Risk in business is inevitable – in fact it is essential. A business which does not take commercial risks will not grow, and a business which does not grow is doomed to decline.
Yet, by and large, people in business, as in life, are risk averse, seeking where possible to follow the path which provides the lowest perceived risk.
That is not to say that business leaders should behave recklessly, taking unnecessary risks with little regard to the consequences. Rather, they should take managed risks, and it is the job of the board to ensure that the risks are managed robustly and rigorously.
Businesses need to identify the risks that they face, think of ways in which they might reduce the impact of each risk on the operation of the business and prioritise their focus onto the risks with the highest likelihood of occurrence and the greatest impact to the business.
Strategic, or enterprise, risks are the overarching risks the business takes when it sets or modifies the direction of travel of the business.
With the advent of the internet, social media and digital marketing, the main risks businesses face are no longer purely financial – business failures are much more likely to occur because of reputational, environmental or security risks.
Boards need to satisfy themselves that the business’s risks are being addressed effectively and that they have the expertise available to identify, mitigate and manage risks which are far more important today than they were two decades ago.
As we have seen, businesses which have gained significant market share by delivering innovative products or services can have their share values decline dramatically through an ill-considered tweet (Elon Musk and Tesla) or misuse of customers’ data (Mark Zuckerberg and Facebook) – reputations which have taken years to make can be lost almost immediately, and many boards are ill-equipped to build the reputational resilience for their businesses to survive in the digital age.
Cyber-security is also now a very real threat to the livelihood of many businesses, and it is not just a technical issue. Boards are investing in new technologies such as blockchain and artificial intelligence to supplement their use of cyber-security consultants, penetration testing and ethical hacking to make their data systems more secure, but unless they also tackle their internal security processes there is still the possibility that a disgruntled employee or sub-contractor will leak sensitive data to competitors or publish it on the internet.
We have also seen the rise of state-sponsored cyber-threats which have further damaged the reputations of companies such as Facebook and Twitter, where fake accounts and targeted advertising have been used to influence voters in recent elections.
In addition to these reputational and security risks, boards are also having to contend with the external risks brought about by volatile financial markets. Brexit in Europe and the threat of US trade wars have led to wide fluctuations in world markets and currency exchange rates, which can have highly significant and often detrimental effects on global supply chains – and even if businesses are not directly affected the associated loss of consumer confidence can have wide-ranging consequences.
My experience, based on working with boards of businesses in many different sectors, is that board members are often unprepared or ill-equipped to deal with these strategic or enterprise risks, and chairs should question the make-up of their boards and the effectiveness of the way those boards deals with risk.
Boards often fear articulating risks in the mistaken belief that somehow this will guarantee that they will happen. The reverse is closer to the truth – failure to recognise risks means that the business is not ready to address them and has not put in place the measures, controls or mitigations to eliminate or minimise the effect of the risks.
Risks are also not always negative, and a business that is on top of its strategic risk governance can turn a risk into an opportunity at the expense of its competitors.
If businesses are to avoid the dramatic failures that we have seen with companies such as Carillion, House of Fraser, Patisserie Valerie and, most recently, Debenhams, then their boards need to invest in the expertise to enable them to identify, understand and manage the key risks that they face in the first half of the 21st century.
First published in Business Reporter Future of Risk Issue
More heat, less steam! 
Good article. My view is that one of the fastest growing areas of risk sits in the supply chain, from health and safety to CSR, especially as you say, Cyber, GDPR and modern slavery. Companies are not “ready” until its too late. Risk management in supply chains is a lever for growth.
I agree Anthony – a prime example is the rapid adoption of “the cloud” as if it is some mythical hyper-secure entity floating above the Earth when in fact it is just someone else’s computer