“There is clearly an intense focus on risk today. While risk management has been on the radar — if not a priority — for most companies and boards over the past several years, many are asking whether our current system of corporate governance and strategic decision-making ensures adequate risk assessment and management.”
— National Association of Corporate Directors (NACD)
Blue Ribbon Commission on Risk Governance
The statement above echoes a familiar refrain that we regularly hear today from companies, regulators, investors and the business press. Yet what is surprising is that it was written eight years ago in 2009. Back then, the world was much simpler. Our concept of terrorism involved airline hijackings and shoe bombers, instead of today’s “lone wolf” attackers and ISIS cells. The Y2K threat had passed without a glitch while ransomware was still far into the future. Al Gore’s An Inconvenient Truth had been released 3 years prior and the world was just beginning to wake up to the threat of fossil fuel emissions. Clearly, since then, the risks that we face as businesses (and society as a whole) have multiplied in terms of type, scale, and complexity.
Professor EP Vermeulen of the University of Tilburg has pointed out that the average life-span of an S&P 500 company has dropped from about 60 years in the 1960s to about 20 years today. No doubt, one of the major contributors to this decline has been companies’ inability to cope with emergent risks.
Philippine companies have, for the most part, kept pace with and addressed these growing threats. The 2016 Corporate Governance Survey of publicly listed companies (PLCs) jointly produced by the Good Governance Advocates and Practitioners of the Philippines and Isla Lipana & Co/PwC Philippines, highlighted these accomplishments:
• at least one board member is proficient in the risk management discipline while training in risk management is a top development priority for directors
• 78% of respondents (or 40 PLCs) have adopted and implemented an Enterprise Risk Management (ERM) framework
• 76% of respondents have created a Board Risk Oversight Committee and of these, 82% have independent directors as their chairmen.
Yet the glass is only half-full.
The survey notes that only 41% of respondents consider the display of appropriate risk-taking behavior as a key determinant in director remuneration. Furthermore, when you consider that one-third of survey respondents come from the banking and financial services industries where they are required by regulators to have a separate risk committee with an independent director as chairman, it seems that the remaining nonfinancial companies still have a lot to do. The results also highlight the absence of an ERM framework for 22% of respondents. Considering that all respondents account for 29% of stock market capitalization, it is worrying in the least that some very large firms out there lack a proper framework for addressing risk. And even if these firms have an ERM framework, there remains much to be done in terms of communicating the existence of such frameworks to stakeholders: the survey says that most of the respondents only disclose material risk exposures in required reports to regulators while only two-thirds of them voluntarily use their Web sites to share this information.
The survey ends its discussion on risk with these words: “While a significant fraction of companies have risk management systems in place, the main challenge relevant to this covers the robustness of such systems, and the quality and degree of implementation that influences the Board’s and management’s ability to manage known and emerging risks.”
Clearly, we need to ensure that we are going beyond mere compliance to actually identifying and mitigating the risks that businesses face.
I propose that we need to look at risk in a new way, given the challenges of the 21st century environment. We need to put risks and their management front and center as part of our day-to-day operations. We should always be on the look-out to not only mitigate but even find opportunity to the extent that we are better able to manage and absorb them than others. Remember that risk and reward are two sides of the same coin. If we can do this, we have a better chance of ensuring our company’s short-term profitability and long-term sustainability. This is the ultimate objective of corporate governance.
The first step in competing against risk is to know your enemy.
In this regard, four major business organizations, namely the Financial Executives Institute of the Philippines (FINEX), the Institute of Corporate Directors (ICD), the Institute of Internal Auditors Philippines (IIAP) and the Management Association of the Philippines (M.A.P.) are organizing the 2017 Corporate Governance Conference with the theme of “Competing Against Risk” that will be held on Sept. 26th at the Dusit Thani Hotel in Makati City. For further details, please go to www.icdcenter.org. The whole-day conference features distinguished experts in various types of risks that businesses face today as well as representatives of companies that will share their best practices for dealing with and finding opportunity in these risks.
Specific competitors may come and go but, like death and taxes, our businesses will always face risks. It’s time to give them the proper respect and attention rather than just complying with regulators’ requirements.
Ricardo Nicanor “Ricky” N. Jacinto is a member of the M.A.P. Corporate Governance Committee and the CEO of the ICD.