Analysis: Balancing risk and reward at board level


Risk managers believe that risk reporting and mitigation should no longer be an isolated item on the board agenda, but how can they get executive buy-in for this?

The bridge between risk managers and board members is a crucial one when keeping up with the fast pace of legal, regulatory and commercial changes in their industry. Board members need to be kept abreast of best practice regarding risk management as business models evolve but how can organisations balance out accounting for risk while ensuring growth and profitability?

One way is to make sure board members are educated in risk management so they understand what they are talking about, both at a generic level and in terms of the risks pertinent to the organisation. John Ludlow, CEO at the Association of Insurance and Risk Managers, explains: “All board members need to understand that their job is to achieve the objectives of the organisation by balancing both risk and reward.”

Boards, however, have busy agendas. Ludlow argues that both short and long-term strategic risks should be discussed at the highest level, but regulatory and operational risk is a “down in the weeds conversation”.

Horizon scanning and emerging risk assessment should be a standing board agenda item to provide context for strategic decision making, risk/opportunity assessment and tracking, adds Philip Songhurst-Thonet, head of risk consulting, commercial risk solutions, at Aon. “This approach is most effective when there is clear support from the senior executive team and where risk management is linked to overarching business performance and strategic objectives,” he says.

Away from the board

In addition, chairmen need to be willing to invest in committees and sub-committees for managing risk in order to have some of these discussions away from the board. Furthermore, if there is one big risk, setting up a working group can help. “Be a bit flexible,” Ludlow says. “Don’t be ‘this is what the textbook says’. You are running a battle, you are not running something that’s static. People get rigid about risk management. It’s not rigid. It’s dynamic.”

Regular communication between technical experts and board members is crucial. Dan Carr, chief innovation officer and cyber lead at Occam Underwriting, says: “The challenge is how you categorise the experts. They might be an expert in understanding the technical risk. For them to make the leap into how this fits into the wider operation of the business, it doesn’t really work, because their brain isn’t really wired that way. They are not plugged into the importance of the wider business strategy and how it is knitted together from business units and an operations perspective.”

The board, in turn, don’t always understand the technical risks. Andrew Beckett, managing director at Kroll, explains: “For a lot of boards, the problem is that they can’t see the wood for the trees. They feel unsure of themselves because they don’t know the questions to ask or how to interpret the answers when they get them.”

He says boards are increasingly appointing people with a cyber background as non-executive directors, who can ask the right questions, hold risk reports to account and interpret the answers, while the board is growing expertise internally.

“You have to find a common language,” Beckett says. “Do not talk to the board in ones and zeroes. They don’t understand binary and hexadecimals. You have to define it in terms of risk and the kind of risk they will understand.”

Collaborative communication

Another way to bridge the knowledge gap is for risk managers to collaborate with individual board members to work on mitigating risk from the perspective of their department. This requires regular collaborative communication outside the normal cadence of committees and sub-committees, constant iterative enhancement of the reporting styles to those committees, and, ultimately, good joint judgment on key areas of board focus, says Matt Kimber, chief risk officer at Aon: “CROs can add significant value by being the ‘bridge’ to the board, using their judgement to escalate relevant matters early that could become issues, to arranging board ‘teach ins’ on emerging topics, for example blockchain, which could affect future business models, to NED briefing sessions on subjects such as the firm’s cyber posture.”

Jonathan Brown, risk team manager for Cega Group, agreed, saying risk managers should ensure they are an integral part of a business, not just an external ‘check’ on processes. “They should work across an organisation, rather than simply imposing measures on the board that involve financial outlay and effort,” he says.

“Often this will involve building consensus around both cultural and procedural changes that create improvements for everyone. It will also mean being aware of business-wide targets, pressures, challenges and current projects. Understanding what others are doing will better enable risk managers to recommend measures that support the wider aims of the business and to win greater support for integrated risk management. Above all, risk reporting and mitigation should not be an isolated item on the agenda that is handled separately from other business matters.”

Carr believes organisations should really be focusing spend and efforts on things that would be most impactful to the way the business is structured, but they won’t get that insight solely from the technology specialists. He says the best solution is to embark on an exercise, maybe with third parties that are capable of seeing both views. “Metrics are really the way you can communicate and track that,” he says.

This is where insurance can be part of the solution. “Insurance should be helping to identify, of the types of coverage that exist, which one they really need,” Carr says. “They might have a different idea about where they see their real exposure. It might be more beneficial if coverage was more modular.”

Ludlow adds: “Risk managers need to identify and assess the issues, but they can work with insurers and brokers that have huge amounts of data across industries. They can then work with a dataset that is bigger than their own business and that can be compelling.”

Among larger companies there is a growing appetite for insurers to work with risk-managed clients, he says. “The clients with well-managed risks should be talking to their insurers and partnering with them.”

“We are starting to see insurance products starting to evolve to satisfy the needs of today’s businesses better. Insurance is a solution. Don’t let it be just a product.”
