In one survey of global CEOs by PricewaterhouseCoopers (PwC), the business advisory firm, executives saw over-regulation as the greatest threat to business growth. Since the dawn of the new millennium, almost every crisis or scandal has led to the introduction of new regulatory requirements. In the early 2000s, after the collapse of Enron, the Sarbanes-Oxley Act was enacted in the US to address transparency issues and hold executives accountable for their actions. Since then, we have witnessed similar regulatory requirements such as IFRS, Public Finance Management Act, The Municipal Finance Management Act, The Companies Act, European Solvency II and the South African King III come into force.
There is no problem in having regulatory reforms to govern the role and operations of business enterprises. The problem arises when organisations believe they can eliminate risk through compliance. Regulation does not eliminate risk. Many organisations still make the huge mistake of focusing on risk management largely as a result of industry regulation. They now spend too much time and other resources on compliance and regulation at the expense of having an open discussion about the risk appetite of the organisation and embedding risk management into business decision making. They believe risk management is only of value when something goes wrong and fail to acknowledge its potential to create value for the organisation.
In order to benefit from risk management and its value creation potential, the focus of management should not be purely on either performance or conformance. There needs to be a balance between the two, and they should be aligned so that the balance is sustainable.
So how can organisations align performance and conformance?
Clearly set and communicate your organisation’s risk appetite: Avoid falling into the trap of diverting resources away from other priority risk management activities that might support greater revenue generation or business growth. Every time new industry regulation is enforced, instead of quickly setting up a new oversight department or designing new processes, first examine the consequences of failing to act. Define your risk culture and risk appetite and make sure they are clearly understood enterprise-wide. Having done that, you then need to align your risk management systems and processes to ensure a universal basis for decision making.
Systematically identify and consistently manage risks: In most cases, compliance and regulation is a box-ticking process performed once in a while. There is often a list of rules and regulations that you are obliged to adhere to and you just make sure that you are not taking the wrong route. This box-ticking process does not in any way improve organisational performance.
You need to embed risk assessment into all business processes and build a comprehensive risk profile. This will help you identify the main drivers of change in risk management priorities and determine the best strategies to create value. In other words, this periodic review of processes will help you acknowledge both the opportunity and the possible consequences of your organisation’s individual and collective actions.
Measure business performance on a risk-adjusted basis: This gives a clear understanding of where and how much value is created or destroyed across the organisation. Risks should be considered when evaluating new projects or investments. You also need to ensure that key risk indicators impacting business performance targets are properly controlled.
Integrate risk management with strategic planning: The need to meet regulatory deadlines is undermining the efforts by many organisations to successfully integrate risk management into their strategic decision-making processes. There is a need to redesign risk management and compliance processes to enable you to assess business opportunities quickly and effectively gain competitive advantage. It is all about having a business model that aligns with your organisation’s risk appetite and tolerance.
Embed risk appetite within the organisational culture: Various studies have shown that companies with both ethical guidelines and compliance programmes report suffering fewer economic crimes. You need to establish a culture where the right people will do the right thing at the right time, regardless of the circumstances.
Creating such an environment calls for strong leadership qualities. This means management having the ability to clearly communicate organisational objectives, risk appetite, ethical business standards and incentive and reward systems. At the same time, managers should also have the ability to encourage employees to do the right thing. Role-specific ethics, compliance and training programmes could also prove more effective here. It is all about ensuring there is a two-way conversation so that employees understand and commit to the culture of doing the right thing.