Blog : BOARD TALK
Posted on February 4, 2013 at 6:10 PM
Is anyone else surprised by the fact that 'risk' committees are still scarce on the ground in most European boardrooms? A report quoted here earlier on 'Non Executive directors in Europe' by management consultancy Hay Group says "the prevalence of a committee covering risk (as opposed to nomination, remcom or audit) is much lower across Europe at 19% overall."
Well, I'm not surprised, I'm shocked. The greatest clustering of risk committees is in the UK, Switzerland and Germany, because "risk committees tend to be more prevalent in industries which have inherent risk built into the business model, such as financial services and pharmaceuticals" says the report.
I won't beat up on the Hay Group because this is an excellent report, with a lot of valuable food for thought. But I would say that "inherent risk" now exists for any business that uses IT, with cyber-security rushing up to the very front of the queue on risk management. So leaving 'risk' as a headache for the audit committee makes no sense at all.
I haven't asked them, but I would say KPMG agree - their recently published Audit Committee Institute survey (of some 1,800 audit committee members in 21 countries) says nearly half (45%) of respondents globally said their company’s risk management programme requires “substantial work” (39% of UK respondents). You can download the survey here. And they aren't the only ones to be concerned - there has been a lot about cyber-security in media coverage, and the UK government is not the only nation's leadership to be concerned. Here's the White House on the subject.
It goes on: "The quality of information that audit committees receive about critical risks facing the company continues to pose concerns – particularly cyber security where only a fifth of UK respondents are completely satisfied with the quality of information they receive (my emphasis) – while only just over a third of UK audit committee members are fully satisfied that their company’s risk management process is dynamic enough to cope with a rapidly changing environment including new technology and social media risks."
Re the KPMG finding from audit committees on boards, I have to say I wonder if those one-third of members that are "fully satisfied" have progressed beyond letting their secretaries handle their e-mail.
Cyber-security is surely the point at which technological change collides with generational stagnation. I'm not suggesting older people are not fully capable of grasping the intricacies of IT (dare I say it, this is a DIY website and you know what they say about people in glass houses) but let's face it, the world is changing very, very fast.
Tablets are taking over, but even 18-24 months ago it was clear that Apple, with the iPad, was stealing the march into boardrooms (search the blog which had one of the earliest reports on that trend). So older people can adapt to changes in technology, but that is not the same as being IT savvy enough to be good on the security issues and any potential impact on strategic business choices.
The lowest average age of a non-executive director in the European countries covered by the Hay report is currently 57. How much exposure are they going to have had to rapidly developing IT? Maybe more if they hail from certain emerging markets, but that's another issue.
Let's ramp up the 'risk' fear here - and this is a financial services example (so you could say, already factored in). I quote from the FT story, with the pithy headline: 'Bridgewater deal is tip of risk iceberg'.
"Bridgewater, the world’s largest hedge fund manager, surprised the investment world last month when it hired a second administrator, Northern Trust, to duplicate and back up the work of its existing provider BNY Mellon across its portfolios."
An expensive move. Why? Because it needs total security, which includes the assessment of its operational exposure.
Financial Services and Pharmaceuticals, eh? What about mining, oil and gas, support services, healthcare... I could go on, but I'm sure you get the picture.