Op-ed

Professor Elizabeth Sheedy is a risk governance expert at the Macquarie Business School Department of Applied Finance, and the author of Risk Governance: Biases, Blind Spots and Bonuses (Routledge).

With the triple threat of COVID-19, climate change and cyber risk challenging almost every organisation in 2021, effective risk governance has never been more necessary. In my new book, I argue that risk management is something that does not come naturally to most humans due to a range of behavioural biases such as overconfidence, availability bias and short-termism. These biases often prevent executives from taking costly short-term actions that might enhance resilience and lead to better longer-term outcomes. The biases are often compounded by incentives that encourage a short-term perspective. What passes for “long-term remuneration” is often only a three-year vesting period. True executive accountability for bad outcomes is too rare.

Lately, I’ve been reviewing some of the major cyber events of the past few years. Consider the case of Equifax, a US multinational consumer credit reporting agency. On 7 September 2017, the company disclosed that hackers had gained access to its IT systems, compromising the personal records of around 148 million US consumers and an undisclosed number of people elsewhere. The initial entry point was a publicly known vulnerability in the Apache Struts web framework for which a patch had been available for months before the intrusion: precisely the kind of unglamorous, short-term remediation work that the biases described above discourage. To put the scale in perspective, about 44 per cent of the US population was affected by the breach.

The direct costs of the breach were estimated at US$1.35b, including technology and security costs, legal and investigative fees, consumer compensation and fines. But the loss of shareholder wealth is likely to have been at least four times greater — think loss of customers as well as higher insurance premiums, audit fees and cost of debt. Following this severe breach, all stakeholders re-evaluated the effectiveness of risk management at Equifax and demanded a higher risk premium.

Governance reset

What about executive accountability following the cyber attack? After the Equifax attack, the CEO was pushed out, but still managed to extract a significant termination payment. Not surprisingly, this raised questions about the effectiveness of the board in holding executives to account.

Following a major cyber breach, it is common for significant governance changes to be made, and this is exactly what happened at Equifax. Several directors departed and not all were replaced, leaving a smaller board. Interestingly, Heather H Wilson, CEO of CLARA Analytics and a director with a technology background, was added to the board. The roles of chair and CEO were separated and the board started to meet much more regularly. Responsibility for cybersecurity was extended to both the audit committee and the technology committee, having previously rested with the technology committee alone. Cybersecurity expertise became a director skill actively sought by the board, and the firm disclosed for the first time that its directors were undertaking cybersecurity education. Finally, Equifax hired both a chief information security officer and a chief technology officer. Both were among Equifax’s most highly paid executives, indicating the status now attached to those roles.

How tragic it is that risk governance too often comes only after the horse has bolted. How many recent scandals might have been averted with better risk governance? Typically, this means a well-functioning independent board, supported by a risk committee, to approve strategy, risk appetite and risk policies, and to supervise the executive with appropriate challenge and accountability. It requires competent executives in the key oversight roles (risk, compliance, internal audit) who have direct access to the board. Equally important are remuneration systems that promote prudent risk management and sustainable outcomes rather than a short-term orientation.

However, it must be admitted that some organisations with all the trappings of risk governance have not been entirely successful in their risk management endeavours. This can happen when risk governance is adopted merely because it is a regulatory requirement and is treated as a box-ticking exercise. Poor risk culture can undermine policies and structures that look good on paper.

Developing a good risk culture

So how is a sound risk culture achieved? Recent research at Macquarie Business School suggests that implementation of the Banking Executive Accountability Regime (BEAR) is helping to shift the dial. Implementing the BEAR has produced greater clarity for executives regarding their individual accountabilities and greater understanding of what accountability entails. Greater clarity around individual accountabilities has in turn contributed to numerous risk management benefits as senior leaders have positioned themselves for evaluation and possible sanctions. They have demonstrated greater care and diligence, and greater interest in risk management to ensure satisfactory outcomes are achieved in their areas of individual accountability. This is consistent with our hypothesis that enhanced accountability addresses behavioural biases such as overconfidence and availability bias. As senior executives are more diligent in their risk management, their behaviour is emulated by their underlings. Behaviour that is regularly repeated becomes the culture.

While the BEAR has been imposed in banks, there is nothing to stop directors of any organisation adopting the principles underlying it — that is, clear individual accountability for executives with greater use of deferrals and malus clauses. This is something you might want to consider as you review your governance practices over the coming year.