Smart business leaders know that risk management is more than an unopened compliance manual tucked into the top drawer.
Story Melissa Wilkinson
The practice of risk management has rapidly matured as a business discipline over the last 10 years. It is no longer regarded as a back office function and a narrow subset of the finance department’s number-crunching activities. There has been a steady and persistent influx of chief risk officers joining executive teams and holding significant levels of influence with organisations. Industries such as nuclear energy, airlines and mining are leading the charge in terms of best practice.
Boards have also jumped onto the risk train and realised the potential short and long-term implications of not managing risk well. In the short term, an unexpected, high impact event can have catastrophic implications for a company. It can take years to recover from or in some cases it can mean shutting the doors completely. In the long term, a subtle, but undetected change in consumer preferences over a period of time can cause serious product misfires and lead to the loss of large chunks of market share.
Poor risk management can also have a significant impact on investor confidence. Researchers have found that over a 10-year period, almost half of the 1000 largest companies in the world experienced a fall in their share price of more than 20 per cent in a one-month period, relative to the Morgan Stanley Capital International (MSCI) World Index.
Deloitte Research’s 2005 study, Disarming the Value Killers, found that by the end of 2003, approximately one quarter of the companies studied had still not clawed back their lost market value. Another 25 per cent took more than 12 months for their share price to fully recover.
Changing Nature
According to Dr Mark Lawrence, one of the leaders of McKinsey & Co’s global risk management practice, the world of risk management has changed profoundly. “There has been an important shift in the nature and scope of risk management. It is no longer just an activity or tool to protect a firm from loss. There is now wide acceptance that it has moved well beyond the domain of compliance, loss avoidance or insurance to a broader consideration of all aspects of risk which affect a company’s future performance.
“There has been a significant increase in awareness about the importance of risk management. This has happened inside organisations and also externally among key stakeholder groups like investors, regulators and the general public.
“As a result of these changes, risk management has matured as a profession and is now a recognised career path. There are now formal chief risk officer roles, risk management industry bodies and official qualifications. There has been a lot of progress on the regulatory side and prudential regulation is increasingly being designed to measure risks and set minimum standards.”
From Risk to Reward
Lawrence believes that strong and effective risk management practices are now increasingly being seen as a source of sustainable growth and competitive advantage.
“We’re now seeing the emergence of a few companies who are actively using and positioning their risk management capability as a source of competitive advantage in the market. This is a new trend and investment banks in particular are using it to differentiate themselves in the market. Firms are looking very deliberately and strategically at which risks they have a competitive advantage in and want great exposure to.”
Significant growth opportunities often lie behind strategic risks. As a result, risk management practices are increasingly being used as a source of continuous operational improvement. They are proving to be very powerful in helping companies think more systematically and strategically about the future.
According to Sudhish Nayyar, principal of risk solutions at Aon Risk Services Australia, sound risk management practices act like the brakes in a car. “They let you drive as fast as you can within the speed limit and let you take advantage of opportunities as they come up. Smart companies today don’t see risk management as a cost centre activity; they’re actively searching out rewarded risk opportunities.
“Risk management practices can also act like the headlights in a car. They let management focus on moving forward in the pursuit of value for the various stakeholders. These headlights enable the organisation to become more anticipatory and effective at negotiating the magnitude of uncertainties on its journey.”
Changing Sources of Risk
The key threats that have threatened the stability of firms in the past seem to be evolving and changing all the time. A 2007 report by the Economic Intelligence Unit (EIU) on Best Practice in Risk Management found that the more traditional risks like financing risk, credit risk and foreign exchange risk, while still important, were no longer the key risks on companies’ agendas. This report appears to have been prepared before the onset of the sub-prime crisis as the credit crunch and subsequent volatility in financial markets have since pushed these risks back under the spotlight.
Greater corporate regulation such as Sarbanes Oxley and Basel II has also been responsible in driving risk management forward in these areas. The systems and tools to manage these more quantifiable risks have evolved to such an extent that companies now have much more confidence in identifying and managing them.
According to the EIU’s annual Risk Barometer survey, companies now find that the most threatening risks are those related to human capital, reputation and regulatory compliance. For the last two years that the EIU survey has been undertaken, human capital risk was perceived as the most threatening for survey respondents.
This risk relates to the loss of key staff, skills shortages and succession issues.
One of the most difficult risks that firms are finding hard to manage is reputational risk. This type of risk comes from stakeholder perceptions of companies and of their employees’ behaviour. History has shown that while a firm’s reputation can take many years to build, it can be destroyed by only a small number of people in a record space of time. Firms that don’t have a resilient reputation to start with can find it difficult to ride out times of high impact sudden market shocks. Part of the problem in managing this type of risk is its nebulous and intangible nature.
Most senior executives would agree that reputation matters, in part, because it sounds good. However, the anecdotal research suggests their priorities are focused on more tangible assets and risks. If senior management doesn’t fully appreciate how important this type of risk is, then how can employees be expected to understand the link between reputation and the bottom line? Rupert Hugh-Jones from public relations firm Scaffidi Hugh Jones says that it’s true that reputations are typically hard won and easily lost.
“In today’s organisations, there’s definitely an understanding of the importance of brand equity, but not many executives have their heads turned in the direction of reputational risk. Unfortunately reputation touches so much of a business’s operations which are left relatively unguarded.
“The trouble is that the cost of losing a reputation can be hard to calculate. In the case of the Garibaldi smallgoods incident (1995), the manufacturer didn’t draw a link between its reputation and the risk of something going wrong with one of its products.
“There’s still a real sense of complacency around the executive table and many managers have trouble looking from the outside world in. The public affairs function can play a useful role in this regard as a conscience for the organisation.”
