When Boards Miss the Warning Signs: Elevating Operational Risk Oversight

Published on Jan 30, 2025

While board oversight has evolved beyond its traditional scope of value creation to include operational risk, a consequential component of a company’s profitability and reputation, the fact is that there is still a long way to go.

Healthy corporate governance and robust risk management go hand in hand. Integrated Internal Controls and Risk Management programmes – often designed in line with the “Three-Lines Model” principles – have been commonly adopted by leading industrial organisations as a means to embed strong risk governance and management mechanisms.1

Figure 1: Institute of Internal Auditors Three Lines Model (formerly known as Three Lines of Defense Model)

© 2020 Institute of Internal Auditors

An escalating priority

Major shocks and disruptions to operations and supply chains caused by accidents and external events – including pandemics, extreme weather events, cyber attacks and critical asset failures – have raised the criticality of operational risk exposure within the broader risk portfolio, demanding a higher level of board of directors’ oversight.

Evolving stakeholder expectations are putting additional pressure on the board of directors’ oversight role. Investors are becoming less willing to invest in businesses that do not show a strong grip on such exposure. In fact, companies with poor track records of ESG performance and past ESG incidents sacrifice long-term value for short-term savings.2 Investors expect that companies not only create value for the company, but also protect its value.

Our own analysis of 12 major incidents in four countries and in four different industry sectors found a significant drop in the companies’ value in the months following a major safety-related incident (Figure 2). In addition to immediate losses, such events typically result in a drop-off in confidence across stakeholders, potentially eroding companies’ stock price and brand equity and impacting recruitment, employee morale and retention and overall corporate image.

Figure 2: Impact of major process safety incidents on share value

While we have seen an increase in requests by boards for greater visibility on risk exposure following catastrophic accidents such as the BP Texas City refinery explosion (2005), the Deepwater Horizon (Macondo) well blowout (2010) and the Brumadinho tailings dam failure (2019), we see that board members and executives of industrial organisations are becoming increasingly uncomfortable about the level of visibility and adequacy of their operational risk management programmes, even for well-identified risks that are inherent to the core business.

Dynamic factors such as M&A, portfolio restructuring, large capital projects, energy transition and workforce changes are constantly shaping risk profiles, with new operational risks emerging and existing ones changing in magnitude.

Emerging operational risks

Operational risks have long existed across a variety of sectors. Today, trending internal and external factors are driving new levels of risk in emerging areas.

1. Climate physical risk

Severe disruptions to a number of mining operations in locations such as Brazil, Peru, South Africa, China and Australia as a result of increasing climate risks (e.g. extreme rainfall/flooding or drought) are affecting production of critical minerals and are forecast to worsen in the next decade.

2. Battery fires

The exponential growth and use of electrical and electronic waste has resulted in a surge in fires associated with lithium-ion (Li-ion) batteries. A study from the National Waste and Recycling Association and Resource Recycling Systems found that the rate of catastrophic losses associated with Li-ion battery fires has risen by 41% over the last five years.3

3. Cybersecurity

Cybersecurity risk has been on the rise, with extreme direct losses as large as $2.5 billion impacting firms.4

In this context, how much time are boards of directors discussing operational risk and changing risk profiles? And do they have the right information and data to do so?

Operational risk oversight: Real-world challenges

We have distilled four key challenges that boards of directors must overcome with respect to operational risk oversight.

Challenge #1: Limited visibility of operational risk at the board level

Unlike financial and market risks (e.g. credit, currency, interest rates, etc.) for which companies typically have centralised control and monitoring structures, there is often inadequate visibility at the board level when it comes to operational risk profile and exposure.

In fact, for many operational risks (e.g. catastrophic accidents, critical asset failures, supply chain disruptions, extreme weather events) companies often have a highly fragmented and decentralised governance model and varied assessment methodologies, making it complicated and inefficient to raise visibility of the risk profile to the board level.

Challenge #2: Impact of operational risks is not clearly articulated

Operational risks can result in losses across multiple and interconnected dimensions – from people (e.g. site and community injuries) to environmental (e.g. damage to ecosystems), to business interruption (e.g. production loss, interruption of critical services), to asset damage (e.g. severe damage to critical operational assets) – all of which can result in both financial and reputational damage in the short and long term.

