By Prof Colin Coulson-Thomas
Ethical and virtuous conduct are pursued by some for their own sake. From a board perspective, corporate ethics and risk are inter-related. A lack of integrity and unethical conduct, can lead to a breakdown of relationships based upon certain expectations and trust, damage personal and corporate reputations, and result in penalties and cost. Their consequences can include an increased risk of cover-ups, investigations, apologies and blackmail. Boards should ensure their own conduct is impeccable and that corporate conduct is fair, balanced, defensible and proportionate.
The contemporary business and market environment is uncertain, and for many boards it is a source of insecurity. Its nature raises questions about the leadership that directors and boards should provide in challenging times (Coulson-Thomas, 2018c). Will they become reactive and risk averse or will they find new ways of coping? Incurring risk is a consequence of entrepreneurship, dependence, relationships and the operation of markets. It is evidence that one is alive and active and trying to accomplish something or make progress towards a desired objective.
An unwillingness to incur reasonable risks in order to accomplish a desirable objective or shared goal could be regarded as irresponsible where risks can be avoided, reduced, shared or insured against, accepted as worth taking in relation to costs, benefits and probabilities, and alternative courses of action with different risk profiles can be explored. An awareness of risk and the ability and confidence to confront and cope with it is essential for effective human and corporate operation.
Corporate Ethics and Risk Management
Despite its importance, the status of risk management and its future cannot be taken for granted (Coulson-Thomas, 2017a and c). What should the role of a board be in relation to corporate ethics and risk management? Are directors providing general guidance, formulating policies, monitoring compliance and dealing with difficult moral dilemmas that are referred to them and weighing the risks involved in important decisions on the board’s agenda? Are they also ensuring they are role models in terms of their own conduct? Do they give a lead in fostering an ethical culture of compliance with relevant laws, regulations and corporate values, responsible and sustainable conduct and good governance?
In relation to values, are some business leaders and directors leaving themselves open to charges of hypocrisy? It has become fashionable for board members to suggest that other people’s values need to change because of behaviours that are considered undesirable. However, criticised behaviours such as greed are sometimes caused by their own priorities and the performance assessment, promotion, incentive, reward and remuneration, and other policies they establish. Human nature and behavioural risks should be taken into account when board policies are formulated.
Board Responsibilities and Oversight
A board will be expected to establish the risk appetite that applies in various areas of corporate activity and arenas of operation. What steps should it take to ensure that the people, partners and stakeholders of an organisation are aware of the level of risk it is prepared to tolerate? Are directors equipped to assess the risks arising in particular situations and circumstances, and to recognise when a limit has been reached in terms of acceptability? What arrangements are required to ensure a board has oversight of the risks being run in different activities and locations, and that appropriate steps are being taken to mitigate these risks?
Boards need to ensure that an executive team, its advisers and those to whom it delegates responsibilities relating to risk, such as a risk or an audit committee, have the competences to do what is expected of them. Are those with varying responsibilities relating to ethics and risks across the financial, legal, compliance, governance, internal audit, cyber security and risk management communities sharing their concerns, discussing root causes and alerting the board as appropriate? Are their plans integrated and are their priorities risk based?
Are boards supporting the independence and standing of those whom they themselves rely upon for assurance (Coulson-Thomas, 2018b)? Are their advisers aware of and open about declaring factors that might constrain the objectivity and independence of their risk and other assessments? Do directors scrutinise how management responds to recommendations resulting from various audits and periodic investigations? Do such responses suggest an understanding of the issues concerned? Are they balanced, considered and proportionate? Is the HR community also in the loop in relation to the risks of corruption, bribery and fraud?
Competitive and Secure Networks
Mention conduct and risk to some directors, and they respond that they have appropriate directors and officers insurance cover. The risk management perspective of others appears to stop at the boundaries of organisations on whose boards they sit. It should embrace wider networks of relationships. Such networks need to be competitive (Bartram, 1996). They must also be secure. Boards need to take steps to ensure ethical and appropriate conduct and the management of risks across supply chains and relationships with customers, business partners and other members of a corporate network and those linked by greater connectivity and the internet of things.
Are supply chain interruption and other risks, and trends relating to them, in the local, national and international business environment identified and monitored? How are they perceived? A chain or network is only as strong as its weakest link. Unethical and/or inappropriate behaviour in a distant part of a supply chain or network can cause reputational damage and financial loss elsewhere. Hackers, scammers and fraudsters often look for entry into organisations via unguarded back doors.
Are companies collaborating with other parties and participating in collective initiatives to combat fraud and exploitation and protect stakeholders?
