Operating in line with the risk appetite – About black swans, governance and getting to grips with uncertainty in a fast-moving risk landscape

The board wants to ensure that the company operates in line with the set risk appetite. But given the record-breaking speed with which risks are evolving, could the board be biting off more than it can chew? On the other hand, a ‘low’ or ‘no’ risk approach is not the solution.

Outliers, silent risks and problems stemming from the use of poor or void probability assessments. Talking about knowing the unknown, we often refer to ‘black swans’. The concept seeks to illustrate a high-impact event that is difficult to predict and that we assume will not happen, until we realize that it actually does. Typically, when the black swan is a fact, the reflection in hindsight is that it was all rational thinking and unavoidable anyway.

The concept was explored by the former options trader and risk analyst Nassim Nicholas Taleb in his 2007 book “The Black Swan – The Impact of the Highly Improbable”, which gained global attention. Fast forward to 2024, and it is a fair statement that companies have never faced as many new and emerging risks as now. Cyber and financial crime stand out as material threats across business sectors. Then we add ESG reporting requirements, data privacy and AI. And with these cards in hand to play, the requirements on the board to navigate through a maze of KPIs and compliance requirements grow.

Asking the right questions to detect high-impact risks and ensuring adequate governance and controls are totally uncontroversial expectations on the board. No one wants to be subject to black swans.

Does the board have a fair chance to know if a company operates in line with the set risk appetite? The greatest governance and control issues right now include the increasingly complex regulatory environment, managing risks and maintaining transparency and accountability. The shift in technology and cybersecurity stand out as particularly top of mind, as do sustainability and financial crime prevention.

For sure, what makes up the greatest challenges in internal governance and control can vary depending on the size, industry, and complexity of an organization. There are, however, some common denominators worth discussing again and again.

Performance data and moving targets 

Boards are served with a varying and sometimes overwhelming amount of performance data. While we know that “less is more” holds true also from a board perspective, organisations continue to struggle with establishing appropriate metrics to measure the effectiveness of governance and control systems, and with designing purposeful internal controls, including ensuing monitoring and auditing.

At face value, it is all logical and reasonable, right? In practice, the challenges are abundant. Based on ample use cases, too often boards are presented with lengthy reports and routine controls which offer limited help in actually understanding the current risk exposure of the company.

Therése Marcks von Würtemberg, Managing Director at Advisense and long-term board advisor, says that growing expectations on the board to keep up with regulatory changes and deliver results must be matched with corresponding expertise and experience in order to request key information and evaluate whatever it is presented with.   

Each board and company is unique and needs to find its own way, however with the fundamental premise that it has the necessary capabilities to identify and appropriately act on relevant risks. This places new demands on the entire organisation, including at board and management levels. One way forward is to tap into key expertise through committees and advisory boards.

Tick the box compliance a show-stopper for efficient risk management?  

We have heard it before, but it still holds true. Companies have historically often tended to, and continue to, focus excessively on specific risks based on specific regulations, commonly known as a “silo mentality”, says Therése Marcks von Würtemberg. Taking a holistic view of what risks a company is exposed to is something most people agree is truly key, but fewer have been able to implement fully and successfully. Breaking down the silos presupposes thoroughly understanding the inherent risks within the business model, how these can be mitigated, and which residual risks senior management and the board want to monitor closely.

The further issue is about establishing a common understanding of both financial and non-financial risks and setting a well-defined risk appetite. This is really the core of how the board is able to ensure effective governance and subsequently that business is run in line with the risk appetite. 

The risk appetite ultimately needs to align with the company’s business plan and be critically reviewed and challenged. Clear requirements are a prerequisite for clear processes. Based on the stated risk appetite, make sure there is adequate and proper intelligence so that the evaluation of risks is consistent and properly benchmarked, that processes and routines for monitoring and following up are effective, and that reporting of material issues goes all the way up to the board.

For example, a company that wants to be a disruptor and create a partially new market might consider whether this can be sustained with an overall low appetite for non-financial risk. It is also important to conduct an impact analysis and understand what is required in terms of competence, resources, processes, and routines to adhere to a low risk appetite compared to a somewhat higher appetite.  

Consequently, a more in-depth analysis of the various risks is necessary as well, since the appetite may be higher for some risks than for others. For instance, there are likely few companies that would actively set anything other than a low risk appetite for the risk of being misused for money laundering or terrorist financing.

Not a no-go to all high risks? 

Nassim Nicholas Taleb humorously referred to the black swan concept also as ‘the turkey problem’, i.e. the problem of induction. By no means is it about promoting withdrawal or extreme scepticism. And by no means is it suggested that one would advise boards against setting a low risk appetite for non-financial risks, says Therése Marcks von Würtemberg. However, boards would want to be fully aware of what it takes in terms of good governance and controls within the business to operate in line with the set risk appetite. The flip side can involve losing sight, a false sense of security for the board and ultimately unwanted and unintentional risk-taking.

All else equal, the board is ultimately responsible for setting the risk appetite of the company and ensuring that the business is acting in accordance with that, with demonstrated measures and reporting. If reports submitted to the board fail to provide a sufficiently clear and actionable view of current risks, it might be time to consider going back to the drawing board.   

Therése Marcks von Würtemberg

Managing Director

Louise Brown

