Ignorance: the last Hiding Place for Risks
Richard Anderson
Experienced Board Chair, Committee Chair and Non-Executive Director, Board Advisor, Risk Consultant
Recent Corporate Governance failures show that we need to radically rethink our approaches to risk and its management.
There are many flavours of risk. For example, we know what will happen if we leave ice cream (thinking of flavours) out of the freezer overnight. We know that if we don’t look both ways as we cross a road (even if it is supposedly a one way street) that we might get run down, so we teach our children to look both ways. We know that mismatched maturities on assets and liabilities can result in serious losses and even bankruptcy for banks, so they employ specialists to manage the mismatch.
In a corporate sense, there are very few organisations that don’t manage these obvious, daily experienced risks. Most companies balance their books and reconcile their bank accounts to their bank statements. Most organisations have access to specialists, professionals if you like, who help them to manage their treasury or forex risks. We have a pretty good idea of what could happen if we don’t manage these risks, so we do so.
We can put in corporate procedures to make sure that we don’t unknowingly flout rules and regulations. We can employ compliance experts to manage those risks, and we can consult legal experts to advise us, and lobbyists to help us get the rules changed. In other words we can navigate through and around these risks. This is not to deny that some organisations fail on this front, that is a different issue.
Here Be Dragons...
But sometimes we don’t know. We simply do not know. On ancient maps, mariners and cartographers wrote: “Here Be Dragons”. But gradually, knowledge replaced ignorance, and we knew that we could circumnavigate the world without encountering dragons (unless we went to Komodo…). As Professor John Adams said, in the absence of knowledge, people will respond to risks based on their “ignorance, preconceptions and prejudices” which allows them to argue for anything that fitted their world outlook.
In this world of increasing global knowledge, nobody can know it all. Medical doctors have specialisms, engineers specialise - you might not ask a bridge specialist to design a satellite - some accountants know about tax, some know about audit, but next to none of them can cover the full spectrum of “Accountancy” knowledge. The number of books written each year precludes keeping up, let alone the volumes of erudite articles. And however many people you have in your organisation, the chances that you have the unique combination of knowledge that addresses areas where “here be dragons” is remote.
The limits of iNED knowledge
Oftentimes organisations, and particularly their boards, and especially their non-executive directors, do not know where the boundaries of knowledge and the lack of knowledge, ignorance, exist. Ambitious managers are loathe to say they do not know. And this is where the “strategic” risk manager comes in to play a part.
The “strategic” risk manager knows to ask questions, loads of questions, of loads of people: they ask people directly involved, and those barely tangentially involved. They ask senior people and they ask junior people. And while they are unlikely to create knew knowledge, they are able, a bit like using a sonar, to identify signals that show the vague outlines of possible futures that have yet to be mapped.
The power of conversations
Many times the first outlines of possible futures can be picked up in the conversations and discussions that are being held amongst the team, or with suppliers and customers, or with regulators or in fact with anyone in the ecosystem within which you operate. But how do these vague signals, weak signals get amplified and reported up to a board where the risks have been squared away in the certainty of a risk register that itself has been squared away through the rigour of risk meetings, risk reviews, managerial oversight?
Regrettably there are many examples of non-executive directors being blindsided by CEO’s who control the information flow to them, whether that is the Post Office, or Water Companies where the regulator has said that NEDs were insufficiently curious. I have little doubt that the boards reviewed the risk registers, they may even have debated the risk rankings and the colours ascribed to them. But they apparently only acted on the map of the corporate world that was presented to them.
Three possible remedies
Three remedies suggest themselves to me:
1.??????? iNEDs should have unfettered access to executives and others without the hindrance of the CEO. They are not there merely to discharge Corporate Governance duties in the confines of the boardroom – a rubber stamp approach to governance. They have to be talking to staff up and down the organisation, to customers, to suppliers, to people across the ecosystem within which they are operating. This is not a one or two day a month exercise: it requires the investment of time.
2.??????? Chief Risk Officers (and ALL companies above a certain size should have one!) should report directly to the Chair of the Risk Committee, and just as there is a private session of the Head of Internal Audit with the non-executive members of the Audit Committee, so should the CRiO (I insert a lower-case “i” to distinguish from Chief Revenue Officers…) meet with the non-executive members of the Risk Committee. And the CRiO should be tasked with looking for the boundaries between knowledge and ignorance.
3.??????? iNEDs should seek out information about the DNA of the organisation by understanding the Risk Conversations that happen within the organisation, and at the organisational boundaries. This is a topic about which I have been passionate for many years – I am finally on the verge of making it possible (see www.riskconversations.com)?
Heavy baggage
Ignorance carries a heavy baggage of negativity in our knowledge-based world where LLMs can tell you anything. But if you look at ignorance as merely the absence of knowledge, then it becomes the space for innovation and creativity. It also becomes the space for strategic risk management. We now need to embrace our lack of knowledge, recognise it as the space for innovation, and to work with ignorance, the last hiding place for risks.
Richard Anderson is a portfolio non-executive director, and is also a risk management consultant in which capacity he is developing an AI-powered engine for identifying, analysing and visualising Risk Conversations (see www.riskconversations.com)
Advocate for integrating risk and quality management to improve performance and resilience.
6 个月Good series, good post, and plenty to contemplate here, starting with what constitutes a risk. Like metrics, too often the 'risks' articulated are the ones we CAN articulate rather than those that SHOULD draw our focus. I've seen risk registers full of problems with obvious solutions that just haven't (or even which have) been implemented yet, but which have no real drawbacks, merely because the process of generating and scoring a register is deemed sufficient. Reframing risk management as the appreciation and resolution of uncertainty based problems with strategic implications is key to finding value from the risk function.
Head of Risk & Insurance
6 个月Totally agree with this thank you Richard. There is so much focus on process (which has its place) and tick boxes that people forget the bigger picture and ‘uncertainty’ which is often the better word to use than ‘risk’ which then people try to reduce to a scoring scheme and target dates
Founder | CEO | Senior Advisor | Strategy | Risk | Treasury | Liquidity | Capital Markets | Structured Finance | Derivatives | BASEL | CCAR | FRTB | Tech | PE | VC | M&A | Valuation | Due Diligence | Litigation Support
6 个月Corporate Governance (or lack thereof) and Risk Culture (ditto) are seen often as Big Red Flags when Startups engage Go-to-Market Strategy discussion and Buy-Side Due Diligence with an "UberEats" mentality. Kudos, Richard Anderson
Strategic Senior Consultant | Banking Risk & Audit Specialist | Championing Internal Controls
6 个月Richard Anderson .. just some questions if you can share more views 1. Can you elaborate on how organizations can balance the need for risk awareness with the potential for information overload? 2. How do you recommend addressing cultural or psychological barriers to risk awareness within an organization? 3. How can organizations ensure that risk awareness is maintained over time, rather than being a one-time initiative? 4. How do you recommend addressing the challenge of "unknown unknowns" in risk management? Your insightful thoughts very much appreciated Sir. Thanks in advance..