The events of the past 18 months or so highlighted some areas of weak risk management within various organisations. Questions were and are still being asked:
– What exactly went wrong?
– How come we didn’t anticipate this recession?
– Where were the risk managers or the governments? etc
When something goes wrong, all kinds of questions and blame start to show up. Big corporations as well as small business had thousands of money wiped off their balance sheets, high street chains went bust, governments defaulted on their debt e.g. Iceland. However, some companies, who had incorporated proper risk management structures within their business, the likes of Standard Chartered Bank, Barclays Bank, Canadian firms and etc came out unscatched or only suffered minor losses.
We all agree that this was indeed a global financial catastrophe, but, I would like also to believe that with hindsight, had most of the decisions which were made during the boom times, made with proper risk management consideration, the damage would have been minimal. I think, the perception risk management has received over the past few years played a role in the demise of many.
Most organisations still view risk management as a compliance-driven activity being imposed on them by regulatory authorities. Some still see it as the responsibility within the job description of the Internal auditor. This should not be the case. Proper risk management infact helps in continuos preservation and creation of value.
Below are some of the lessons I think we should learn from the events of the past 18 months or so:
#1. Risk management should be incorporated into Strategic Planning:
When formulating various business strategies on, for example, markets to enter/exit, product lines to offer, customers to serve, capital investments to make etc; risk management should come into play. Questions should be rigorously asked about different types of risk that can hinder goal achievement. Also avoid the mistake of only looking at the downside of risk. Looking at the upside of risk, helps in making calculated decisons that will yield great returns in the future e.g. Instead of saying “Oh the market is saturated; ask yourselves how you can penetrate that market by offering new products or maybe by forming alliances with locals”. This might look risky at start but in due course, if properly undertaken, the decision will pay back its own dividends.
#2. Its time to get out of the shell:
I like the analogy of the tortoise. Everyone knows that whatever the tortoise does, it does at its own pace but will eventually finish whatever it has started. When it gets its neck into its shell, it stops moving and cannot see whats happening around it. It can only start moving again when it sticks its neck out of the shell. The same applies in business, the recent crisis highlighted how a lot of organisations became comfortable by getting stuck in their shells. The focus was on the internal processes and procedures at the expense of the externalities around.
Moving from a silo-based approach of identifying and managing risk can help organisations improve their performance. Instead of looking at risks maybe, function by function, an enterprise-wide approach should be implemented. This will help reduce duplication of activities as well indicate how risks are interconnected within the business and how they can effectively and efficiently be managed.
#3. Everyone should be involved in risk identification & management:
There is this myth that risk managemnent responsibilities should be handled by the “high ups”. I tend to differ on that, for example, though the CEO sits at the helm and has sound knowledge of risks affecting the business, a production worker who is on the shop floor almost everyday has a better understanding of the risks that are inherent in his/her job. The same applies to the sales guy who is constantly out there engaging with the market. By involving these lower level stuff in the process of identifying and maping risks, there is a broader view of risks affecting the organisation. Involving lower level stuff in decision making also motivates them resulting in increased productivity and better performance.
#4. Risk management is an ongoing process:
The process of identifying risks is not a one off activity. It also does not involve just compiling a list of risks, strategies should be planned ahead and be ready to implemented when disaster strikes. The business environment is constantly changing and evolving and so are the risks, hence the need to be alert all the time.