Enterprise risk management (ERM) is at the heart of effective strategic decision making and should be at the forefront of everybody’s thinking within the organization. Today’s risk-filled macroeconomic environment requires front-line employees, middle management, senior executives and the board to take a proactive approach in managing the various risks the business is exposed to.
Risks are increasing and impacting the business at a very alarming level, and as a result, senior management and their teams have to be more prepared to respond quickly than in the past. This means adopting a new view of the risk universe.
Whereas in the past risk management was seen as a compliance and box-ticking exercise, this limited view no longer cuts it. This is not to say that compliance management is a waste of time; the function still plays a critical role in helping the business achieve its objectives. What is critical and required in today’s VUCA environment is to view risk management through a different pair of lenses, and to assess its role in helping management successfully execute the broader strategy of the business and increase the overall value of the business.
It is no secret that over the past decade the number of corporate crises and scandals the world has witnessed has increased significantly. From natural disasters, product-related mishaps, supply chain failures and employee fraud to IT system failures and too-big-to-fail company liquidations, the media hasn’t been short of a story to post as a headline. Most of these risk events, maybe apart from natural disasters, would have been mitigated had the management and board played their critical role in the effective identification, assessment, management and oversight of risk management within the organization.
Unfortunately, in many organizations today, senior management and the board are turning a blind eye to important risks and effective risk management. Risk management is considered an after-thought activity.
Instead of integrating risk management with strategic decision making, the focus is on short-term performance and incentives that are inappropriate and driving the wrong behaviour from the top and all the way down to the least ranked employee of the organization. As I have previously attested in my posts, although the board plays a critical role in ensuring effective risk oversight within the organization, risk management is everyone’s responsibility.
Employees, management and the board should have a clear understanding of the business model, the foundations and assumptions on which this model is based, the risks the organization faces and how they might combine.
Irrespective of which function you are working in, there are risks emanating from that particular function and these risks in turn intertwine with the broader business. As a result, it is critical that each employee is aware of what risks are emanating from their line of business, at what frequency and how they fit into the overall risk strategy of the business. If the tone of risk management from the top is rotten, how can the board expect the tone below to be different? Remember, the fish rots from the head down.
If the leaders are ignorant, then the whole organization will follow suit. It is therefore important that top leadership sets in motion the right organizational risk culture and leads by example.
As a starting point, this means changing the role and status of those employees and management tasked with implementing the organization’s risk strategy so that they don’t feel inadequate but can confidently report all that they find to the board. One of the challenges facing many businesses is that of complacency. There is a misguided belief that good times will last indefinitely. As a result, many businesses are failing to recognize the rapid change in the business environment. Risks change over time, and it is essential that management and boards are aware of all the important risks capable of derailing their plans.
How competent is your organization when it comes to identifying and analyzing risks emerging from the company’s internal and external environment, as well as from the leaders’ activities and behaviour?
How often are you stress-testing the core of your business model?
To avoid falling into the complacency trap, management and the board must learn to ask questions all the time. For example:
- How is your company consistently producing exceptional results?
- What are the foundations of the company’s success and how sustainable are these?
- Even if the company’s strategy is implemented flawlessly, what other risks could undermine the business?
- Does your incentive structure promote any form of inappropriate behaviour?
- Are you focusing more on cost-saving and efficiency to the detriment of quality?
Asking the right questions helps management uncover surprises early enough and address these before they become big and damaging to the organization. It also helps the board understand and evaluate the adequacy of the answers received. In the financial services industry, many institutions are driven by short-term revenue, profit and ROE gains. This massive obsession with achieving short-term performance targets often results in employees bypassing internal controls and management turning a blind eye to risky behaviour.
We have witnessed cases where companies significantly rewarded an employee for making huge profits on behalf of the business, only for management and the board to find out later that these profits were made via questionable and unethical ways. How robust and all-pervading are your company’s internal controls to monitor employee behaviour, even the most senior executives?
When the role and status of risk management is elevated within the organization, there is a free flow of information in all directions. That is, up and sideways as well as down, and from the very bottom to the top of the organization.
Encouraging free flow of information within the business is key to ensuring that any issues, circumstances and risks that are known within the organization, but not to the leaders, do not remain hidden from the leaders’ sight. Some risks remain unmanaged because employees are afraid of flagging these to their superiors, as the manager often refuses to heed warnings and advice that something is wrong.
When bosses refuse to listen, risks remain unrecognized and unmanaged for a long time. These Unknown Knowns inherently become dangerous and eventually become detrimental to the organization’s performance and reputation.
It is therefore imperative that when assessing and evaluating risk information, the organization considers all the sources of information at its disposal. Rather than limit their focus to traditional risk areas, companies should take an enterprise-wide approach to risk, and learn from their own experiences as well as other companies and industries. This helps identify not only challenges that might cause a particular strategy to fail, but also any major risks that might affect long-term positioning and performance of the business.
Self-deception is often a result of failure to listen to outside perspective, and when this happens, business leaders can only see themselves as in a mirror. This often leads to poor decision-making with more far-reaching consequences than would have been the case had the leader listened to outside perspective.
Risk management is not only about looking at the downside, but also at the upside. Thus, in order to take advantage of uncertainty and volatility in today’s environment, maximize gains and create value, it is critical that companies move beyond their corporate structures, and adopt more of an “outside-in” perspective when assessing their strategies, challenges and opportunities.
In an age of Big Data and data analytics, companies can also take advantage of these advanced technological innovations, invest in this modern technology and make sense of the vast information at their fingertips by sifting through the data, determining the most important risks and risk indicators, and establishing an effective strategic risk management model to follow while continuously updating the company’s strategic risk profile.
Effective decision-making demands that business leaders have a more comprehensive picture of the challenges that are in front of the company. This requires integrating ERM into the overall business strategy and planning process, and changing the approach to managing enterprise risks. ERM must effectively support the development and execution of business strategy. However, if risk management is considered a cost and not a value-adding process, there is a big risk that the business will fail to execute its strategy successfully.
Effectively implemented and aligned to the business, ERM can become an important source of information to the board as well as the business via its executives. For example, it can help them become aware of the new risks created by their strategies, evaluate the strategic impact of new technologies and identify investments that are necessary for managing risks and exploiting new opportunities.
On the contrary, if the internal audit and risk management teams are given a very low status and never listened to, they become less effective, resulting in the company being exposed to unnecessary risks.
What level of status are you giving to your organization’s internal audit and risk management teams?
How does risk inform your company’s broader business strategy?