Corporate governance: Sticky wicket – risk management in financial services

The technology that analyses the effectiveness of different
bowlers during test matches has bounced ever further ahead in recent years. And
cricket watchers have gained insight as balls bounce in simulation down the
pitch, forming a matrix of coloured circles on the screen. It may illustrate the
extraordinary skill required to deal with the wily spin bowler, the terrifyingly
fast bowler and the ever-skilful swing bowler, but finance directors may be
permitted a feeling of déjà vu as they look at the matrix filling up with blue,
green and red discs.

They have seen all this before. Only, then, it was not in the enjoyable
ambiance of watching a test match on television. It was during the duller
moments in the boardroom at the section of the meeting all directors dread: the
point when the risk management team produces its periodic presentation on the
current state of risk management. Instead of the dangers of leg-breaks or
googlies, they are back in the world where the dangers of specific risks rise
and fall and the blobs on the matrix change colour, moving about the squares.

It is a bit of a yawn. The risk management people lay on the dangers with a
trowel, but they have so many systems and processes on the go that nothing can
really go wrong… can it? Anything dangerous, like the fast ball on its curve,
can be dealt with before it becomes a real threat. It is all under those
controls. And even if you have a lingering doubt at the back of your mind, you
can see that these chaps will have a way of providing reassurance. That, after
all, is their job.

Well, that is the illusion. Management theories provide comfort. They remove
the unexpected and create a warm blanket for the mind with all the
quasi-scientific graphics looking as though the theories contain genuinely
unchallengeable logic and infallible certainty. Indeed, so confident have the
risk people become, they will even argue that a corporate strategy should be
driven by risk management analysis.

These are worrying times: you can understand people clutching at straws. But
if you think it through, none of this can have the importance it has bestowed on
itself. The kernel of truth will remain, but companies need to strip away much
of the flannel surrounding these issues. And a report due out in October on
behalf of the Financial Reporting Council by consultant Independent Audit should
do just that. Sponsored by the ICAEW Foundation, it will study the way
non-financial companies satisfy themselves that risk is being dealt with
effectively. What it is likely to conclude is that risk is all about the culture
of an organisation, rather than the systems.

For Jonathan Hayward, Independent Audit’s founder, the findings of the
research are likely to coincide with his long-held view that business is about
people, not process. The study looks at how things work in non-financial
businesses, but, Hayward increasingly feels that the same broad truths work for
financial businesses, too. Those banks which have come out of the crisis well
are those that had a risk culture running through everyone in the organisation,
rather than being confined to a centralised, process-driven unit. The banks that
did not were those that felt the process had everything under control.

“The emphasis on risk management in financial services distracted them from
the basic point ­ the human factor,” Hayward points out. And from there, it
progressed to the traditional dangers of a systems-based process. People work
around the process, rather than looking at the issues with a sceptical and
common-sense attitude of their own. Deals are set up because they could be set
up. The measure of whether they were dangerous or not comes from the processes
and not from intelligence, understanding or insight. “A good deal was what you
could get through the risk management people and the risk management systems,”
says Hayward.

That is the wrong way to do it. But the research suggests it is not as
widespread in non-financial companies. Throughout the research, Hayward
professes himself to having been “pleasantly surprised at the emphasis people
have put on the human factor, rather than the process” ­ vindicating this
hypothesis.

It makes sense and it gives credence to anecdotal evidence that, in large
companies, health and safety is the key. Health and safety has become the butt
of much humour.

But having a good health and safety culture seems to do something other than
keep people safe. It creates an environment where, with the small things being
done well, the large issues are thought about and dealt with as well. It is not
dissimilar to a zero-tolerance approach to crime. Coming down hard on the small
things has a real effect on the large things as well. Risk is about attitudes,
not matrices.