When discussing how to improve the value contributed by risk management, I typically start by saying ‘where do we start?’. At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. Because risk profile, appetite and tolerance are different in different organisations, risk management presents itself differently. However, there are 4 fundamental pillars:
Like any value-adding activity, risk management requires a process, and that process entails a purpose, inputs, activities and outputs. According to ISO 31000, the activities typically include risk identification, sourcing, assessment, measurement, mitigation and monitoring. The purpose of the process also varies from organisation to organisation: it may be reducing performance variability, preventing incidents, or taking more risk in order to maximise returns.
Traditionally, and particularly in the financial services sector, risk management has focused on protecting the value of the assets recorded on the company’s balance sheet and the related contractual rights and obligations. Typical methods include insurance, tools for managing treasury risks, and mitigation of environmental risks such as health and safety concerns. Whilst these forms of risk management have served a useful purpose in the past, contemporary risk management is put to a higher and better use. The relevance of the risk management process increases when it is integrated with the core management processes that help the organisation achieve its objectives and execute its strategy. The degree of integration again varies, but it typically covers core processes such as strategy formulation, business planning, performance management, capital and funding planning, M&A and project management. Effective integration means risk management is embedded in the rhythm of day-to-day business decisions and contributes to establishing competitive advantage and boosting performance.
Effective risk management requires top-down sponsorship and the consistent application of conducive behaviours. If the reward system is not aligned with shareholder interests, if the board doesn’t question the assumptions and risks behind a strategy, or if risk management is restricted to compliance or after-the-fact firefighting rather than focused on strategic issues, risk management will not be able to have an impact at the crucial moment. A robust risk culture promotes open communication, knowledge sharing, best practice and continuous improvement; more recently, a focus has also been placed on a value-driven commitment to ethical and responsible behaviour.
Now, given the risk management processes, how they are integrated with core business processes and the elements of an organisation’s culture, the focus turns to whether the organisation has what it takes to get the job done – its infrastructure – that is, its policies, procedures, organisational structure, reporting lines, systems and people related to managing risks. If the infrastructure has gaps, such as a missing risk management policy, an unclear risk appetite, unclear roles and responsibilities, or a lack of a risk reporting process or supporting IT systems (GRC), resources must be diverted to address these areas.
Essentially, these 4 elements are the foundation of an effective risk management framework. They should be what senior management and the Board look for when establishing risk oversight, and what a maturity assessment should examine. Ask some of these questions when you think about your company’s risk management practice:
- Do we have a process to identify risks related to our strategy?
- Is our risk management only focused on insurable and financial risks?
- Are our risk management capabilities coordinated across the company, or do they operate in silos?
- Do risks materialise primarily because there is a lack of risk culture or understanding?
- Is risk management restricted due to resourcing limitations?
What are your thoughts, and what have your experiences been in your organisation?