In this first chapter we will:

‘Risk literacy’ is not about reading (or writing) books on risk. Risk literacy is concerned with the adequacy of a manager’s ‘underpinning knowledge’ of risk and uncertainty conceptually, familiarity with suitable risk assessment approaches and an ability to deal appropriately with the risk issues identified.² Brand risk literacy applies this underpinning knowledge to marketing problems and to other brand-related issues that are faced by marketers and nonmarketers alike. It sits alongside strategic insight and financial understanding as the third required competence for people who manage brands.

The United Kingdom Turnbull Report (1999) reviewed and consolidated the various codes of corporate governance that had preceded it, obliging listed companies to consider the effectiveness of their systems of internal control and risk management. Since sudden collapse of public confidence had been the cause of several outright corporate failures, the report recommended that the boards of listed companies should consider reputation as a significant risk in its own right.³

In 2002 the United States legislature also responded urgently to a number of corporate scandals, among them those that had led to the separate collapse of two leading US corporations, Enron and WorldCom.⁴ The resulting Sarbanes-Oxley Act (SOx) of that year established new accountabilities for company officers, accountants and auditors. These supplemented their existing obligations to report on ‘risk factors’ in the annual Form 20-F submissions to the United States Securities and Exchange Commission (SEC), to comment broadly on the company’s systems of internal control and risk management. Companies are now required to undertake risk assessments of critical financial processes and ensure that controls are effective.

By 2003, with ever more visible disparity of wealth between rich and poor in the global economy, the degree of commercial freedom accorded to the managements of large businesses was being questioned. In particular, the social and environmental impacts of large-scale operations were being attacked by activists and single-issue lobby groups. This wider activist concern meant that many firms could now expect to be called to public account for their conduct in pursuit of profit, even though they were abiding by the law. There had been damaging and disruptive media exposés involving famous-name companies in energy, pharmaceuticals, foods and consumer goods.⁵ Leading investors came to realize that a higher quality of earnings might be achieved through ‘sustainable’ business practices. These would consider the longer-term consequences of corporate decisions, not just the opportunities for short-term gain. This conscious balance was especially important to the managers of pension funds and insurance capital, generally amongst the largest institutional investors. These institutions are obliged to take a prudent long-term view, usually investing their funds in the globally active companies with greatest exposure to the new demands and the new uncertainties.

In the United Kingdom, standards and expectations in corporate governance are principally set down through legislation in the Companies Act 2006 and through the requirements applicable to listed companies in the Combined Code. In response both to EU requirements and to pressure from non-governmental organizations favouring fuller disclosure of business impact on the environment and communities, there is now an obligation on all but the smallest of companies to include a narrative Business Review in their directors’ reports to shareholders. This review supplements financial reporting with information intended to help the shareholders judge the extent to which the directors have performed their legally enshrined duty ‘to promote the success of the organisation’.⁶ Whilst United Kingdom legislation is evolving and is almost certain to place the greatest demands on the largest companies, directors’ attention is evidently drawn to risk issues of direct concern to marketers:

Nowadays, ongoing responsibility for the establishment of appropriate risk disciplines throughout the firm often lies with a risk management professional: the risk manager, director of risk management or chief risk officer. In smaller companies and leaner corporate headquarters, the role is frequently taken by the company secretary. Internal auditors, whose function is mandatory under Sarbanes-Oxley in the USA, may also have an important role to play in awareness-raising and coaching. However, the internal auditors’ role in assurance requires that they remain independent of the actual business risk evaluations. Ultimate accountability for effective risk management remains with the directors and officers of the company, commonly through a nominated subcommittee that convenes on a more regular basis than the main board.

A reasonable test for the effectiveness of risk management is whether it appears to support sustainable business growth by promoting a culture of acceptable risk and by improving the quality of decision-making:

Behavioural studies in risk assessment appear to support the hypothesis that an organization engaging in proactive risk management can make worthwhile improvements in both human and financial performance. At its best, the process for risk assessment gives people an opportunity to re-examine the internal and external environment in which the company is operating, to test hitherto unchallenged assumptions and to think constructively about the likely determinants of success and failure, either strategic or operational. The risk assessment process creates a stimulus for reviewing the lessons of the past, contributing to a culture of continuous improvement. The development and rehearsal of business continuity and crisis management plans in simulated incidents not only produces a better organizational response on the fateful day. As an absorbing exercise in teamwork, it highlights the interdependence of different functions and promotes better collaboration between them.

A major focus of corporate governance should be how a company communicates to its employees on risk matters: how it is made clear what is expected of them; how the board defines the scope of their freedom to assume risk on behalf of the firm and when to alert company officers to escalating issues. In this connection, Hillson and Murray-Webster (2005) expressed concern that there was still no natural home in many organizations for understanding and managing the risk attitudes of individuals, teams and entire organizations. In their view, this can often explain why a risk management project fails to deliver on its promises.¹⁰ Consistent with this view, Toft and Reynolds (1997) found analysis of disasters arising from operational failure revealed that their underlying mechanisms invariably had organizational and social dimensions.¹¹ Technical causes were sometimes, but not always, present. This is pe...