies and their officers with the protection they will need when future challenges arise.