Risky business: The dangers of underfunded risk management

Firms continue to underestimate the cost of “risk management failures”, despite an increased sense of awareness following the financial crash, an influential global body warns.

The Organisation for Economic Co-operation and Development (OECD), a forum used by governments around the world, claims that although companies have a greater awareness of risk, their practical understanding of it still falls short in many cases, potentially leaving them vulnerable.

The OECD’s 2014 report, Risk Management and Corporate Governance, warns that companies and boards should work to increase their understanding of risk and the “catastrophic” threats they could encounter, even if these have a small probability of actually materialising.

It also notes that some businesses focus too narrowly on risk in a financial context rather than on risk more broadly.

The report looked at the rules and practices around risk management in 27 of the jurisdictions taking part in its corporate governance committee, including Norway, Singapore and Switzerland, all three of which provided more in-depth case studies.

The report acknowledges the importance of risk in business operations but warns that the practicalities around controlling risk need to be better understood.

It reads: “The review finds that, while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated, both externally and internally, including the cost in terms of management time needed to rectify the situation.

“Corporate governance should therefore ensure that risks are understood, managed and, when appropriate, communicated.

“Following the financial crisis, many companies have started to pay more attention to risk management. This is, however, seldom reflected in changes to formal procedures, except in the financial sector and in companies that have suffered serious risk management failure in the recent past.

“It appears that most companies consider that risk management should remain the responsibility of line managers.”

It adds: “Listed company boards need to be provided with incentive structures that appropriately reward business success, as well as awareness and management of risk.

“Existing risk governance standards for listed companies still focus largely on internal control and audit functions, and primarily financial risk, rather than on (ex ante) identification and comprehensive management of risk.

“Corporate governance standards should place sufficient emphasis on ex ante identification of risks. Attention should be paid to both financial and non-financial risks, and risk management should encompass both strategic and operational risks.”

The report also extends its analysis to boards, and argues that top executives should place greater emphasis on major potential threats – even if these seem highly unlikely.

It reads: “It is not always clear that boards place sufficient emphasis on potentially ‘catastrophic’ risks, even if these do not appear very likely to materialise.

“More guidance may be provided on managing the risks that deserve particular attention, such as risks that will potentially have large negative impacts on investors, stakeholders, taxpayers, or the environment.

“Boards should be aware of the shortcomings of risk management models that rely on questionable probability assumptions.”
