Author

Steve Giles is a consultant and lecturer in governance, risk and compliance

CPD: 1 unit

Studying this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD, and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD.

When Russia invaded Ukraine in February 2022, companies with close ties to Russia were unprepared. Many executives still view the action as a black swan (a wholly unpredictable event with potentially severe consequences). For others, given President Putin’s track record, it is more of a grey rhino event (an obvious danger that is ignored). Whatever the classification, the war in Ukraine is a highly significant geopolitical risk whose future path is unpredictable.

For directors of UK businesses, the war exacerbates existing and fast-evolving challenges. They must navigate a confluence of key operational issues: disruption from the lingering effects of Covid-19 and Brexit, rapidly rising inflation driving up costs, shortages of workers, unpredictable supply chains, and tax and interest rate increases.

Strategically, businesses now face the prospect of lower growth and more uncertain market conditions, leading to a possible collapse in confidence and a higher risk of recession.

Risk shift

The result is a fundamental alteration of the risk landscape. Directors need to respond quickly in the face of reduced profitability and a liquidity crisis – insolvencies are already high. Directors should review their risk strategy, risk assessment and mitigation, and adapt their processes as needed to provide greater assurance of resiliency.

There are various risk management models available, including the ‘three lines of defence’ model, COSO’s Enterprise Risk Management and ISO 31000. However, directors’ primary concern is with risk governance, and here the best practice framework is provided by the UK corporate governance code – see the panel for the relevant principle and provisions.

The board of directors has ultimate responsibility for managing risk, and the UK code identifies two essential aspects of director focus. The first is the traditional requirement of board oversight of the systems of risk management and internal control.

The second is the more recent requirement for directors themselves to assess the principal risks – those ‘events or circumstances that might threaten the company’s business model, future performance, solvency or liquidity and reputation’.

Risk responses

Set out below are five actions that boards should be taking as they seek to pilot their businesses successfully across the new risk landscape.

Adjust meeting agendas
In volatile conditions directors and senior managers need to spend more time discussing risk. Agendas should be adjusted accordingly – whether for meetings of the board, board committees (audit and/or risk committees) or of the senior management team. It is crucial that the board allocates sufficient time for a robust assessment of the principal risks facing the business.

Recalibrate risk appetite
The board should revisit the corporate risk appetite statement, setting out the amount and type of risk the business is willing to accept in pursuit of its objectives. Directors may decide to be more cautious in current conditions. For example, they could tighten the business’s investment criteria by increasing the hurdle rate for expected returns before any project is approved.

Those businesses operating in, or that have links with, Russia require significant adjustments to reflect the increased political, reputation and third-party risk following the invasion of Ukraine. As a minimum, compliance with financial sanctions obligations is essential. The board should ensure that all changes to the corporate risk appetite are clearly articulated and communicated.

Identify fast-emerging risks
Velocity is the third dimension of modern risk management (traditional impact and probability measures are the other two). In a volatile world, directors need assurance that their business can identify fast-emerging risks and then escalate them quickly to senior managers and the board.

Data analytics, artificial intelligence and other emerging technologies can help here. So too can promoting a risk-aware culture. In addition, risk registers should be amended to include information on the speed and direction of travel of each principal risk.

Focus on scenario analysis and contingency planning
Scenario analysis is crucial for sound decision-making in times of uncertainty. Directors should reassess their models, considering an appropriate range of extreme scenarios and incorporating the possibility of risks such as inflation and supply chain disruption combining to increase the threat significantly.

Managing the Brexit and Covid-19 impacts has shown the importance of contingency planning. Directors should ensure that response plans for high-impact threats such as cyber-attacks involving malware and ransomware are periodically tested and reviewed by the board.

Focus on improving resilience
Both Covid-19 and the war in Ukraine have highlighted the fragility of global supply chains and the consequent vulnerability of strategies based on just-in-time stock replenishment. In these circumstances, directors should be prepared to respond by taking measures that prioritise resilience, even at the expense of efficiency.

Resilience measures include building up higher stock levels, introducing the dual sourcing of supplies, and moving to shorter and more localised supply chains.

Risk management code

Section 4 (audit, risk and internal control) of the UK corporate governance code sets out boards’ risk responsibilities as follows:

  • The board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives. (Principle O)
  • The board should carry out a robust assessment of the company’s emerging and principal risks. (Provision 28)
  • The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. (Provision 29)