Making risk management work
Structured risk management is an important part of any business governance structure and has now been around for some years, yet many companies are struggling to embed it in their business and make it work effectively so that it truly adds value. As Boards are increasingly asking for management to show them what they are doing to manage key risks rather than trusting their assurances, this debate is only going to heat up. Also, as businesses grow, the costs of failure become higher - an effective risk management process is therefore essential to the long-term health of every business.
This article examines some of the techniques companies have adopted in the successful implementation of risk management and may give you ideas that you can use in your own business.
Strategy
Pull from the Board - unless the Board is engaged in the risk management process, it is unlikely to be given priority by management. Sufficient time should be allowed in Board meetings for discussion, challenging the information provided both about risks and how they are managed, and asking for management presentations on selected risks where they need more insight. Risk should be a standing agenda item for Board and senior executive team meetings. Most importantly, the Board should not accept proposals such as acquisitions, capex requests or major projects without a well thought through risk analysis attached.
Strategic Planning - delivering on the strategic plan is one of the most important things a business does, but rarely is there sufficient debate around the related execution risk. Providing a risk analysis in the business plan, including the key obstacles and what will be done to overcome them, must increase the likelihood of success.
Risks that Matter - too many risk management processes get lost in detail with a large number of relatively low risks. This turns what should be a valuable exercise into a laborious process. Risk management should be about focusing on key risks so that there is valued debate concerning them and how they are being managed. Board reports should include no more than 10-20 risks.
Defining Risk Appetite - this is rarely well defined and often subjective. It can, however, be addressed by including a risk delegation table in the Risk Management Strategy. Delegation tables set out the maximum risk each level of management can take without elevating the issue for approval. Understanding the risks a manager is delegated to take will improve the confidence with which that manager identifies and pursues opportunities.
People
Performance Plans - performance plans should include KPIs relating to the key risks each manager is responsible for and should require management to include risks that can be reasonably foreseen in the risk profile. The existence of foreseeable risk events that were not in the profile should reflect poorly on the manager concerned.
Endorse the Risk Program - the CEO should endorse the Risk Management Strategy whenever possible and demonstrate through questions and behavior that it is important to the business.
A Risk Manager who understands the business - where a Risk Manager has been appointed, it is important that they are commercially savvy and can relate to the managers in the business. A Risk Manager focused only on process is unlikely to get significant traction. The Risk Manager should also see themselves as a coach to avoid the impression that they, rather than management, are responsible for managing risk.
Avoid a culture of blame - organisations that manage risks best are those that learn about issues early. A culture of blame can only reduce the quality and timeliness of information received by senior management and the Board.
Process
Risk Champions - appointing a Risk Champion in each business unit will improve the flow of information through to the Risk Manager and therefore the senior executive team and the Board. The Risk Champion needs to want to do the job and have the time to do it.
Make the process easy - by using technology which is simple to use and intuitive, by making information such as templates and guides available on the intranet and by providing training which is simple and flexible. Above all, the process should be integrated into existing activities (i.e. making risk analysis an integral part of the capex approval, strategy setting and management reporting processes). Finally, reporting should be simple, concise and easily generated.
Be prepared to vary the process - different business units will have different processes and one size does not fit all in risk management. The Risk Manager must be prepared to tailor their risk management process to meet each business unit's needs while at the same time providing the information needed by the corporate executive and the Board.
Include assurance as part of the process - requiring internal audit or the Risk Manager to periodically validate the operation of key risk management controls will both provide assurance to the Board and provide an incentive to management to ensure that the controls they record are real rather than aspirational.
Provide incentives - reduced insurance cost allocations are just one way to reward business units for effective risk management.
By breaking risk down and addressing its various elements - strategy, people and process - implementation of risk management becomes more attainable and ultimately more effective.
Author: Peter Moloney, August 08