When discussing how to improve the value contributed by risk management, we at Protiviti are often asked, “Where do we start?” At the heart of this question is the desire for a simple and practical point of view that makes sense in practice.
While there is no one size that fits all, there are four fundamental elements to consider in risk management. These elements are intended to be flexible in application, which is essential because risk profiles vary in complexity across industries.
Like any other worthwhile activity in a business, risk management requires a process. As with any process, there needs to be a purpose, inputs, activities and outputs. The activities of the risk management process typically include the identification, sourcing, measurement, evaluation, mitigation and monitoring of risk.
The purpose of the process varies from company to company. One company may seek to reduce risk or performance variability to an acceptable level. Another may seek to prevent unwanted surprises. Still another may desire to take more risks as it pursues value creation opportunities.
For many companies, risk management has focused on protecting the tangible assets reported on a company’s balance sheet and the related contractual rights and obligations. Traditionally, this means the placement of insurance, management of treasury risks, mitigation of environmental issues, and elimination of health and safety risks in the workplace, among other things.
While this traditional role has served a useful purpose in the past and should continue to function, the question arises as to whether risk management should serve a higher and better use.
The relevance of the risk management process increases if it is integrated with core management processes. The idea is to integrate risk management with what matters to instil in the board, CEO and executive management greater confidence that the organisation will be successful in achieving its objectives and executing its strategy.
The nature and extent of integration varies across industries and companies, and is highly dependent on management’s operating style. The scope of integration could include one or more of such core processes as strategy setting, business planning, performance management, capital expenditure funding, and M&A due diligence and integration.
Effective integration aligns risk management with the rhythm of the business, so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.
A well-designed risk management process can be compromised if dysfunctional organisational behaviour exists. It is not likely that risk management will have an impact at the crucial moment when a contrarian voice is needed if the CEO does not pay attention to the warning signs posed by the risk management function, if the reward system is not sufficiently balanced with long-term shareholder interests, if the board is not asking tough questions about the assumptions and risk underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues.
A culture that is conducive to effective risk management often encourages open communication, sharing of knowledge and best practices, continuous process improvement, and a strong commitment to ethical and responsible business behaviour.
Given the nature of the organisation’s risk management process, the core management activities with which that process is integrated, and the strengths and weaknesses of the organisation’s culture, we can now ask: Is the organisation’s existing infrastructure sufficient to get the job done?
By infrastructure, we mean the company’s policies, internal activities, organisation, reporting and systems related to managing risk. If the answer is ‘yes,’ then we move on. If the answer is ‘no,’ the next question becomes: What changes are needed?
Changes could include any combination of things, such as a risk management policy, more explicit dialogue around risk appetite, a risk management committee, a chief risk officer, improved risk reporting, and more reliable systems.
These elements define what executives should be looking at when evaluating the role and effectiveness of risk management within the organisation, and provide a context for directors when focusing their risk oversight.
Questions to Ask
The following are some suggested questions to ask about the nature of your company’s risks that are inherent in its operations.
- Is there a risk management process that provides a framework for managing risk company-wide? Does it address risks inherent in the company’s strategy?
- Is risk management primarily focused on insurable, financial and operational risks? Does it make sense to integrate risk management with one or more core management processes, such as strategy-setting?
- Are risk management activities scattered across the company operating as separate silos? If so, would coordination across, and even consolidation of, these silos improve risk management?
- Are there cultural issues in the organisation that could compromise the effectiveness of risk management?
- Is the infrastructure in place sufficient to accomplish the objectives that management and the board wish to achieve with respect to risk management?
About the Author
Protiviti is a global business consulting and internal audit firm composed of experts specialising in risk advisory and transaction services. It provides perspectives on a wide range of critical business issues for clients in the Americas, Asia Pacific, Europe and the Middle East.