While financial risks are typically measured through long-held, standard, commonly accepted methodologies, the measurement of operational risk exposure in industrial organisations is less mature and entails a mix of metrics, often resulting in ineffective communication.

A case in point can be found in the mining industry. Mining companies are inherently exposed to catastrophic incidents in their operations – fall of ground, pit inundation, tailings dam failure, underground methane explosions, uncontrolled detonation – all of which have the potential for severe business, operational, HSE and reputational impact. Many of these risks are communicated to boards in a simplistic manner under the broad HSE risk category, or aggregated with other occupational safety risks that carry a very different risk profile. As a result, boards receive a skewed perception of the actual business risk exposure.

Challenge #3: Board’s lack of confidence in operational risk assurance processes

Even when boards receive information on operational risk, we often hear directors express a lack of confidence that risk exposure is being properly managed. This skepticism of the effectiveness of risk governance and assurance processes is problematic.

To illustrate the point, take the case of a global food manufacturer, with multiple business units and sites across geographies, where food safety is a top operational risk across its entire supply chain. While most food companies have Food Safety & Quality Assurance teams, a broader range of functions at group and business unit levels (e.g. Regulatory, Technical, Engineering, Procurement, Packaging) plays a critical Second-line role in defining key standards and carrying out verification and monitoring activities as input to the assurance process. In line with the Three Lines Model principles, such players might even perform both Second- and First-line activities, making the picture very blurred. Predictably, in this complex setup, assurance activities are often fragmented across multiple assurance providers and not integrated into coherent communication with consistent data.

Other challenges may exist beyond the Second line. Internal Audit, which acts as the Third line, may not have sufficient technical understanding of the risks at hand and so is unable to provide value-added, independent assurance.

These factors jeopardise the robustness and credibility of the assurance processes, which results in boards struggling to meet their risk oversight mandate effectively and leaves them with a sense of discomfort and uncertainty.


Challenge #4: Inadequate expertise and metrics

As we have noted, board oversight typically focuses on traditional areas of growth and profitability, with an emphasis on financial, market and legal matters. As such, boards are usually comprised of individuals whose professional acumen reflects those business priorities. However, the rise of ESG is catalysing a progressive expansion of board-level expertise, with the aim of ensuring that newly constituted boards can better navigate an increasingly complex risk landscape.

A lack of expertise in operational risk can make some board members reluctant to stray from their base of knowledge. Compounding the problem is the absence of appropriate KPIs at the board level, which can result in a false sense of security at the board oversight level.

Not coincidentally, investigations of nearly every major accident that has occurred in high hazard industries – mining, metals, chemicals, energy – have consistently identified inadequate risk governance and oversight from senior management and the board as a root cause. The reliance on inadequate, lagging metrics also has played a conspicuous role.

How to Move Forward

Addressing the four challenges requires a top-to-bottom commitment toward creating a strong operational risk culture across the organisation as well as a common language that engenders a transparent and constructive dialogue.

Such a comprehensive commitment is easier said than done. The “first wave” of Enterprise Risk Management programmes has not delivered the intended value, often resulting in cumbersome risk governance structures and static reporting processes.

What is needed moving forward is a focus on how the Three Lines Model can be implemented effectively within organisations, striking the right balance between performance, speed/agility and control. The result will make a significant difference in terms of value preservation and creation.

Recommendations: Activating the Board


Recommendation #1: Elevate operational risk to the same level as financial and legal risks

Just as financial and legal issues appear regularly on board agendas, so too should operational risks.

Boards of directors need to actively raise the bar, demanding the appropriate level of detail to fully understand the nature, origin and magnitude of operational risks. Boards should request regular, detailed updates about the evolving exposure to operational risk and the adequacy of risk-mitigation plans and investments. They must work with management to ensure direct and transparent access to information, including a clear, quantitative understanding of the impact of existing and emerging risks.

