ArcelorMittal risk manager Adrian Clements and Cass Business School corporate governance expert Bob Garratt explain how to make directors take notice

To create a more effective relationship between the risk function and the board, risk managers must stand up and show their bosses that they are not simply insurance buyers, as some senior leaders perceive them to be. For their part, boards need to realise the value of the talent they have at their disposal “for the simple reason that without it, your business will die”, says Bob Garratt, corporate governance and board development consultant and visiting professor at Cass Business School. 

“The world is so turbulent and uncertain that there is an increased urgency to have at the top of your organisation – the board, not the executive – a group who are frequently horizon-scanning and bringing their thoughts on what is changing into the organisation for discussion,” says Garratt.

“Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so. They don’t have any means of doing so, never mind ways of bringing their information into the business.”

It is in this space that risk managers can prove their value and improve their relationship with the board. “We all have complex supply chains that are slow to adapt and lean management teams that mean there are too few people in place to spring into action during a crisis,” says Adrian Clements, general manager for asset risk management at steelmaker ArcelorMittal. “If you ask one section of the business ‘How long until we are back on line?’, you will get one answer; ask another section and you’ll get another. Unless you [as a risk manager] combine bottom-down and top-up effectively, you cannot resolve this contradiction.”

By finding their place at the crossroads between senior leaders and the executive, risk managers can demonstrate their importance to the board. An increasing focus on interrogating the business model at the heart of a firm, for example, demands the active involvement of the risk function.

“The risk management function has to deal with a whole host of risks – political, economic and so on – but the key issue for them is to do with business model choice,” says Charles Baden-Fuller, centenary professor of strategy at Cass Business School. “If the risk management function has good people, its job is to tiptoe up to the board and say: ‘Excuse me, perhaps I can help you analyse and then communicate some of these risks, because we both share the same agenda’.

“This can be quite a difficult process. We all understand there is a hierarchical relationship between the risk management function and the board of directors. If the board has a good relationship with the chief executive and the chief executive has a good relationship with the risk management function, this process can be simple. Of course, this isn’t always the case.

“Risk management is difficult, but many boards do not have the resources to fully analyse the problem. They need help. Often, there need to be clear lines of communication between the risk management group (suitably resourced with strategy expertise) direct to the board, especially around discussion of the business model.”

To do this effectively, the risk management function needs to look at what – and how – it communicates and really challenge the board’s approach. Colin Coulson-Thomas, professor at the University of Greenwich and a director of ACCA’s governance, risk and performance global forum, says:

“There is a whole range of people reporting risks rather than doing much about them. Risk managers need to up their game. They need to shift their emphasis from planning and strategising to implementation and action.”

Daniel San Millán del Rio, risk manager at Spanish infrastructure company Ferrovial, agrees. “Senior managers need to know that ERM [enterprise risk management] is a tool that will put a huge amount of information at their fingertips, on their laptop, their iPad, wherever they are – in a plane, in Africa, in Asia. This is the tool that will enable them to make the right decision.

“You have to explain what you are going to do. Everybody has to understand that this is not just another process – we have enough of those. It is a special project.” 

Advantages of ERM

The focus should be on key and frontline work groups that expose an organisation to risks and give them the support to deal with risk. Risk managers should make it easy for them to do what is required. 

When risk managers talk to the board members, they should explain that a great ERM approach will make their lives easier and their decision-making more effective. 

“The key issue is to convince the board that this tool is going to provide them with the information to make the correct decision on time,” says San Millán. “If you have a business with 100,000 employees in 40 or 50 countries, it’s not easy to always know what’s going on with the business line, and the board knows this. But with a properly integrated ERM, it has all the concerns of its people in its hand. It can make quick decisions before a risk becomes a loss.”

But risk managers shouldn’t report anything without suggesting how to deal with it. “If a board meets once a month, it can’t add much value if it is dealing with huge wodges of analysis without suggestions for action,” says Coulson-Thomas. 

It’s also important to note that since 2008, risk has increasingly been at the heart of emerging legislation on corporate governance – another area where risk managers can prove their value and develop the quality of conversation with the board.

“The new version of the corporate governance code has a section on the regular interpretation of the business model by the board – and this is quite revolutionary,” says Garratt. “Risk managers should be aware of this. Everyone needs to understand the purpose of the business – and from that the business model, and from that horizon-scanning and risk management.”

In addition, companies are increasingly being asked to enhance traditional ways of reporting and adopt triple-bottom-line reporting, opening up another new area for risk managers in the theatre of governance. Triple-bottom-line – an accounting approach developed in 1994 – requires companies to prepare three bottom lines. The first is the traditional measure of corporate profit – the profit and loss account; the second is the company’s ‘people account’ – how socially responsible it is; the third is the company’s ‘planet account’ – a measure of how environmentally responsible it is.

“International law will increasingly be requiring these things. And the question is: how are we all going to muck in and make this happen?” says Garratt. “In emerging economies, we are seeing the introduction of a licence to operate and the decision to grant these will be based on these principles of triple-bottom-line reporting. Risk is at the heart of it all. 

“These are interesting times,” he adds. “A lot of the traditional ways of operating are up for grabs.” 

Another big concern for the board is that risk managers stay on the right side of the law. This means avoiding failures in corporate governance, complying with the UK Bribery Act 2010 and making security risk “everyone’s responsibility”, says Control Risks International SOS region security director Damian Taylor. “Because when things go wrong, the board is in the firing line.”