Risk management implications of the 2018 Code
November 13, 2018
It would be easy to see the revised UK Corporate Governance Code as being much less significant for risk and risk management than the 2014 version of the Code.
After all, the 2014 Code and the FRC Guidance on risk management, internal control and related financial and business reporting that accompanied it were consciously presented as an effort to “raise the bar” on how risk is managed. They refocused attention on a range of topics – including better positioning of principal risks, definition of risk appetite, and confirmation that a robust system of risk management and controls is in place – that have subsequently become ‘mainstream’ in UK boardrooms.
However, I believe there’s also a strong case for seeing the latest revisions, in the 2018 Code and the accompanying Guidance on Board Effectiveness – with their central focus on the relationships between businesses and their major stakeholders – as equally significant in the current environment. We’ve all seen the media attention on a range of topics that highlight these relationships (and how they can go wrong), including investor pressure over Board remuneration and the demand from talent to work for strongly purpose-led organisations. These pressures are only likely to increase and diversify in the months ahead. (You can read more about the ‘stakeholder agenda’ in PwC’s earlier publication Navigating the stakeholder agenda > Tackling the reporting challenge.)
Our view, therefore, is that far from being something Boards and Heads of Risk can ignore, the new Code raises a number of important issues for companies’ approach to Enterprise Risk Management (ERM). We’ve summarised these in the five questions below, which we hope will help management teams and Boards think through the relationship between risk and the stakeholder agenda in the context of the new Code.
- ERM usually identifies risks either against strategy or against processes/activities rather than on a wider front.
Given the Code’s enhanced focus on a company’s contribution to wider society [Principle A] and its overarching purpose [Principle B], should we be reframing our thinking around Principal Risks to those that will influence achievement of these outcomes as well?
- Stakeholders other than investors, and their perspectives, are emphasised to an unprecedented degree in the 2018 Code [Principle D]. Greater Board engagement with the workforce is explicitly encouraged, together with a requirement to disclose how the interests of these non-investing stakeholders have been considered in Board discussions and decision-making [Provision 5].
Do we need to revisit our current risk analysis so that it reflects the interests of internal and external stakeholders in a more nuanced way? Do we also need to think about including a more representative cross-section of our internal (and even external) stakeholders in our processes for risk identification, assessment and management?
- The revised Code specifically refers to the need for procedures to identify ‘emerging risks’ [Provision 28], and the Guidance on Board Effectiveness [Paragraph 122] recommends that processes for bringing rapidly emerging and crystallising risks directly to the Board’s attention “should be clear and … implemented quickly”.
Do we have an agreed definition of what emerging risks are – and a tried and tested methodology for detecting, analysing and addressing them as the Code and Guidance now require?
Do we have an appropriate system of early warning risk monitoring and escalation (for example utilising Key Risk Indicators (KRIs) and data analytics) that addresses the speed with which issues arising from stakeholder concerns can have an impact (through social media and similar channels)?
- All of the above considerations have potential implications for risk appetite, which is reflected in the Code’s continuing requirement [Principle O] for the Board “to determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives”.
Do we need to revisit how we articulate our desired risk-taking approach in light of the organisation’s purpose and the stakeholder agenda, including in relation to when and how to respond to emerging risks? And how can we be sure that this high-level articulation of our appetite is reflected at key decision points in the company’s everyday operations?
- The Board’s stewardship role in relation to company culture is far more prominent in this version of the Code [Provision 2].
Are we having the (sometimes difficult) conversations we need to be having about risks to culture? And are we also thinking about how risk management and internal control can help create and sustain a ‘healthy culture’ that will “promote integrity and openness, value diversity and be responsive to the views of shareholders and wider stakeholders”, as the Introduction to the Code recommends?
ERM is an area that rarely stands still, and we might sometimes feel pulled in particular directions by regulators rather than by inherent need. In this case, however, we think that the changes in the 2018 Code reflect the increasing demand inside and outside companies for ERM to provide more than simply aggregated, static risk information. Delivering value-enhancing insights that directly inform strategy execution and decision-making – and that support the embedding of the right culture and the enhancement of stakeholder relationships – has to be the right way forward.