TagERM

Thinking About The Upside of Risk

Making intelligent and informed decisions is intrinsic to effective risk management. Many at times risk management decisions are centered around loss events and the negative consequences that might eventuate. The positive aspects of risk taking are hardly noticeable.

Let’s take as an example, a decision by local-based company to build a sales and distribution presence in a new international market. Some of the risks associated with pursuing such a move include:

  • Regulatory or unanticipated government intervention aimed at foreign players.
  • Currency volatility. Shifts in foreign currency values have both positive and negative implications on the company’s costing and selling prices, and ultimately profitability.
  • Political Uncertainty. Increased political tensions between countries often lead to trade wars, supply chain disruptions and minimal trade opportunities.
  • Heightened Corruption. Companies entering certain markets may be confronted with unorthodox ways of doing business. In a number of countries, bribery is required in order to complete trade.

On the other hand, the opportunities of expanding into the new market include:

  • The business is able to keep pace with competitors by pursuing an international business strategy.
  • Potential to serve more customers. A larger consumer market ultimately means enhanced profit margins.
  • Exploring new markets can lead to innovation through external partnerships.
  • Market diversification. Having a presence in more than one market also spreads risk as the business is not completely reliant on one market.

In spite of the opportunities lingering on the horizon, the tendency for decision makers is to fixate on the negative side of risks.

Rather than identify and exploit the upside of risk for value creation, decision makers resort to singing the default anthem ‘No, no, no. It’s too risky.’

Risk taking is strictly eschewed or mitigated – always from the downside. Given today’s surging economic uncertainty and volatility, and the integral role of effective risk management in driving business performance, an unreserved mindset change is necessary.

It’s not about eliminating or even terminating risk as risk will always be present. It’s about mastering what might happen, considering all the potential opportunities, including the potential risks, evaluating whether this is acceptable and then acting as required to effectively pursue set business objectives.

Therefore, instead of always being risk averse, decision makers need to start thinking about the upside of risk and develop an understanding that there is a benefit to taking on more risk, provided this is done in a controlled way and not higgledy-piggledy.

As a strategic advisor to the business, finance can play a critical role in helping management make better informed decisions about uncertainties.

We can achieve this through taking initiative and integrating ourselves in operational and strategic performance discussions, understanding the business and its entire operations, and asking smart questions aimed at helping management perform their jobs better.

Doing so empowers us to provide decision makers with cogent advice that ensures they have solid information about both the upside and downside of the company’s business strategy, and ultimately help them make enlightened decisions.

In other words, the advice we allot to decision makers should not act as an impediment to the achievement of business objectives. Alternatively, it should help them understand the odds of achieving the objectives and business success.

Effective risk management far exceeds risk protection and compliance, loss avoidance or arranging insurance cover to mitigate negative consequences.

Old habits die hard. Nevertheless, growth and progress ensue from challenging the status quo and embracing new habits. Stop paying attention on avoiding loss and start taking a broad, strategic view on the upside and downside of risk.

Resolve how you can literally create value and support the successful execution of business strategy and achievement of objectives.

Rethinking and Elevating the Status of Risk Management

Enterprise risk management (ERM) is at the heart of effective decision making and should be at the forefront of everybody’s thinking within the organization. Today’s risk-filled macroeconomic environment requires front-line employees, middle management, senior executives and the board to take a proactive approach in managing the various risks the business is exposed to.

Risks are increasing and impacting the business at a very alarming level, and as a result, senior management and their teams have to be more prepared to respond quickly than in the past. This means adapting a new view of the risk universe.

Whereas in the past risk management was seen as a compliance and box ticking exercise, this limited view no longer cuts it. Not to say that compliance management is a waste of time, the function still plays a critical role in helping the business achieve its objectives.

What is critical and required in today’s VUCA environment is view risk management with a different pair of lenses, assess its role in helping management successfully execute the broader strategy of the business and increase the overall value of the business.

It is no secret that over the past decade the number of corporate crises and scandals the world has witnessed have increased significantly.  From natural disasters, product-related mishaps, supply chain failures, employee fraud, to IT system failures and too-big-to fail company liquidations, the media hasn’t been short of a story to post as a headline.

Most of these risk events, maybe apart from natural disasters, would have been mitigated had the management and board played their critical role in the effective identification, assessment, management and oversight of risk management within the organization.