Cyber-security presents particular challenges and directors and boards should always be alert to what might need to change in relation to it (Leech and Hanlon, 2017), Are people aware of the risks of entry resulting from greater connectivity, the inter-connectedness of systems, the sharing economy and of more devices being connected to the internet of things? Have points of vulnerability been identified? Are they penetration, stress and resilience tested? Are incident and recovery and collaboration and information sharing arrangements in place?
Enterprise Risk Management (ERM)
Is innovation largely perceived by risk professionals as a source of risk, or are innovation and ERM seen as actual or potential partners (ACCA, 2016)? Boards need to ensure that ERM frameworks, plans, strategies and practices are relevant, living and cost-effective. They should encourage responsible, balanced and creative thinking about risk and be perceived positively as supportive of creativity, innovation and entrepreneurship and not negatively as an overhead cost and a source of bureaucracy and delay. Policies, practices and arrangements need to be reviewed and should evolve as corporate objectives and priorities change and developments occur in the business and market environment. The nature of contemporary risks are such that a board’s perspective should be global.
An existing approach and framework should not be taken for granted. Are analytics appropriate for contemporary, mutating and inter-related risks? Is a structured approach to the assessment, analysis and evaluation of process-systemic risk sufficiently flexible to cope with diversity, change and the introduction of new business models? Are there aspects that can be both automated and enabled to learn and adapt? Many companies still lack an integrated ERM system (RIMS, 2017). How comprehensive is an ERM framework or model in terms of embracing various financial, legal, operational, political, regulatory, technical, physical, security, hazardous, environmental, reputational and other risks? Are behavioural factors taken into account?
Are the right functions, people and business partners involved in ERM activities? Are the requirements of investors and other stakeholders for assurance that risks are being identified and addressed being taken into account? In areas such as legal, regulatory, security and reputational risk is sufficient attention given to factors such as culture, ethical conduct, integrity and trust? Are the prioritisation of risks and appetites and mitigations relating to them being regularly reviewed? Do risk frameworks, maps and models extend across an enterprise and its network of relationships? Do they embrace supply chains, joint ventures, and multi-partner and multi-national projects?
Are boards seeking assurance that resilience and recovery and other ERM plans are being tested where appropriate and areas of vulnerability are being identified and assessed? Are external models and international standards being adopted in ways that are appropriate to a particular company’s situation and its diverse and changing requirements? Are they adapted, modified and developed as appropriate? Are models and frameworks slavishly adopted and unthinkingly applied, or are they intelligent and evolving? Overall, are the approaches of different functions that analyse and address risks in their areas consistent, coordinated and properly integrated to provide the board and stakeholders with balanced, integrated and unified assessments and monitoring reports?
Corporate Ethics and Legal Compliance
Ethical behaviour and compliance depends upon internal factors such as one’s personal needs, predisposition and values, and external factors such as the existence of monitoring and peer pressure, the balance of possible costs and benefits and the probability of being found out and/or caught. Directors and boards can exert more influence on some factors than they can on others, and this may vary according to the person, group, situation and context. A corporate culture and group and social norms can also influence some factors more than others. The challenge for boards is to find ways of encouraging or ensuring the compliance of the most resistant without imposing disproportionate costs and constraints on others that might hinder their performance.
Is the right balance being struck between incentives and penalties? Is legal action taken when appropriate? Are assessments made of the costs and benefits of surveillance and monitoring, initiating actions and of legal and regulatory compliance? In financial services, such analysis has been found to increase awareness of the benefits of regulatory compliance (Alfon, 1997). Is the cost of compliance compared with the possible consequences and resulting costs of non-compliance?
Is emotional intelligence and awareness of others and of the implications and consequences of one’s actions taken into account in selection and promotion decisions? Are investigatory and disciplinary processes and procedures timely and fair? Are managers aware of behavioural factors and sensitive to the pressures and temptations that people face? Is the leadership provided by the board and senior management doing enough to role model ethical awareness, concern and behaviour? Is it nurturing an ethical culture and raising the ethical bar? What more can and should directors and boards do?
Board Conduct and Policies
Returning to a question raised earlier, is the board itself doing enough to encourage ethical and responsible conduct? Is sufficient attention paid to the role ERM can play in preventing corporate scandals and so protecting reputation and trust (Minsky, 2017)? Are directors clearly acting in the best long-term interests of the company or giving priority to their own self interests? Are some board policies increasing the risk of certain forms of behaviour?
Do remuneration, reward and promotion practices favour those who pay lip service to ethical considerations while sailing close to the wind to achieve their objectives? Do incentives encourage responsible conduct or a culture of greed? Are people put under pressure to achieve certain corporate objectives to such as extent as to compromise proper risk assessments? Do they sometimes cut corners in order to achieve results? Does excessive cost-cutting and enforced restructuring alientate people? Can this have ethical risk consequences?