When trouble hits a firm and its reputation is under serious threat from a risk gone bad, Hugh-Jones recommends acting quickly. “It’s critical to understand the full scope of the incident. Get out early in front of the public, tell it all and tell it honestly. You need to focus on the people involved, not the cost to the firm. Lastly, you just need to fix the problem.
Getting Good At Risk
A strong culture and awareness of risk is regularly identified as one of the best defences against many risks. Many CEOs have had to leave the building during the recent global financial crisis as a result of poor risk management and a lack of focus on the creation of a risk culture.
This notion has been substantiated by the Institute of International Finance’s Committee on Market Best Practices. The committee has spent the last nine months looking closely at what went wrong during the credit and liquidity crisis that hit financial markets around the world.
The committee found that the role of organisational culture is a primary driver in effective risk management. According to the Final Report of the Committee on Market Best Practices: Principles of Conduct and Best Practice Recommendations– Financial Services Industry Response to the Market Turmoil of 2007-2008, Institute of International Finance, July 2008: “The recent market turbulence has provided clear evidence that effective cultivation of a consistent risk culture throughout firms is the main enabling tool in risk management.”
The report recommends that each firm should make clear that senior management, particularly the CEO, is responsible for risk management. The board needs to have the essential oversight role in risk management and a robust risk culture needs to be embedded in the way a firm operates. Accountability for risk management needs to be a priority for the whole firm, not just the domain of risk specialists.
To create an effective risk management culture, education is key. All employees in a business need to understand what risk is and how their everyday decisions can affect the business. If managers want to spend money, they must be able to identify what risks they are mitigating and how these have been assessed. Spending time building a strong risk culture is important because a firm’s culture can often guide employee behaviour more consistently than formal rules.
Many industry practitioners stress the importance of not building risk silos within a business or operating risk management as a stand-alone function. While this centralised approach might be useful for monitoring and managing regulatory developments that affect an entire organisation like a bank, on their own they often lack the sort of insights that enable managers to respond quickly to changing needs.
The chief risk officer also shouldn’t be asked to act as a central policeman but play more of a facilitation role. By placing responsibility for risk management and accountability with line management, risk management is more effectively embedded at every level of the business.
The introduction of an enterprise risk management process can be a powerful way to help raise awareness of risk in an organisation. Workshops and brainstorming sessions help people to think differently about risk and how it impacts an organisation. A word of warning: if an enterprise risk management function is only implemented through a top-down approach, there is a danger that it can become a one-off add-on or an exercise which never becomes ingrained in the company.
It is also important to embed a risk management culture in the product development process. Industry practitioners recommend integrating these two functions by including product people as well as risk people in the process.
One of the key ingredients required to successfully instil an effective culture of risk is the strong support and understanding from the human resources function.
Interestingly, only 25 per cent of EIU survey respondents said that the integration of the human resources function and risk was currently effective.
It Comes Back To People
Regardless of whether your business offers products or services, the quality of the people in your business will ultimately determine how successfully you manage risk. It is becoming increasingly clear that having the right people in the right roles is one of the best forms of protection — not the latest ERP systems and processes. A poorly skilled person or even simply the wrong person can’t manage a good process.
One of the other traps of relying too heavily on a narrow model or process to manage risk is that it can leave a company blindsided. Too much emphasis on just financial (oil price exposure), hazard (gas leak) or operational risks (computer system failure) can mean ignoring important strategic risks that can cause more serious value destruction. These strategic risks include the failure of a product to launch or new technology that overtakes your existing product suite.
Lawrence warns about the need to be intelligent and conscientious about risk management.
“It’s critical to make sure that there is enough room and time left at the top of the business to have an intelligent dialogue about what risks the business is facing. It’s also important to ensure that a company doesn’t get too preoccupied with compliance, potentially at the expense of the dialogue about broader issues. “Ultimately risk management capabilities and processes have to be tailored to each organisation’s operations, people and performance. There is no single off-the-shelf, one-size-fits-all risk solution. What’s required is a thoughtful process rather than just box ticking.”
Risk Aware
Dante Peel, advisory partner at PricewaterhouseCoopers, says that too much focus on process can definitely lead to a lack of substance behind risk management.
“People in an organisation need to think about risk when decisions are made. It’s not about being risk averse, it’s about being risk aware. Egos and PowerPoint can help people bulldoze ideas through a committee or management team. The right questions need to be asked regularly, not just once a year at a strategy planning session. Line management, with the support of the HR folk, need to take accountability for risk, instead of just leaving it up to the risk manager to do all the work. The other issue that’s important is an open culture where people feel it’s safe for them to speak out. Leadership is very important here in fostering the right behaviours.”
Grant Whitehorn, national president, Risk Management Institution of Australasia, says that people need to change the way they think about risk.
“Risk management is all about enhanced decision making and ultimately growth for an organisation. A change in focus is required to embed this concept into organisational culture. If we can change the culture around this, it will be like the Holy Grail for risk management. One of the ways to do this is to make risk management performancerelated.
Managers should be assessed on how well they manage risks in relation to performance. It needs to be incorporated into employee job descriptions in order to make it real. The reality is that every time you make a decision, you create a risk for the organisation. Everyone needs to see themselves as a risk manager.”
|
The Institute’s education and training pathway is the preferred choice for industry professionals.
Considering a career as a Chartered Accountant? Looking for the next step in your professional life?
The Institute is leading the debate in the areas that matter most to business and the accounting profession. 
The Institute produces an invaluable suite of tools, guidance, products and services to help members in their work. 
Print this Article
Email this Article