Unfortunately, in many organizations today, senior management and the board are turning a blind eye on important risks and effective risk management.  Risk management is considered an after-thought activity.

Instead of integrating risk management with strategic decision making, the focus is on short-term performance and incentives that are inappropriate and driving the wrong behaviour from the top and all the way down to the least ranked employee of the organization.

Although the board plays a critical role in ensuring effective risk oversight within the organization, risk management is everyone’s responsibility.

Employees, management and the board should have a clear understanding of the business model, the foundations and assumptions on which this model is based, the risks the organization faces and how they might combine.

Irrespective of which function you are working, there are risks emanating from that particular function and these risks in turn intertwine with the broader business. As a result, it is critical that each employee is aware of what risks are emanating from their line of business, at what frequency and how they fit into the overall risk strategy of the business.

If the tone of risk management from the top is rotten, how can the board except the tone below to be different? Remember the fish rots from the head down.

If the leaders are ignorant, then the whole organization will follow suit. It is therefore important that top leadership sets in motion the right organizational risk culture and lead by example.

As a starting point,  this means changing the role and status of those employees and management tasked with implementing the organization’s risk strategy so that they don’t feel inadequate but can confidently report all that they find to the board. One of the challenges facing many businesses is that of complacency.

There is a misguided belief that good times will last indefinitely. As a result, many businesses are failing to recognize the rapid change in the business environment. Risks change overtime, and it is essential that management and boards are aware of all the important risks capable of derailing their plans.

How competent is your organization when it comes to identifying and analyzing risks emerging from the company’s internal and external environment, as well as from the leaders’ activities and behaviour?

How often are you stress-testing the core of your business model?

To avoid falling into the complacency trap, management and the board must learn to ask questions all the time. For example:

  1. How is your company consistently producing exceptional results?
  2. What are the foundations of the company’s success and how sustainable are these?
  3. Even if the company’s strategy is implemented flawlessly, what other risks could undermine the business?
  4. Does your incentive structure promote any form of inappropriate behaviour?
  5. Are you focusing more on cost-saving and efficiency to the detriment of quality?

Asking the right questions helps management uncover surprises early enough and address these before they become big and damaging to the organization.  It also helps the board understand and evaluate the adequacy of the answers received.

In the financial services industry, many institutions are driven by short-term revenue, profit and ROE gains. This massive obsession with achieving short-term performance targets often results in employees bypassing internal controls and management turning a blind eye to risky behaviour.

We have witnessed cases where companies significantly rewarded an employee for making huge profits on behalf of the business, only for management and the board to find out later that these profits were made via questionable and unethical ways.

How robust and all-pervading are your company’s internal controls to monitor employee behaviour, even the most senior executives?

When the role and status of risk management is elevated within the organization, there is a free flow of information in all directions. That is up and sideways as well as down and from the very bottom to the top of the organization.

Encouraging free flow of information within the business is key to ensuring that any issues or circumstances and risks that are known within the organization, but not to the leaders, do not remain hidden from the leaders’ sight. Some risks remain unmanaged because employees are afraid of flagging these to their superiors because the manager often refuses to heed warning and advice that something is wrong.

When senior managers and decision makers are ignorant of intelligent and informed advice, risks remain unrecognized and unmanaged for longer periods than necessary. These Unknown Knowns inherently become dangerous and eventually become detrimental to the organization’s performance and reputation.

It is therefore imperative that when assessing and evaluating risk information, the organization considers all the sources of information at its disposal.

Rather than limit their focus to traditional risk areas, companies should take an enterprise-wide approach of risk, and learn from their own experiences as wells as other companies and industries. This helps identify not only challenges that might cause a particular strategy to fail, but also any major risks that might also affect long-term positioning and performance of the business.

Self-deception is often a result of failure to listen to outside perspective, and when this happens, business leaders can only see themselves as in a mirror. This often leads to poor decision-making with far-reaching consequences than would have been the case had the leader listened to outside perspective.

Risk management is not only about looking at the downside, but also at the upside. Thus, in order to take advantage of uncertainty and volatility in today’s environment, maximize gains and create value, it is critical that companies move beyond their corporate structures, and adapt more of an “outside-in” perspective when assessing their strategies, challenges and opportunities.