Top-down risk assessments – often facilitated by Enterprise Risk Management or other group-level risk functions – are not enough to profile the operational risk across the business. As such, it is critical to strengthen the assessment of operational risk at the First-line level (i.e. a bottom-up approach) in order to provide a solid basis for risk profiling. At the same time, it is of paramount importance to translate the technical nature of operational risks into a business exposure that can be adequately understood at the board level.


Recommendation #2: Drive a step change in the assurance processes

Boards should work with senior leadership to implement more effective and efficient assurance processes for operational risk exposure.

Assurance must be streamlined and integrated: bridging organisational silos across assurance players, aligning the objectives and scope of assurance activities, and integrating risk data and reporting flows to enable effective board oversight. This will result in available resources being used in a synergistic and value-added manner while removing complexity and administrative burdens.

Beware of recurring pitfalls, however. With the intent of driving simplicity, many companies still consider HSE departments as the main and only Second-line assurance provider for both “occupational safety” and “process safety/catastrophic” risks, failing to recognise the vast difference in the key controls and management systems that each of those cases requires. Importantly, boards must be made aware of the potential drawbacks of oversimplification.

To achieve the above, boards should insist on regular reviews of the adequacy and effectiveness of the Three Lines Model architecture. Internal Audit can also play a critical role in fostering a progressive evolution by considering dynamic factors and the evolving maturity of the business.

Recommendation #3: Enable management to create a risk-aware and prevention culture

While operational risks are inherent to a business and cannot be eliminated, much can be done to reduce complacency. A critical element in doing so is committing to a strong risk culture across the organisation, first by employing a common language that enables constructive dialogue around risk exposure. This common denominator is especially important in early stages of organisational maturity when formal risk reporting processes and data are yet untrusted. How these “guardrails” are actually used in decision making is key, and boards must exercise active oversight through an inquisitive mindset – digging deeper, challenging assumptions, demanding data and encouraging open and transparent communication – all before adverse events materialise. The absence of these constructive discussions on operational risk reduces oversight to a superficial level and creates a false sense of security.

A more accurate barometer can be achieved through effective assurance processes that raise visibility of the right set of metrics – numbers that provide an insightful window into the desired behaviours and risk-management processes.

Finally, there must be a commitment to forging greater collaboration between the board and senior management. Working hand in hand, the board and management can role model “felt leadership” by fostering an interdependent culture throughout the organisation.

Create and protect value

Boards of directors often struggle to fulfil their fiduciary responsibility when it comes to oversight of operational risk and are “caught by surprise” when material losses are incurred from unexpected events. The level of visibility and insights offered to top leadership and boards is too often inconsistent and inadequate, and as a result, stakeholders are left with blind spots on critical risk exposure. Compounding the issue is the fact that Internal Audit – the Third-line backstop – often lacks the competencies and information to be able to adequately review and assess the operational risk exposure and the adequacy of the risk management programmes in place.

Risk is ever-present, and so there must be a commitment to addressing it from the top down and the bottom up. Boards of directors must take a proactive stance in listening, learning and leading the companies they serve to create and protect value. While conversations around operational risk may be uncomfortable, it is incumbent on boards to ask the right questions, probe into issues and get adequate assurance that risks are being well controlled. By forming a trusted partnership with boards of directors, senior management can tap into the board’s collective experience to better address operational risk management and help surface real and potentially dangerous vulnerabilities.

Authors

Davide Vassallo
Chief Executive Officer, dss+
Davide leads a global operations management consulting business that transforms workplaces and work cultures to deliver sustained improvements in safety, productivity and capability. Since joining dss+ in 2010, Davide has focused on helping corporations manage operational risk, achieve operational excellence and improve performance while reducing their environmental footprints. He brings experience across industries from oil and gas to transportation, telecommunications and manufacturing.

Marco Pagnini
Managing Director, EMEA
Marco helps organisations integrate risk management into decision-making processes at strategic and operational levels. He has led large-scale programmes to reduce risk and improve business performance and organisational effectiveness.

Helder Santos
Global Industry Director
Helder brings over 20 years of experience in value creation. He has worked with and supported executive and management teams globally across a broad range of industries, such as Chemicals, Oil & Gas, Food & Beverage, Mining & Metals, Agri-Business and Manufacturing.