Risk management is not a new concept, yet this year the economy has witnessed some of the worst corporate scandals and losses in history. Adverse economic conditions may be partially held to blame, but many affected organisations suffer from the deeper problem of having a culture incapable of confronting irresponsible behaviour and effectively managing risk.
An organisation will only manage risk correctly if its members want to, and if the management process is effective. Unfortunately, the concept of risk management is apt to carry a negative connotation. Some individuals feel that responsibly managing risk can be a risk in itself. In fact, very few see any major incentive to manage organisational risk correctly. They perceive that the very behaviour required to effectively manage risk itself entails significant personal risk.
For example, a back office trade processor will hesitate to blow the whistle on a fraudulent senior trader for fear of losing his job. Likewise, a middle manager will hesitate to highlight a superior's suspect deal making due to the risk of being made redundant or demoted.
In many cases, risk management is about asking questions which challenge management and decision-making. It is about quality control. It becomes very difficult to manage risk if no-one is prepared to take a risk themselves. The individual initiative is critical. But without a supportive culture and operating environment, the risk management process can be difficult to facilitate in isolation.
Corporate acceptance
To operate a positive risk management culture successfully, the organisation needs to achieve agreement from the majority of its employees. In order to get this, it needs to communicate the benefits of good risk management extensively. It needs to reverse the negative perception of risk management.
If an organisation suffers financial loss as a result of poor risk management, the consequence will affect all employees and related parties. However, the concept that risk management affects everyone - employees, shareholders, suppliers, and customers - is poorly understood. Similarly, while initiatives and regulations, such as the Turnbull guidelines, try to emphasise the importance of risk management and the development of positive risk cultures, the benefit of such initiatives is poorly communicated. Active risk management is everyone's responsibility.
It is often difficult to prove the cost benefit of developing good risk management processes in the short and medium term. The biggest benefits are usually difficult to quantify, such as continued viability, maintenance of shareholder value and reduction in losses, operating costs and insurance premiums.
The promotion of positive risk management can be developed in several ways. Risk awareness workshops, risk management training and mentoring, internal advertising and risk reporting reward schemes are just a few of the methods used. The encouragement of whistle blowing and the creation of anonymous reporting methods are also highly effective in encouraging risk identification.
The development of an internal risk communication strategy and training and mentoring programme is essential to successful and continued positive and effective enterprise-wide risk management. It can be a complex task. Before any work can be done, a risk analysis and management process needs to be established.
Developing a framework
The key to achieving successful risk management is to keep it simple. The majority of organisations perceive risk management as being technically detailed and difficult to implement. In most cases, there is a direct relationship between the level of complexity and the effectiveness of a risk management framework or process. As soon as the process becomes too complex, the level of effectiveness is reduced. The more processes that are involved in the overall structure, the more opportunity there is for error. The biggest failings of risk management processes are not that risks are unidentified, but that they are not communicated to the right people early enough to allow a mitigating strategy to be put in place. All too often, too little is done too late.
The risk management strategy and framework need to become the backbone of an organisation's structure. The framework should be simple, effective and touch every business unit in the organisation. Most importantly, the communication channels for reporting risks should be easily accessible to everyone.
Most medium to large organisations have some form of risk management process in place. However, nine out of ten of these organisations operate their risk management practice in a 'silo' or departmentalised fashion. Managing risk this way produces gaps and overlaps in the identification process, and creates fragmented risk reporting and communication. These gaps and overlaps often hide some of the most severe risks.
In order to reduce the likelihood of gaps and overlaps appearing in a risk management process, all the identified risks and their related mitigating procedures need to be allocated to individual owners. These risk owners need to understand and agree the risks and management responsibilities allocated to them.
Before agreeing management responsibilities, it is necessary to ensure that the owner has the skill and competence to manage the risks, and understands how his role fits into the organisation's overall risk management process. It is essential that no risk owner feels incapable or personally at risk. An 'ask if you need help' philosophy should be encouraged. It should be possible for the average employee to report a risk to senior management or even to a board member without feeling intimidated. This can only be done if there are dedicated communication channels available and a communication culture is encouraged.
The risk committee
Figure 1 illustrates the basic risk management process. The two largest components are the Monitor & Review and Communicate & Consult processes. Without these functioning effectively the whole process will begin to falter.
An effectively operating risk management process must be supported and owned by all of senior management and the organisation as a whole. The general method for managing a risk programme is to create a Risk Management Committee (RMC). The RMC should consist mostly of heads of department and critical process managers. It is responsible for the design, development, implementation, operation and effectiveness of the overall risk management process.
In many companies, the RMC has significant difficulty defining its role. Confusion arises over whether the RMC should be seen as the policy setter or the process enabler. Whatever the decision, it is essential that the RMC is not seen as alien to the business in any way. Ideally, the RMC should set the risk management strategy and then go out to individual departments and sell the programme to every employee. RMC members should promote discussion on risk management, and advertise themselves as ambassadors of the topic.
The committee is the critical link between the strategy development, the implementation, embedding and ultimate success of an organisation's risk management programme. But in many cases a breakdown in communication occurs between the RMC, the managers of other departments, and the business as a whole.
The role of an RMC member should not be taken lightly, as it carries significant responsibility, some of which may be legally binding. The committee's ultimate responsibility is to manage an effective risk management process that allows it to identify, analyse, prioritise, mitigate and report all risks to the board in an accurate, concise and timely manner.
In order to do this, it needs to be able to receive information relating to the number, frequency, probability of occurrence, potential impact and severity of the risks active within each business unit. A good risk management framework will have a defined method and process for classifying the status of risks and reporting them to the RMC. This process should clearly communicate the frequency and severity of all risks identified. The RMC in turn will report to the board the status of any risks that pose a real potential threat to the company's continuity and operations.
Risk reporting is therefore another very important factor in the overall risk management process. If the reporting process becomes inaccurate and the proposed methods and channels misused, the opportunity for error and the oversight of critical risks increases.
An organisation's risk management programme needs to be continually serviced and refreshed. Risk management will only ever become properly embedded into an organisation if the importance of good enterprise-wide risk communication is appreciated.
Operating a risk management programme can seem relatively expensive. Maintaining a programme's effectiveness requires significant resources, such as continual independent reviews and frequent training and mentoring of staff. The decision to develop an effective risk management framework requires real discussion and commitment from senior management. Organisations need to allocate budget and treat risk management financing as a critical and fixed cost. They must see risk management as a dynamic process that is essential to the longevity of the organisation and its staff's employment.
Some organisations that have developed extensive, very effective risk management programmes consider them as corporate assets and a marketing tool. Investors are beginning to favour companies that have developed comprehensive risk management strategies. To investors, good risk management translates as better protection of shareholder value.
The new economy has introduced a more volatile and risky operating environment for everyone. In order to maintain real business continuity and protect shareholder value for the long term, organisations need to cultivate more risk aware corporate cultures.
Michael Porteous is senior consultant, AMTEC consulting plc, Tel: 01252 737 866, E-mail: michael.porteous@amtec.co.uk