Effective corporate risk governance
by Guillaume Rominger, François Kassel
December 2017
Mastering risk governance in an increasingly uncertain and fast-changing world

Failures in risk governance are visible on a daily basis through “breaking news” stories which demonstrate limitations in the effectiveness of typical approaches to risk management. The evolving business environment – breakthrough innovations, new security risks, accelerated diversification of business activities, changing regulatory landscapes, etc. – requires boards to adopt robust but agile approaches to keep threats under control and embrace opportunities. Our experience suggests that a handful of relatively simple key principles and tools can be valuable when designing or reviewing corporate risk governance arrangements, in order to provide agile but robust value-based risk management.

Why generic approaches to corporate risk governance have limited impact

Boards’ interest in risk management is evolving under the pressure of both internal and external threats, as well as keenness to exploit opportunities. Companies seeking to go beyond risk management in functional silos draw upon a number of different generic frameworks for enterprise-wide risk management. In our view, efficient risk management should be built around four key principles: maintaining strategic alignment, focusing on vulnerabilities, facilitating decision-making, and building a dynamic risk culture [1]. However, the design and implementation of risk management frameworks usually fail to deliver against these four pillars.
Conventional risk management deals poorly with complexity, is slow to adapt to changing circumstances, and overemphasizes risk reporting. Such approaches provide comprehensive information and reporting of risk data, but little information that truly shapes decision-making. They also frequently assume that the business operates in a steady state. Few real companies today operate in such static environments, and changes driven by company strategy or operating conditions greatly alter a company’s risk profile.
Recent events show that an agile, value-focused, risk-based approach is increasingly required both to mitigate threats and to make timely decisions that exploit potential opportunities. The media report a constant stream of events, such as cybersecurity incidents (WannaCry, Petya/NotPetya), political and geopolitical tensions (Brexit, the US, North Korea), natural disasters (fires in California, Portugal and Spain, Hurricanes Irma and Harvey), and terrorism. Such risks can have huge impact on businesses, and behind the front page, new business risks are emerging. We briefly review some of the commonly encountered situations and weak signals here.

Growth and expansion

Growth by acquisition is a common strategy for corporations, but presents certain risks. Outside of finance-related risks (such as asset valuation and currency volatility), which are usually carefully assessed and monitored, other strategic risks are often underappreciated – or worse, not visible to boards. For instance, in acquiring the Texas City Refinery as part of its merger with Amoco in 1999, BP failed to address unsafe process systems – issues that had already been identified and well understood under the previous ownership. These issues ultimately contributed to the 2005 explosion that killed 15 people and injured more than 180 others. BP paid more than US$1.6 billion to compensate victims.

International supply chain

Outsourcing and supply-chain expansion have delivered great benefits in efficiency and agility, but businesses operating across geographical barriers, social disparity, and working cultures are exposed to potential disasters. The Dhaka Fire (2012, 117 fatalities), the Pakistan Garment Factory Fires (2012, 257 fatalities) and the Dhaka Rana Plaza Collapse (2013, 1,127 fatalities) illustrate how shortfalls in corporate risk management can lead to loss of life, business interruption and reputational damage.
Increasingly complex and extended supply chains also generate significant risk because of difficulties in traceability. These are well known in the food industry, but the problem exists across a much wider range of industries. For example, in 2011, an investigation found a large number of counterfeit parts in the Pentagon’s spare-parts stock, creating a security and safety risk for the US and its armed forces.