Regulation, risk and entrepreneurialism

And lessons from the debate on risk appetite

You might well observe that the three key words in the title are the wrong way round. Surely entrepreneurialism comes first? And it is in that context that I have been struck by the debate that is raging around the political arena about growth and about the need for regulators to begin to articulate just how they can support growth. According to The Times recently, the Chancellor of the Exchequer is speaking to sixteen regulators to discuss their contribution to growth rather than their focus on risk (see comments for example).

And there, in that very question that is being put to regulators, we have an active debate about the government’s and society’s risk appetite and that of individual businesses. I graduated the year after Margaret Thatcher became Prime Minister. Whatever you thought of her politics, we witnessed a fundamental transformation in the nation’s risk appetite. Stuffy and unadventurous nationalised industries were privatised and regulators were established to oversee the newly deregulated industries. At the same time, if I understood the argument put forward by Professor Mike Power , we saw the privatisation of risk responsibility, as the consequences of risk were moved from being a government preoccupation, to being one managed by corporations under the auspices of regulators.

The shift in responsibility and accountability

We have seen a 180 degree shift in that responsibility, as government has been forced to once again take responsibility for the consequences of risk: the Global Financial Crisis, Covid-19, the contaminated blood scandal, the Post Office scandal, Windrush, Grenfell Tower, or Equitable Life. Society has demanded that Government take action, apportion blame and seek accountability. That has meant governments of all varieties accepting vast liabilities for the state, in other words for taxpayers. Simultaneously we have seen regulators devise ever-expanding rule-books to prevent risks from crystallising and impacting consumers (society). The much vaunted “risk-based” approach of the FSA under Sir Howard Davies and others was seen as being too weak to cope with the Global Financial Crisis, and it was replaced by a far more prescriptive rule-book under the new regime of the FCA. This has been replicated by many other regulators, where rule-books have been drawn up to prevent harm to consumers at an ever more granular level. So the debate today is eerily familiar, even if it has a sense of Back to the Future about it.

Risk Appetite and Tolerance

Some years ago, I was privileged to lead a working group on, and then substantially write “Risk Appetite and Tolerance – Guidance Paper” for the Institute of Risk Management (the IRM). One of the diagrams that I developed helps to crystalise exactly what is going on here. In diagram 6 on page 16 of this booklet (which is still available on the IRM’s website - see comments for link) I suggest that all companies have a propensity to take risk and that they all equally have a propensity to exercise control. Other things being equal, I suggest that at a strategic level, there is likely to be more of a preponderance to consider risk, and at an operational level, a greater preponderance to emphasise control. But I also suggest that the capacity of the organisation to manage this trade-off and the maturity of the business were influenced by a variety of factors.

What I spectacularly failed to identify on this diagram, although it is referenced at various places in the text, is the regulatory environment. At the time we were addressing the requirements of the FRC for boards of directors to consider risk appetite, and we were not looking at individual regulatory requirements.

Here is the diagram:

In talks and lectures subsequently, I would often argue that the angle of that line between risk taking and exercising control, and the time devoted to each at various levels of the organisation, was critical to the long-term success of the organisation. A horizontal line would imply an absence of dialogue between those taking risk and those exercising control, resulting in a mismatch. A vertical line, might well indicate an absence of control over more junior members of staff taking inappropriate risk and an over emphasis of control in the boardroom. Where the line becomes delaminated, we would witness confusion, poor management and uncontrolled risk taking. Equally, I would suggest, the size of each of those triangles is critical, and just who is focusing on them.

The practicalities

I think that in the context of the debate about growth rather than risk avoidance, launched by Keir Starmer and Rachel Reeves, one could argue that the exercise of control has become unduly dominant and the ability to take risk has been sorely constrained. Of course, while this is a “nice” academic debate, the real-world consequences are critical. I recall, when my daughters were really quite young, that they liked to play-fish with sticks on the banks of the river near my home. They were fully acquainted with the risk of falling in, and were therefore careful. When some friends joined us, within five minutes, one of their daughters fell in the river, causing me (and their father) to run faster than he or I had ever done before… In one personal family event, my ideas of risk collapsed in the face of what could have been a serious mishap. The real world, commercial equivalent of that family issue is that where a company fails, or develops dangerous products, or a group of consumers, or employees is damaged by a regulator reducing the rule-book, who is going to pick up the tab? Company, or Government? Or to be brutally practical: will greater risk taking result in financial losses, loss of life or failing infrastructure? Is that a trade-off that society is willing to accept in order to see greater economic growth?

Rethinking risk management

In answering these questions, I would urge regulators to allow risk managers to revert to managing risk, rather than focusing on the failure to meet the requirements of the rule-book. Too often today, the focus of risk managers is on being internal control managers. Risk management is seen as a control function rather than a risk function. I see CRO’s becoming key strategic partners to the CEO, where they can unleash risk management as a strategic lever.

I suggest that CRO’s (and indeed boards, CEO’s and all senior managers) should focus on six areas: the heart of risk management, and which divide into three pairs of tensions:

Taking more managed risk – v – Avoiding pitfalls

Creating a performance culture – v – Managing corporate ethics

Dealing with today’s issues – v – Dealing with multiple potential tomorrows

I illustrate this in the following diagram (for a fuller explanation of these tensions see comments for link to video):

Tomorrow's risk management

Today, in the UK, we are focused too much on avoiding pitfalls, organisational ethics and dealing with today’s issues, and we do not sufficiently balance those with taking more managed risk, the performance culture and the importance of our potential multiple tomorrows.

The opportunity

If regulators were to facilitate the management of risk, rather than purely focussing on the avoidance of failing to comply with the rule-book, it is likely that we could unleash a new age of entrepreneurialism that would underpin growth into the future. And risk management would become:

the disruptive intelligence that pierces perfect-place arrogance in pursuit of strategic growth.