Do corporate governance arrangements and related policies and codes of conduct encourage and support ethical conduct and thinking compliance? Do they take account of social, cultural and contextual factors? Are people engaged in ethical considerations and encouraged and willing to be whistle blowers when they come across cases of inappropriate conduct? What happens to them when they speak up? Are they treated fairly and without negative consequences? Are cases properly investigated without the involvement of those who may have a conflict of interest?
Financial and Banking Sector Risk Management
Financial services face particular challenges. Risk management arrangements relating to them need to evolve to match changing requirements (Fox et al, 2011). There are systemic and institutional risks. As one saw in 2008, the degree of interconnectedness, volume of internal and external transactions, use of automated trading systems, widespread practices and human greed can combine to such an extent that issues in some jurisdictions can cause problems elsewhere, and even threaten the international system. As one saw with Barings, the activities of a single rogue trader can bring down a long established and respected bank. New business models, digital technology and entrants to certain market sectors pose a threat to established players that do not move with the times.
Money is a flexible and valuable commodity that is unequally distributed and much sought after by those engaged in both legitimate and criminal activities. It is also widely used as a measure of achievement and success. Its acquisition can become an end in itself. An excess of outflows over inflows that leads to a deficiency when required can result in insolvency and liquidation. Cash flows have to be carefully watched by a board, but are financial resources sometimes given too much attention in comparison with intellectual and scarce natural resources? Are caution and prudence given excessive priority compared with entrepreneurship, innovation and responsible risk taking? Should major banks be regarded as ‘too big to fail’? Is the moral hazard that can result acceptable?
How many board members really understand financial accounts, instruments and statements? Does narrative reporting adequately explain the inter-related nature of risks, strategies, challenges and opportunities faced (ACCA, 2017)? Are too many directors ‘out of their depth’ when financial matters and risks are discussed? Do they know enough to make sound judgements? Who can they trust to give them objective advice? Are their advisers objective and free of vested interests? In an era of greater automation, expert systems and more competition, will financial institutions be able to justify current service fee levels? Will the number and the relative salaries of bankers fall?
Does the development and validation of operational finance risk models incorporate stress and resilience tests? Are back up and contingency arrangements in place in relation to financial failures and access, transfer and denial of service issues? Are some companies overly dependent upon a relatively small number of customers, suppliers, offerings and/or major projects? If so, are their financial health and relevant financial trends monitored?
Implications of Digital Technologies for Risk Management
Certain technological developments have implications for directors and boards. They pose challenges and create opportunities. Their impacts may be felt by some stakeholder groups more than others. They create new risks and new ways of monitoring, mitigating and responding to risks. Boards should ask whether a company has the capacity to cope with disruption and catastrophic risk (Kunreuther and Useem, 2018). Among directors and stakeholders there may be varying opinions on the acceptability and priority of different risks. Greater ability to monitor large quantities of data across multiple issues can lead to improved early warning systems and more accurate assessments of probabilities. It can also allow a wider range of possibilities and responses to be explored.
Do boards consider human and other implications and risks of greater use of automation, robotics, 3D printing, autonomous vehicles, AI applications, connected products, new business models and other technology enabled developments as well as their advantages? Are end-to-end and lifecycle costs being taken into account in risk assessments? Do corporate policies and values need to be reviewed? Are corporate guidelines and new and different forms of regulation required to ensure responsible adoption? How should stakeholders be involved? Are new governance and/or advisory arrangements required? What policies for inclusive innovation would address concerns, mitigate risks and reduce opposition to new technologies and maximize their benefits of (Juma, 2016)?
Will challenges lead to greater risk aversion and missed opportunities? How will new technologies impact upon the management of IT, cloud based risks and data security, and the evolution of investment, corporate, sectoral, national and global risk assessment, monitoring and management practices? Could certain technologies reduce risks associated with global warming (Keith, 2013)? How might particular technologies be used for undesirable purposes, such as cyber-crime or to mitigate them? How should data and other governance strategies be developed, scaled up and implemented across supply chains and corporate networks to cope with new risks? Will adopted corporate and collective approaches influence whether they are viewed as disruptive or enabling?
Recurring Issues and Risk
There is sometimes a tendency to take the fundamentals of risk management and recurring issues for granted (Hopkin, 2012). Like the poor, they always seem to be with us. In terms of relative poverty this is always likely to be the case if the freedoms associated with markets are maintained. Directors sometimes adopt a fatalistic attitude towards continuing risks. They may view them as a given and as a cost of doing business, hoping they can be covered by insurance or that action will be taken by Government or someone else. Because they will impact upon all companies, maybe they will not put a particular company at a competitive disadvantage. Because corporate operations have continued in spite of them in the past it might be assumed this will be the case in the future.
