Skip to content

Boards & Risk – improving risk literacy in the boardroom?

September 20, 2017


Executive boards have a responsibility for good governance and responsible stewardship, yet persist in treating risk as a control function, not a decision process. A board is required to take collective responsibility for the organisation’s risk appetite, yet in most board meetings risk is treated as the privileged domain of the Head of Risk, or Chair of the Risk & Audit Committee. Other directors defer to this person as a risk ‘expert’. Consequently risk is confined to imaginable threats to business continuity, a very limited perspective especially as most crises result from unimagined incidents.

Consider two very different unimagined incidents: Ratner jewellery in 1991 and United Airlines in 2017, years apart but with a common theme. In Ratner’s case, a disparaging flippant remark, intended for the financial press, reached the tabloid press where Ratner’s customers took offence and boycotted the brand. In United’s case, an incentive scheme to encourage over-booked passengers to move failed to motivate a customer, who as a result was removed by airport security. In each case the consequences were never imagined because the situations were not itemised on any risk register.

In the past 30 years almost every reputational crisis of note was caused by an incident that had not been foreseen or imagined. This is not a fault of risk management itself, but of how myopic boards have become in their perception of risk. Risk is future uncertainty, good and bad, opportunity and threat. Risk has become a discrete function rather than a vision of future outcomes and bedfellow to Strategy. The same happened to Corporate Responsibility in the recent past: a collective responsibility was identified, attributed to an owner, who became the expert at the board table. What is it in the psychology of boards where authority is sought but collective responsibility is shunned?

The answer to why so many scandals and crises still occur decades after risk became a hot boardroom topic is because boards are looking at risk the wrong way. It also explains why so many communicate it ineffectively. To investors and sponsors risk is presented as a commercial opportunity, the precursor of reward; but to regulators and customers it is presented as something under firm control, a threat that has been confidently mitigated. The language of risk is muddled and so boards need to develop collective risk literacy. This is necessary to articulate not only the board’s shared appreciation of risk, but also its powerlessness to offer certainty about the future.

What is the best way to develop risk literacy? The first step is to shake off the fear of uncertainty and this might seem unnatural. Boards feel they are expected to deliver certainty to investors, customers and a variety of other stakeholders in order to retain their mandate to operate and instil confidence. Nevertheless certainty about the future is a dangerous place and it has been said there are only two types of forecast – lucky and wrong! Admitting uncertainty is not a sign of weakness or incompetence, provided of course it is qualified. Effective risk literacy requires an appreciation of the different degrees off uncertainty, from known-knowns to unknown-unknowns and all the intervening stages.

Improved risk literacy among boards will reduce the risk of performance getting significantly out of line with promise. In the case of Ratner and United a gap opened up between what investors & customers expected and what proved to be reality. This is the gap into which reputation falls. In Ratner’s case customers learnt that he believed his products were ‘crap’ and by implication they were gullible. In United’s case customers believed the airline ‘flew the friendly skies’ but video footage of a customer being beaten up quickly disabused them of this notion. In both cases discovering reality was a complete shock: in 1991 through mainstream press and in 2017 by social media. It is ‘dissonance shock’ that damages reputation: trust flees with value not far behind. Reputation is how you behave.

A higher level of risk literacy in boards would also help to address the dissonance when different parts of an organisation exhibit different approaches to risk. This is most common in the public sector but can also be found in the private sector. Public services like schools and hospitals tend to have a risk-averse culture, implicit in the nature of their duty of care. An imposed management level tasked with cost cutting or revenue generation imposes a higher appetite for risk than the operational culture because it will be looking for commercial gain. The clash of risk culture between management and operations can be recognised and tackled with higher levels of risk literacy in the boardroom.

The amount of risk literacy in a board will depend on the industry sector and the extent to which risk is or is not an intrinsic part of the operational environment. Most organisations already know whether they have a risk seeking or risk avoiding culture, the challenge is to ensure the board has the right balance of viewpoints to equip the enterprise for the future operating environment. The statutory requirement to report on risk appetite is a good start, and most professional organisations accept that appetite will vary according to a variety of internal and external factors so report it accordingly. There does however need to be greater attention to strategic as opposed to operational risk by the board.

Strategic risks should be discussed by the board but are often unseen or unspoken, either by accident or design. Unseen risks include those which cannot be attributed such a reputation, and those which are simply too complex or political. Some risks are unseen because they are so obvious they have become invisible such as culture itself. Unspoken risks include those which powerful members of the board do not want discussed or which for legal reasons cannot be openly discussed. Some unspoken risks remain unvoiced because to do so would question the ethics of the organisation. Nevertheless both unseen and unspoken risks fall to the category of strategic risk which the board should discuss.

In conclusion, boards could improve risk literacy through taking collective responsibility for decisions about the organisation’s future direction (strategy) in tandem with uncertainties relating to this (risk). Perception of risk as threat or opportunity will vary among individual board members in accordance with their personalities, disposition, outlook and experience but collectively it needs to be corralled into a consensus view in terms of both perception and attitude for the organisation as a whole. This will probably require a CEO or Company Secretary to pull together the consolidated opinion of both executive and non-executive board members, but in the long run the organisation will be in a healthier place and earn greater respect from investors, customers and other stakeholder sources of income.

Written by Garry Honey, Chiron Reputation Risk CEO, Better Boards and SAMI Associate. Longer version first published on September 2017 at Board Agenda.

The views expressed are those of the author and not necessarily of SAMI Consulting.

If you enjoyed this blog from SAMI Consulting, the home of scenario planning, please sign up for our monthly newsletter at and/or browse our website at


No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: