In February 2015, a truck careered down Lansdown Hill in Bath because its brakes had failed. Tragically, four people lost their lives in the carnage that ensued. In the subsequent court case, the mechanic held responsible for “wholly inadequate safety checks” received a five-year jail term. However, the company owner received a longer jail term (seven years) for “poor management … disregard for the rules and a failure to comply with routine guidelines”.
There is a salutary lesson here for company directors in terms of their legal and moral responsibilities. Too often in the boardroom, risk management has been given scant attention in comparison with other topics and is rarely used to support strategic decision-making. There are three main reasons for this. First, risk management is often an unprioritised catalogue of all the things that could go wrong rather than a focus on what needs to go right, so it is seen as a niche activity and an overhead cost rather than a key enabler of corporate objectives. Second, activity defaults to static risk analysis (characterised by intermittent spreadsheet review) rather than dynamic risk management fed by an array of risk intelligence from inside and outside the company. Third, false comfort is derived from such static risk analysis because it is either too superficial (often accompanied by a series of traffic lights and directional arrows) or overly quantitative (with ‘reassuring’ complexity that can be difficult to interpret).
One particular area of risk attracting significant attention right now is the General Data Protection Regulation (GDPR), which comes into effect in May 2018. The purpose of GDPR is to strengthen and unify data protection for citizens by providing common rules relating to the processing and movement of personal data. However, the advent of GDPR could have big consequences for company directors. Focus has inevitably gravitated towards the increased maximum fine, up from £0.5 million to the higher of £17 million or 4% of global annual turnover. Whilst financial penalty will continue to be a last resort for the Information Commissioner’s Office (ICO), the wider suite of sanctions could also hit the top line through reputational impact or data processing restrictions, and the ICO supports the notion of making individual directors personally liable for data breaches. The key point is that the GDPR sanctions regime will be applied based on corporate behaviour before and after any breach – linking risk management directly to the Board’s responsibilities.
Organisations therefore need to change the narrative around risk. The international standard ISO 31000 is a good starting place – it clearly and succinctly defines risk as “the effect of uncertainty on objectives”, and visually depicts risk analysis as a dynamic process informed by indicators from inside and outside the company. A lot can change between occasional spreadsheet reviews.
For corporate directors to engage meaningfully in a discussion on risk, two key ingredients are needed. Risk must be linked to the achievement of objectives, and it must be addressed dynamically and be accessible throughout the organisation. Otherwise risk will remain an isolated overhead.