Barings Bank rogue trader (1995), LTCM hedge fund failure (1998), Enron bankruptcy (2001), Parmalat accounting fraud (2003), AIG accounting scandal (2005), Lehman Brothers bankruptcy (2008), Bernie Madoff Ponzi scheme (2008), Toyota unintended acceleration recalls (2009), BP Deepwater Horizon oil spill (2010), Fukushima tsunami and nuclear accident (2011), Libor-fixing scandal (2012), JP Morgan $14.6 billion regulatory fines (2013), Rana Plaza collapse (2013) and General Motors recalls (2014) are a few examples of risk management failures we have witnessed over the years.
Although the number of risks affecting the business and the list of risk management failures continue to grow year-on-year, organizations are not doing enough to reduce exposure to negative events. This fact has also been highlighted in the 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities, published by the ERM Initiative at North Carolina State University. Of the surveyed respondents, only 25 percent have a mature enterprise-wide risk management process in place, 30 percent have only a partial process, addressing some but not all risk areas, and 45 percent have no enterprise-wide risk management process in place. These findings are worrying, especially in today’s volatile, uncertain, complex and ambiguous business environment.
Management of risk is a fundamental and essential element in decision-making at all levels across the organization. Organizations need to rethink the way they look at risk. Instead of only looking at the downside of risks, there is also a need to look at the upside of risks. This means moving beyond financial controls and regulatory compliance and spending time assessing, managing and monitoring operational and strategic risks for improved business performance. Risk management is not only about protecting the business but also about enabling business performance. Risk management must therefore be integrated with the organization’s performance management activities. There is a positive correlation between financial performance, risk management and performance management. For example, a study by EY found that companies with more mature risk management practices integrated with strategic planning processes outperform their peers financially.
Implemented properly, enterprise risk management (ERM) helps organizations create value and reduce costs. Today’s volatile economic environment is not making it easy for CFOs. They are being challenged by the board to do more with less, help the business survive and achieve targets. Faced with this challenge, the CFO has no other option but to find cost efficiencies. By implementing robust risk management practices, CFOs will be able to improve the organization’s cost structure. For example, ERM helps management to assess, manage and monitor enterprise risks holistically. Such an approach in turn helps reduce costs by eliminating duplicate risk activities and the savings gained from risk management activities can be used to fund strategic corporate initiatives and create value.
In order to embrace risk for better business performance, organizations must:
- Strengthen the Organization’s Risk Governance and Oversight
Enhancing risk strategy enables organizations to more effectively anticipate and manage risks proactively. In order to enhance the organization’s risk strategy, the board or the management committee must strengthen its risk governance and oversight and increase transparency and communication with stakeholders. Developing a risk governance structure includes establishing the organization’s risk appetite, defining the risk universe, determining how the business would measure risk and establishing enabling technology to help manage risk. If the board or management committee is unable to clearly define risk management objectives, this will automatically make it difficult to adopt and implement a common risk framework across the organization. Risk must be aligned to strategy. This helps identify and understand the risks that matter, invest in the risks that are mission-critical to the organization and effectively assess risks across the business and drive accountability and ownership.
- Make Risk Management an Everyday Part of the Business
To successfully achieve strategic and operational objectives, organizations must embed risk management practices into their business planning and performance management processes. Current information about risk issues must be included into the organization’s business planning and strategic planning cycles. By linking risk to the business planning and strategic planning cycle, the organization is able to prioritize and link the key risks to its operations and performance indicators.
- Do you understand how the different parts of your organization fit together and the risks inherent? Risk is everywhere within the organization. You must be able to identify the connection between business, technology, processes, people and risk strategies and coordinate all the risk functions.
- Is there a formal method of defining acceptable risk limits within the organization? Stress tests must be used to validate risk tolerances.
- How committed to embedding risk management is the organization’s leadership team? Leadership must drive the adoption of the risk management program across the organization and ensure it is effective.
Unfortunately, in some organizations risk conversations happen only once in a while. Risk is not embedded as part of the organization’s DNA. This must change if the organization is to become agile and respond effectively and efficiently to materialized risks.
- Coordinate Risk Activities Across All Risk Functions
Organizations go through various changes during their lifecycle. Some grow and diminish at an alarming rate and others remain stagnant for considerable periods. During the growth phase, various activities (risk, control and compliance) often become fragmented, siloed, independent and misaligned. The result is a negative impact on both the governance oversight and the business itself. Very often, because of this lack of coordination, costs spiral out of control and there is duplication and overlap of risk activities. When this happens, management must act promptly and address these problems to reduce risk burden, lower total costs, expand coverage and drive efficiency.
- Monitoring and control functions must be aligned to the risks that are mission-critical to the organization.
- Risk technology must be integrated to create visibility to risk management activities across the organization and eliminate or prevent redundancy.
- Individuals must receive risk-related training in order to enhance their skills and promote efficiency. You need to continuously evaluate the skills gap in your organization and invest in skills development.
- Consistent risk monitoring and reporting methods and practices must be applied across the organization to ensure all the risk functions are speaking the same language.
- Improve Financial Controls and Processes
Management must build optimal controls and processes that balance cost with risk. These controls must be optimized to improve effectiveness, reduce costs and support increased business performance. If the environment is over-controlled (costs of control are too high), this hinders finance’s ability to effectively respond to changes in the competitive landscape. In this case, a review of current controls is necessary. This helps highlight duplicate and ineffective legacy controls. Investing in technology is also helping organizations minimize the use of manual detective controls, automate controls and drive a more efficient, effective and paperless controls environment.
- Change the Organization’s Risk Culture
Effective risk management requires the right tone from the top. If there is no commitment or drive from the executives to create a risk-aware culture, the program is bound to fail. A risk champion is required to change the way people view risks – from business protection to business support. The chosen individual must have great people and influencing skills to ensure successful buy-in. During the change process, a decision might arise to invest in new technology for maximum benefits. Care must be taken that the change process or risk initiative is not technology-driven. The chosen technology must act as an enabler of change and the IT strategy must be aligned with the broader risk and business strategies.
It is critical that executives operating in today’s volatile economic environment periodically evaluate existing risk investments, move beyond compliance and focus more on strategic issues that will increase or decrease the value and performance of the business.