In today’s era of Big Data and advanced analytics, companies can also take advantage of these modern technologies and start making sense of the vast information at their finger tips, by sifting through the data, determine the most important risks and risk indicators and establish an effective enterprise risk management framework.

Effective decision-making demands the business leaders to have a more comprehensive picture of the challenges that are in front of the company. This requires integrating ERM into the overall business strategy and planning process, and changing the approach to managing enterprise risks.

ERM must effectively support the development and execution of business strategy. However, if risk management is considered a cost and not a value-adding process, there is a big risk that the business will fail to execute its strategy successfully.

Effectively implemented and aligned to the business, ERM can become an important source of information to the board as well as the business via its executives. For example, it can help them become aware of the new risks created by their strategies, evaluate the strategic impact of new technologies and identify investments that are necessary for managing risks and exploiting new opportunities.

On the contrary, if the internal audit and risk management teams are given a very low status and never listened to, they become less effective resulting in the company being exposed to unnecessary risks.

What level of status are you giving to your organization’s internal audit and risk management teams?

How does risk inform your company’s broader business strategy?

Embracing Risk for Improved Business Performance

Barings Bank rogue trader (1995), LTCM hedge fund failure (1998), Enron bankruptcy (2001), Parmalat accounting fraud (2003), AIG accounting scandal (2005), Lehman Brothers bankruptcy(2008), Bennie Madoff ponzi scheme (2008), Toyota unintended acceleration recalls (2009) , BP Deepwater Horizon oil spill (2010), Fukushima tsunami and nuclear accident (2011), Libor-fixing scandal (2012), JP Morgan $14.6 billion regulatory fines (2013), Rana Plaza collapse (2013) and General Motors recalls (2014) are a few examples of risk management failures we have witnessed over the years.

Although the number of risks affecting the business and list of risk management failures continue to grow year-on- year, organizations are not doing enough to reduce exposure to negative events. This fact has also been highlighted in a recent 2015 Report on the Current Sate of Enterprise Risk Oversight: Update on Trends and Opportunities published by the ERM Initiative at North Carolina State University. Of the surveyed respondents, only 25 percent have mature enterprise-wide risk management process in place, 30 percent have only a partial process, addressing some but not all risk areas and 45 percent have no enterprise-wide risk management process in place. These findings are worrying, especially in today’s volatile, uncertain, complex and ambiguous business environment.

Management of risk is a fundamental and essential element in decision-making at all levels across the organization. Organizations need to rethink the way they look at risk. Instead of only looking at the downside of risks, there is also need to look at the upside of risks. This means moving beyond financial controls and regulatory compliance and spending time assessing, managing and monitoring operational and strategic risks for improved business performance. Risk management is not only about protecting the business but also about enabling business performance. Risk management must therefore be integrated with organization’s performance management activities. There is a positive correlation between financial performance, risk management and performance management. For example, a study by EY found out that companies with more mature risk management practices integrated with strategic planning processes outperform their peers financially.

Implemented properly, enterprise risk management (ERM) helps organizations create value and reduce costs. Today’s volatile economic environment is not making it easy for CFOs. They are being challenged by the board to do more with less, help the business survive and achieve targets. Faced with this challenge, the CFO has no other option but to find cost efficiencies. By implementing robust risk management practices, CFOs will be able to improve the organization’s cost structure. For example, ERM helps management to assess, manage and monitor enterprise risks holistically. Such an approach in turn helps reduce costs by eliminating duplicate risk activities and the savings gained from risk management activities can be used to fund strategic corporate initiatives and create value.

In order to embrace risk for better business performance, organizations must:

  1. Strengthen the Organization’s Risk Governance and Oversight

Enhancing risk strategy enables organizations to more effectively anticipate and manage risks proactively. In order to enhance the organization’s risk strategy, the board or the management committee must strengthen its risk governance and oversight and increase transparency and communication with stakeholders. Developing a risk governance structure includes establishing the organization’s risk appetite, defining the risk universe, determining how the business would measure risk and establishing enabling technology to help manage risk. If the board or management committee is unable to clearly define risk management objectives, this will automatically make it difficult to adopt and implement a common risk framework across the organization. Risk must be aligned to strategy. This helps identify and understand the risks that matter, invest in the risks that are mission-critical to the organization and effectively assess risks across the business and drive accountability and ownership.

