Globally, increasing levels of corporate governance legislation are forcing companies to develop enterprise risk frameworks. But behavioural issues can affect the way in which boards respond to the regulatory environment, as Graham Woolford explains.
South African companies are faced with many complex issues when founding an enterprise risk management (ERM) framework. Specific challenges include relatively high real interest rates, volatile exchange rates, low levels of economic growth, political uncertainty, inflexible labour legislation, creeping corruption, threats of nationalisation, and high unemployment and crime rates.
From a regulatory standpoint, both the King III report on corporate governance ('comply or explain' vs the Sarbanes-Oxley Act 2002 'comply or else') and broad-based black economic empowerment (BBBEE) affect risk management for South African companies. The former is a compulsory though relatively flexible corporate governance framework, which prescribes specific guidelines. The latter is designed to redress the political and social iniquities of the past by requiring companies to engage in a range of imposed measures to broaden the participation of previously disenfranchised racial groups in the economy.
Despite the well-intended regulations, the effects of these in terms of cost, risks and benefits are unclear, partly because the risk management culture is still in its infancy, particularly in the non-financial sector. Boards themselves, as cognitive entities made up of individuals, surprisingly exhibit strong behavioural biases. Companies and regulators should therefore be aware of risk behaviour when dealing with risk management decisions. The following examples highlight some specific behavioural issues facing South African boards.
For many companies, the presence of a strong individual on the board, notably the chief executive, often mutes other voices and opinions. Unless there are equally strong and knowledgeable non-executive directors present, decisions may follow the views of the chief executive or other dominant factions. By contrast, a strong diversified board may arrive at watered-down, sub-optimal decisions.
The trend towards appointing more non-executive directors - often politically expedient appointments and not intimately familiar with the company - may present longer-term risks. Non-executive directors should have extensive industry experience.
On the boards of most companies, there are few 'cognitive champions' with the experience, knowledge and intellect to really understand the panoply of risks facing the organisation. These board members tend to be those who have executive and operational responsibilities, or who have worked in the industry for a considerable period. In spite of this, in non-financial South African companies, formal risk assessment processes are often relegated to managers ill-equipped to appreciate the overall economic, political and commercial risks facing the company.
Many companies blindly follow the prescriptive processes of risk scorecards and matrices laid out in the corporate governance framework, mainly at the behest of their auditors. There appears to be insufficient time and effort devoted to really understanding the frequency and financial impact of the various risks facing the business. Even less time is spent in trying to come to terms with more sophisticated risk management techniques, such as the degree of dependency between risks. Even if time is spent on this, the answers are, at most, educated guesses, without any scientific basis, and are highly unlikely to find their way into any form of risk mitigation programme. Lack of understanding of risk management is a major problem in small to medium-sized South African companies.
A behavioural bias referred to as 'source dependence' has been identified, whereby boards will tend to react to risks according to their source and irrespective of their impact. Thus high-impact risks from one source may be taken less seriously than low-impact risks from a different source. This may be partly attributed to familiarity with the risk source. For example, boards may be more comfortable discussing financial risks than, say, technological risks with which they would be less familiar but which could have more serious consequences. The demise of Polaroid is a case study of note.
Even a modest risk management framework introduces a form of moral hazard, as companies may believe that a slavish devotion to prescription and the mechanical recording of observable elements of risk provide protection. There is a risk of over-prescribing risk management processes, which may also not be appropriate for every company.
There is evidence that some companies are prone to 'reality drift', a phenomenon whereby leaders gradually lose touch with key aspects of the business through a combination of cognitive bias and an inaccurate or inadequate flow of information up and down the chains of command. This risk seems to increase with the size of the organisation and may contribute to the discussion of why many leaders of highly regulated companies continue to make errors of judgment and overlook areas of major risk to the business. Faced with highly complex problems, they may also resort to altering their perception of reality in order to develop responses to risks that are perceived to be soluble with greater certainty and confidence.
What you don't know
A risk framework is based on the identification of fundamental elements of risk. At any one time, there may be storm clouds gathering that are not yet within the board's field of vision. A risk management framework, no matter how sophisticated, can't deal with unknown risks.
Adherence to corporate governance implies increased legitimacy with regulators and stakeholders, and consequently less institutional pressure. But, at the same time, this requires management commitment, with obvious cost implications.
Further, companies are constrained by corporate governance obligations that carry the force of law. As 'agents' of the stakeholders of the company, it can be assumed that companies ought to adopt risk-averse strategies. However, some boards will want their managers to assume a more risk-tolerant approach, which often leads to increased complexity.
Advisory role of actuaries
Risk culture and behaviour clearly affect the overall ERM framework, and each country has its own set of challenges and regulatory framework, which affects how boards respond to their corporate governance requirements. Globally, there is a great deal of convergence relating to ERM practices. However, as already stated, blind adherence to mechanical processes to manage risk in line with regulatory prescription is a risk in itself.
Large companies in particular ought to focus on the reliability and sufficiency of data flowing through the organisation, so that risk managers have accurate data to work with. The failure of many large companies can be attributed to the board being remote from reality at the coalface.
Actuaries need to emphasise that, while regulators require companies to focus on capital adequacy as opposed to risk appetite, ERM should attempt to integrate the effects of multiple elements of risk and study them as systems of risk rather than as independent elements of risk. And, once again, senior executive members of the board must be directly responsible for and involved in this process.
Dr Graham Woolford MSc, DBA, FASSA, FIA is the chairman of Unihealth, a pan-African provider of employee benefits and health insurance