An Insight into Risk Management
Recently, Simon Cordrey spoke to Alex Butt, former Director of Business Risk at Capita plc. Alex has been responsible for eight of the 11 divisions and around 50 businesses of Capita plc in the UK and globally. Prior to that, he spent two years as Head of Internal Audit & Risk for the Olympic Delivery Authority.
How has the business environment for corporate governance and risk management evolved in the past ten years and what are the future trends?
Since the Cadbury Committee (1992) set up the UK’s first Corporate Governance Code, there have been numerous committees (Greenbury, Hampel, Turnbull, and others) set up to review and improve the provisions of the Corporate Governance Code, culminating in the 2010 Code.
Despite changes in governance and risk practices, the financial crises of 2008-9 highlighted that systemic failures were still occurring in the boardrooms and in corporate governance and risk management, as highlighted by the failures of Lehman Brothers, Barings and Enron, companies which no longer exist!
Risk is an essential ingredient in enterprise and most, if not all, successful companies take risks. However, there is a fine line between taking calculated risks and being reckless. A key responsibility for business management is to help their company make decisions involving risk while at the same time ensuring prudent management. This involves making decisions that are approved of by stakeholders but that are also legal.
Changes in risk management and governance practices have reflected the complexity and velocity of change in an ever-increasing interdependent world. In the years ahead I believe that our lives and those of businesses will be more intensely shaped by transformative forces including shifts in economic, societal, technological and geopolitical changes. We will need to be prepared by more robust and effective risk management and governance frameworks including people who understand these changes and can support businesses to evolve.
Can you give me any examples of organisations which have benefitted from your risk input and where the governance framework has improved subsequently?
I was interim Head of Risk & Internal Audit at the Olympic Delivery Authority, at the very start of one of the largest and most complex infrastructure projects in Europe. I helped to set up a governance framework covering risk management and internal audit along with several other tasks which ranged from insurance to working with a delivery partner to undertake various programs and projects for the ODA.
One of the challenges in this role was working with and influencing a large number of stakeholders with strategies and objectives, which did not always align with our approach and objectives. Inherent in the risks were the sheer number of third parties and partners as well as the complexities of the work program that needed to be understood and delivered to a tight deadline and budget.
As we know, the infrastructure, the stadia and the games were delivered on time and on budget and were a resounding success for the country and, it is hoped, for the legacy passed on to the younger generation.
As an experienced risk director, what are the key risks facing businesses in today’s difficult economic climate?
In today’s rapidly changing and uncertain world, businesses face an incredible range of risks. But there are themes emerging which are likely to have a sustained and intense impact for business and society. Risk managers today have to grapple with the complexities of dealing with external impacts – environmental, technological, economic, geopolitical and societal risks – along with inward-facing risks – operational, financial, regulatory and strategic, in all their manifestations.
Key global risks which we all face, range from unsustainable population growth (exacerbated by food and water shortage, migration, ageing population, energy crises) to extreme climate changes and global governance failures (corruption, conflicts, terrorist activities, globalisation).
You only have to open a newspaper to read about high youth unemployment, liquidity crises in terms of banks not lending to businesses, recessionary economic conditions, and labour market imbalances. Add to this technology risks from critical systems failures, cyber attacks, data frauds or theft and you get a dystopian picture of the world we are hurtling towards.
As if the global picture was not bleak enough, businesses today face a complex range of issues and risks. Some of these derive from the wider and gloomy global picture painted above. Supply chains are increasingly complex and interdependent, increasing the risks of product or service delivery failure. Think horsemeat! The risk of key business systems failing or lack of business resilience from disasters, whether climate-related or caused by people, is on the increase and in need of prudent management. The increase in regulations and legislation has caused businesses to invest in compliance and regulatory experts but is an area of increasing concern as we embark into foreign territories, emerging risks and into unfamiliar markets. Risks of course are everywhere, and need to be identified early and carefully managed.
How do you engage and influence businesses to believe in risk management and make it business as usual?
The key to effective risk management, I believe, is to keep it simple and integrate it with the way the business operates and with the culture of the organisation. Easier said than done, I hear you say! I have worked in diverse organisations covering a range of industries as well as public sector bodies and have first-hand experience of taking the business on a journey and making the journey worthwhile and delivering the outcomes promised.
First of all, it is important to align the strategy and objectives of the business with its risks. And, at the outset, ensure the management understand its risk appetite and tolerances. In a large complex organisation, this initial alignment is even more important and needs to be agreed at head office/group and business unit level. Risk documentation needs to be minimal but with maximum visual impact for today’s busy executives. And risks and actions need to be discussed in a risk forum (committee) which should form part of a regular management meeting, as part of the business as usual agenda.
In parallel to this, the risk culture of the organisation needs to be looked at. There are no hard and fast rules here. A ‘horses for courses’ approach is the best, not a one size fits all! In rolling out risk frameworks across businesses, it is vital to work with each business building awareness and the importance of risk management and, if possible, linking its success to their personal objectives.
How can risk and internal audit work together to add value to businesses and to management?
I am sure everyone knows about the three lines of defence in safeguarding the internal control framework. Best practice, as we should all know, is for risk management to be separated, functionally, from internal audit to enhance independence and objectivity.
I have worked as Head of Risk and Internal Audit for large complex global organisations, both as separate functions and as one combined group. One of the keys to success in ensuring effective governance, regardless of whether or not the two disciplines are separate or one, is the importance for each to work closely. Being independent does not mean planning independently nor does it mean a lack of regular communication between each function.
From a business viewpoint, it is important that there is no duplication of work or, indeed, any gaps in focus on the control framework. Management, which form part of the first line of defence, are keen to get value from risk and internal audit both in terms of contributing towards an effective control framework and as trusted advisors acting as consultants to the business. It is important also to discuss and agree key performance indicators with management. These should include both hard and softer targets.
The internal audit plan for the year ahead should take into account the key risks across all business activities and needs to be flexible enough to change during the year, as risks and circumstances change. At the Olympics, we prepared a detailed mapping of all activities and projects and put together our internal audit plan based on several factors. One of these factors was an assessment of risks in a fast changing environment with a range of partners, third parties and suppliers and a complex stakeholder map. We reviewed and changed the audit plan each quarter, as the risk landscape changed. Lessons learned about gaps in controls found during the audits were fed back to risk and the assessment of risks amended on the risk register. KPIs were used but these did not impair independence. Most of all, it is critical to communicate regularly to management and where required informally through discussion and meetings.
Alex Butt has recently left Capita to pursue a career in interim management. Should you have a requirement for Alex’s skill set or wish to discuss how we may be able to help source talent, please contact Simon Cordrey.