  1. Make Risk Management an Everyday Part of the Business

To successfully achieve strategic and operational objectives, organizations must embed risk management practices into their business planning and performance management processes. Current information about risk issues must be included into the organization’s business planning and strategic planning cycles. By linking risk to the business planning and strategic planning cycle, the organization is able to prioritize and link the key risks to its operations and performance indicators.

  • Do you understand how the different parts of your organization fit together and the risks inherent? Risk is everywhere within the organization. You must be able to identify the connection between business, technology, processes, people and risk strategies and coordinate all the risk functions.
  • Is there a formal method of defining acceptable risk limits within the organization? Stress tests must be used to validate risk tolerances
  • How committed to embedding risk management is the organization’s leadership team? Leadership must drive the adoption of the risk management program across the organization and ensure it is effective.

Unfortunately in some organizations risk conversations are done once in a while. Risk is not embedded as part of the organization’s DNA. This must change if the organization is to become agile and respond effectively and efficiently to materialized risks.

  1. Coordinate Risk Activities Across All Risk Functions

Organizations go through various changes during their lifecycle. Some grow and diminish at an alarming rate and others remain stagnant for considerable periods. During the growth phase, various activities (risk, control and compliance) often become fragmented, siloed, independent and misaligned. The result is a negative impact on both the governance oversight and the business itself. Very often, because of this lack of coordination, costs spiral out of control and there is duplication and overlap of risk activities. When this happens, management must act promptly and address these problems to reduce risk burden, lower total costs, expand coverage and drive efficiency.

  • Monitoring and control functions must be aligned to the risks that are mission-critical to the organization.
  • Risk technology must be integrated to create visibility to risk management activities across the organization and eliminate or prevent redundancy.
  • Individuals must receive risk-related training in order to enhance their skills and promote efficiency. You need to continuously evaluate the skills gap in your organization and invest in skills development.
  • Risk consistent monitoring and reporting methods and practices must be applied across the organization to ensure all the risk functions are speaking the same language.
  1. Improve Financial Controls and Processes

Management must build optimal controls and processes that that balance cost with risk. These controls must be optimized to improve effectiveness, reduce costs and support increased business performance. If the environment is over-controlled (costs of control are too high) this hinders finance’s ability to effectively respond to changes in the competitive landscape. In this case, a review of current controls is necessary. This helps highlight duplicate and ineffective legacy controls. Investing in technology is also assisting organizations minimize the use of manual detect controls, automate controls and drive a more efficient, effective and paperless controls environment.

  1. Change the Organization’s Risk Culture

Effective risk management requires the right tone from the top. If there is no commitment or drive from the executives to create a risk aware culture, the program is bound to fail. A risk champion is required to change the way people view risks – from business protection to business support. The chosen individual must have great people and influential skills to ensure successful buy-in. During the change process, a decision might arise to invest in new technology for maximum benefits. Care must be taken that the change process or risk initiative is not technology-driven. The chosen technology must act as an enabler of change and the IT strategy must be aligned with the broader risk and business strategies.

It is critical that executives operating in today’s volatile economic environment periodically evaluate existing risk investments, move beyond compliance and focus more on strategic issues that will increase or decrease the value and performance of the business.

Minimizing Risks of Outsourcing Failure

As the challenge on CFOs and other business leaders to do more with less continue to increase, we have witnessed an increase in the number of outsourcing arrangements across all industries.

Most organizations, led by their CFOs have outsourced selected projects, functions and delegated the day-to-day management of these activities to third-party organizations.

Many at times, the reasons for outsourcing include but are not limited to – outsource to achieve significant cost savings, focus management on core activities, improve quality, achieve higher activity levels, improve customer service(s) and improve financial control.

Whether CFOs and their organizations achieve these intended outcomes is a debate for another day as some research findings have proved otherwise.

When outsourcing certain business activities, it is imperative that CFOs do not succumb to “herd mentality”. Just because everyone is doing something doesn’t necessarily mean you have to follow suit.

When the decision has been made to outsource, it is critical for CFOs and the other business leaders to thoroughly understand the risks inherent therein and devise intelligent means of managing and monitoring these.

Unfortunately, outsourcing risk is poorly managed in a considerable number of outsourcing arrangements.

What business leaders need to be clearly understand is that, if improperly managed, outsourcing risk can be fatal to their organizations.

Simply outsourcing a selected part of your business does not mean all your problems are over. You can never outsource responsibility, nor can you outsource reputation risk.