This complacency overlooks opportunities to secure a march on competitors by doing something different that has an impact and might become a differentiator. It also assumes that past conditions will continue to apply. Are directors questioning management and providing challenge (Coulson-Thomas, 2017b)? What if the situation suddenly changes because a tipping point is reached? Balloons do not keep expanding for ever without bursting. At some point a dam may burst or overflow, or an activity may cease to be viable. Perhaps at some point different factors might combine or interact to create a new situation, such as when rising water reaches a live power cable.
The Timing and Crystalisation of Risks
The best and worst aspects of human beings can create risks and opportunities for fraud and theft at any time when and where people are involved (Sapolsky, 2017). How exposed are companies to financial fraud, currency movements, asset bubbles, interest rate rises, exchange controls, increasing costs, falling margins and credit and various other financial risks? Are boards taking reasonable and affordable steps to prevent fraud and other risks? Can one isolate, protect and/or insure against certain risks? Does a company have access to the expertise it needs to respond and undertake forensic accounting and other investigations when fraud occurs? Does it and financial institutions have the capability to cope and quickly recover when risks crystalize? How resilient are the institutions and markets upon which it depends? Are there robust pre-audit and other arrangements?
The timing of tipping points and discontinuities when risks crystallise and probabilities, situations and their consequences suddenly change are often difficult to predict. Directors and boards sometimes fail to spot when an activity is likely to fall over a cliff. Ravines and canyons can be difficult to spot until one is really close to the edge. It may then be too late to slow down and reverse direction. When people are busy and under pressure, they may be tempted not to put in place the response and recovery mechanisms needed to deal with something that may not happen during their tenure of office, or which has been categorised as a “once in a hundred years event”.
The impact of some natural developments could be cataclysmic (Mitchell, 2018). As global warming continues and weather patterns change, hitherto rare events such as flooding are becoming more common in some parts of the world. If consumption of scarce natural capital such as certain minerals continues at the current pace, and in the absence of new discoveries, the emergence of alternatives and relevant innovation, we may run out of supplies. Infrastructure, whether public or private, that is overworked in relation to expectations at the time of its construction, and which has been poorly maintained as a consequence of budget constraints, is likely at some point to fail. Various risks may crystalize at a time when people are least ready and able to deal with them.
Governance Arrangements
Governance arrangements relating to risk should not be taken for granted and may need to evolve (Bugalla and Narvaez, 2017). Many boards used to find that an annual calendar of meetings and board practices allowed them to deal with most discrete issues as and when they arose. For many directors, being available to address self-contained issues that crop up between annual meetings of shareholders was a justification for their existence and role. Departmental corporate structures meant issues could be categorised and routed to appropriate specialists who could handle them with or without intervention from the board while others carried on the general work of the organisation.
The issues faced by many boards today are more complex, enduring and interdependent, and responses to them often require more than incremental change (Coulson-Thomas, 2018a). Certain issues have also become more significant in their possible implications and their categorisation can be more problematic. Addressing them may require a multi-disciplinary and – when a company’s own capabilities are insufficient to deal with them – a collective approach. Such issues may also be increasingly regarded as strategic rather than simply viewed as operational matters.
Some directors may also wonder whether they have the mandate to tackle certain strategic issues without reference to shareholders or, where their involvement is required, other stakeholders. Are traditional board and governance practices capable of handling a collective response to a challenge such as climate change? Who now needs to be involved and what new mechanisms are required to build the understanding and develop, approve and implement the responses required? The ethical handling of potentially mission critical risks is likely to become a concern of ever more boards.
About the author
Prof. (Dr) Colin Coulson-Thomas, President of the Institute of Management Services, has helped directors in over 40 countries to improve director, board and corporate performance. In addition to directorships he leads the International Governance Initiative of the Order of St Lazarus, is Director-General, IOD India, UK and Europe, chair of United Learning’s Risk and Audit Committee, Chancellor and a Professorial Fellow at the School for the Creative Arts, Honorary Professor at the Aston India Foundation for Applied Research, a Distinguished Professor at the Sri Sharada Institute of Indian Management-Research, Visiting Professor of Direction and Leadership at Lincoln International Business School, and a member of the advisory board of the Aravind Foundation and ACCA’s Governance, Risk and Performance Global Forum.
You may also like:
- Does CSR Make Economic Sense?
- Building Corporate Governance and Sustainability Competency
- Building a Sustainable Digital Literacy Movement in Rural India Through Innovation
- Technology: The Managing Arm of Your CSR
- Pharrell William’s Song ‘A 100 Years’ to Release in 2117
