All companies are exposed to risk from time to time. This can be from external factors or the business itself taking risks in the hope of achieving commercial reward. Risk is an important part of business and can lead to growth. The magnitude of risk varies: some risks have only a low impact, but others, depending on the nature of the business and the risk, can have a more profound impact on the business and its stakeholders. This can include the business’s shareholders, employees, customers, creditors, suppliers, the market, the environment and society in general. As such, it is important for businesses to manage risk effectively.
Within a company, the responsibility for managing risk lies with the Board of Directors. The UK Corporate Governance Code expects that the Board should determine the ‘nature and extent’ of significant risks that the business may take in achieving its strategic objectives. Although many corporate governance reports and guidance are aimed primarily at large firms, small firms, as well as larger PLCs, need to be mindful of the risks facing the business.
Directors should act in a way that protects the firm and its assets. The Companies Act 2006 (s.171-177) sets out seven explicit duties that all directors must adhere to. Of particular relevance to the management of risk are the following:
- Directors must promote the success of the company (s.172): This means that directors must consider the long-term impact of decisions on the business, its reputation and its stakeholders.
- Directors must exercise independent judgement (s.173): This means that directors should not be unduly influenced by others. They should be prepared to challenge and vote according to their own judgement, even if it means being in a minority of one.
- Directors must exercise reasonable care, skill and diligence (s.174): This means that directors must act diligently, applying the level of care and skill that would be expected of a diligent person carrying out the functions of a director in relation to the company.
Firms should be diligent in how they deal with risk. Putting together a disaster recovery plan (or an ‘emergency’ or ‘contingency’ plan) is a useful way of doing this and is something that most (but not all) firms do.
Having a written plan is all well and good, but it must be tested and kept up to date. The Turnbull Report (1999, 2005) and more recent guidance from the Financial Reporting Council have noted the importance of embedding effective internal risk controls into a company’s procedures. This includes having regular reviews of the relevant plans, which should consider changing circumstances and new, emerging risks. Moreover, plans should not be generic templates; they should be produced with direct reference to the needs of the individual business.
An effective Board therefore needs to keep on top of risk management. To do this, it can be helpful to assign a specific director the responsibility of championing risk management and reporting on risks to the Board at each meeting (all directors retain overall accountability, however). Having risk management as a standing item is also helpful and ensures that all directors engage in discussions around risk on a regular basis.
Risks should be prioritised so that they can be dealt with in a proportionate and timely manner. The Board should set objectives for managing these risks and monitor progress accordingly. A useful way to do this is for the firm to maintain a Risk Register. The directors should also involve managers at all levels in identifying, assessing and managing risk, consulting with other staff where appropriate and relevant.
Annual reports should contain details of the company’s risk management process and its internal controls to give the shareholders confidence in how the directors are managing risk. After all, the directors are taking risks with the shareholders’ investment.
Larger firms may also consider setting up dedicated risk committees to focus specifically on risk and to offer advice to the Board accordingly.
Ultimately, the Board of Directors is accountable for risk management. If things go wrong, the buck stops with them. In serious cases, particularly those involving health and safety, this could even lead to heavy fines or imprisonment. As such, it is prudent for all companies to have in place effective corporate governance, systems and controls to manage risk and to reasonably ensure that these procedures and risk assessments are written down and properly recorded.
Some risks, of course, are acceptable but others are reckless and an effective board needs to be able to distinguish between the two.