A group of blind men examining an elephant will each only understand part of the elephant because their differing perspectives only bring information on the trunk or the foot. In the same way, the concept of risk in business can be handled poorly at board level because each Director often brings only one perspective to the table. While Directors are usually aware of the relationship between risk and reward, the standard tools for risk management and even risk allocations in contracts, they may understand only part of the phenomenon and only from a limited perspective. The perspective may be the OH&S practitioner’s view on preventing events by compliance systems. It may be the actuarial approach of seeking to identify the probability of events that may occur, and then to price the product which shares that risk across a large number of parties. The director very likely brings the mindset of an Investor who actively seeks out risk in return for higher payments in the hope that the risks may not materialise.
A director approaching his (her) role in a board environment brings some or all of these background ideas to the table. However, these perspectives don’t really prepare her (him) to make a valuable contribution to the management of the broad spectrum of risks faced by a company. So what is the appropriate role for a director?
One of the board’s key responsibilities is to establish a framework within which management can operate confident that the intent of the shareholders is being honoured in the company. In relation to risk management, this role usually translates to the establishment of a risk charter identifying who is responsible for the management of business risks, how they should be reported, when they need to be brought to the attention of the board and how they should be managed. It is normal for these policies to be made available for investors to peruse in order to assist them in investment decisions relating to the company. The board takes responsibility to ensure that investors are fully informed, and what more important piece of information do they need than how risk is being managed?
Risk management, emerging risks and changing risk environment should be considered by the board on a regular basis. This task demands a regular review of the risk environment and its consequences for the company. For an infrastructure PPP this requirement may place unreasonable demands on the small, busy management teams of the SPV, but it is the directors’ responsibility to set up enough communication for risks to be brought into the open on a regular basis.
The design and implementation of a risk management system is the role of management, and the detailed identification and review of risks central to this management task. Notwithstanding that demarcation in responsibility, an experienced director with hard earned scar tissue and a few war stories can often assist in the tricky task of identifying risks, and it is essential that this experience is brought to the table early in the risk management cycle. CEOs are often protective of the Risk “Turf” and can be sensitive about interference in their roles. It is beholden on the director to bring the relevant experience into the discussion without undermining the responsibility of the CEO. This is a common directorial problem and easily solved by sensible relationship building and tactful communication.
As part of its compliance responsibility, the board must review the contents of the risk management plan for completeness and appropriateness and ensure that the Risk Register is properly established, including allocation of managed risks to individuals. This responsibility is ongoing as risks emerge and wane according to the stage of development of a company or project and the business environment. For example, in an infrastructure development project, risks change between construction and commissioning and again when operation of a facility is established. In particular, there is an acute gap risk at the interface between these phases where handover between builders and operators may not be as smooth as one would hope.
The board should also confirm that the risk management system manages material business risk. One useful exercise to support this responsibility is to examine events which have occurred and discuss how they were identified, tracked, captured and managed by the risk framework. This testing of the risk machinery can reveal gaps in the system both in design and operation, or perhaps it will demonstrate a well-functioning system and give the board considerable comfort. This test can be supported by regular reporting on the effectiveness of risk management which should attempt to answer the following key questions:-
1. Did we anticipate the risks which have emerged?
2. Did we manage the risks as they were planned to be managed?
3. Did we achieve the outcome of mitigating the risk as it emerged, or indeed preventing it from emerging?
One key responsibility that the board must accept, particularly in the case of PPP or infrastructure projects it the management of the original project risk allocation. Considerable effort and negotiation time is expended on allocation of risks during the documentation of major infrastructure project. Often the people who expended that effort move onto the next project and the investors appoint a director to represent their interests at the SPV. The most likely change to the negotiated risk allocation during project delivery and early operations is that the Construction Contractors, Government, Banks and other stakeholders seek to transfer their allocated risk back to the SPV.
The directors’ job is to let management do the managing, but at the same time to understand the risk allocation and the management of risk within the SPV so as to ensure that there are no gaps in the risks or the management system. The directors must satisfy themselves that the system works and is kept to date. It is only with that vigilance and confidence that they can be sure that the risks fall where they should and the returns are not jeopardised by leakage of risks between the parties.