When discussing how to improve the value contributed by risk management, we at Protiviti are often asked, “Where do we start?” At the heart of this question is the desire for a simple point of view that makes sense in practice.
While there is no one size that fits all, there are four fundamental elements to consider in risk management. These elements are intended to be flexible in application, which is essential because risk profiles vary in complexity across industries.
Process
Like any other worthwhile activity in a business, risk management requires a process. As with any process, there needs to be a purpose, inputs, activities and outputs. The activities of the risk management process typically include the identification, sourcing, measurement, evaluation, mitigation and monitoring of risk.
The purpose of the process varies from company to company. One company may seek to reduce risk or performance variability to an acceptable level. Another may seek to prevent unwanted surprises. Still another may desire to take more risks as it pursues value creation opportunities.
Integration
For many companies, risk management has focused on protecting the tangible assets reported on a company’s balance sheet and the related contractual rights and obligations. Traditionally, this means the placement of insurance, management of treasury risks, mitigation of environmental issues, and elimination of health and safety risks in the workplace, among other things.
While this traditional role has served a useful purpose in the past and should continue to function, the question arises as to whether risk management should serve a higher and better use.
The relevance of the risk management process increases if it is integrated with core management processes. The idea is to integrate risk management with what matters, so as to instil in the board, CEO and executive management greater confidence that the organisation will be successful in achieving its objectives and executing its strategy.
The nature and extent of integration vary across industries and companies, and are highly dependent on management’s operating style. The scope of integration could include one or more of such core processes as strategy setting, business planning, performance management, capital expenditure funding, M&A and due diligence and integration.
Effective integration can result in risk management becoming more integrated with the rhythm of the business so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.
Culture
A well-designed risk management process can be compromised if dysfunctional organisational behaviour exists. It is not likely that risk management will have an impact at the crucial moment when a contrarian voice is needed if the CEO does not pay attention to the warning signs posed by the risk management function, if the reward system is not sufficiently balanced with long-term shareholder interests, if the board is not asking tough questions about the assumptions and risk underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues.
A culture that is conducive to effective risk management often encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business behaviour.