By handing over critical parts of your organization to a third party and delegating their day-to-day management to a third-party organization, you are to a certain degree, losing degree of control over operations and quality.

However, you still maintain ultimate responsibility of the partnership performance and results. It is therefore important to remember that when something goes wrong, your customers, employees, vendors and other key stakeholders will come knocking at your door for answers.

They do not care much who the outsourcing company is.

Thus, having an effective enterprise risk management (ERM) framework can help CFOs monitor and manage a wide array of risks in outsourcing arrangements.

Lack of preparation and improper decision making are what causes a large percentage of outsourcing arrangements to fail. CFOs and business leaders need to know and understand the critical units that are absolutely essential to the functionality of the core business processes.

In other words, the decision to outsource should be made on good business grounds, looking at the overall value outsourcing can bring, and not solely on grounds of cutting costs or improving ROI.

Having clearly defined goals and objectives from the outset is key to identifying risks to the project and minimizing failure. If clear objectives are not defined, it makes it difficult to assess all the risks with potential of derailing the outsourcing arrangement.

What CFOs need to understand is that outsourcing risks go beyond the planning stage. They are found at each stage of the outsourcing arrangement.

Once the agreement has been entered into, risks will continue to creep in along the way.

How are you going to respond if service delivery fails to meet your expectations, confidentiality and security are breached, there are management changes at the outsourcing company, the contract is too rigid to accommodate change or the outsourcing company goes out of business?

These are some of the risks CFOs must keep an eye on and ensure there are adequate plans and controls in place to monitor and manage these.

As mentioned earlier on that poor planning and decision making are what causes a large number of outsourcing arrangements to fail, selecting the wrong partner is one of the worst risks.

Selecting the provider to deal with should not be based on whoever provides the cheapest deal but also on other factors such as capability and competence, supplier pricing transparency, data and information security, third-party dependency risk, compatibility with your organization’s culture and vision and the supplier’s governance structure and internal management practices.

By having various perspectives of the supplier CFOs will be able to manage the process effectively.

Another area of risk concern lies within the SLA, the contract which governs the buyer-supplier relationship. Although SLAs are partly standard for any type of outsourced arrangement, they must be properly designed to your specific business.

Bad SLAs can hide unacceptable problems in the business and this has a high potential of backfiring in the long run. Thus, when negotiating the SLA, it is critical to take a risk-based view of the contract development.

In addition to containing details of what needs to be done, division of responsibilities, activities that will impact the arrangement and critical deadlines that must be met, performance review process, reporting of performance, issue escalation process, confidentiality expectations, change control protocols and the exit strategy, the SLA should also act as a fundamental risk control.

Risk profiles should be developed for each outsourced function, service or activity to allow for appropriate oversight. These risk profiles must be aligned to the desired process outcomes and the risk metrics developed accordingly so that they can be monitored logically.

Designing risk profiles helps CFOs and other business leaders evaluate the performance of the outsourcing partner and determine whether the desired outcomes are being achieved or not.

The risks metrics designed to monitor the arrangement should tie into the SLAs that have been established for the service provider. Furthermore, they must be properly focused and the means of producing and reporting them must be real time and near time.

Lack of appropriate outcome-focused metrics and the right measurement criteria is a key failure point in outsourcing arrangements. The problem with many arrangements is that too often unrealistic expectations are placed on the provider by the client.

CFOs and their executive management team should be reasonable and realistic and try to ensure there are no surprises. Good communication ensures that management’s expectations are managed and also acts as a prudent risk control mechanism.

The exit strategy must be laid bare from the outset. Although there are various reasons why the contract should come to an end, failure by the provider to deliver on expectations or poor quality are some of the reasons. When negotiating SLAs, CFOs must think about their exit strategy.

There should be clarity about the circumstances under which the agreement may be terminated, how the service or function can be brought back in-house or passed on to a third-party, who owns what assets and when compensation is due.

Failure to do so can result in the organization becoming dependent on the provider or losing its negotiating power making it difficult to transition elsewhere.

It is important for CFOs to understand that an outsourcing arrangement is a partnership that must be nurtured and managed effectively on a collaboration basis to achieve the desired outcomes.

Getting it right from the start is key to minimizing failure and maximizing performance.

© 2019 ERPM Insights

Theme by Anders NorénUp ↑