Risk management: compliance requirement or business decision-making tool?
Published: July 2008
For many, risk management is seen merely as another corporate governance headache. Stephen Roberts examines how you can move beyond compliance and make risk management work to your advantage
This year sees the tenth anniversary of the release of the Combined Code. When it was first published in 1998, it gave many UK listed companies a regulatory requirement to demonstrate how they were actively identifying and managing their significant business risks, and that they had a sound system of internal control in place. Ten years on, there now exists a wide spectrum of attitudes to risk management, from boards that look at risk management mainly as a corporate governance requirement, to those that see risk management as a proactive management tool used to help senior management make business decisions more effectively.
This also applies to the drivers for boards to address risk management, as well as to how risk management is being applied within the business. Drivers for boards to formally create a demonstrable risk management process include:
- Corporate governance requirements
- Lender requirements
- Tender requirements
- Key customer requirements
- Insurance requirements
- Better understanding of key exposures
- Requiring a clearer ‘line of sight’ on key objectives
- To be better equipped to make decisions specifically around capital allocation
- To be equipped with better management information on a board decision
Going forward, an emerging driver for boards to formally develop risk management is the current activity of the rating agencies such as Standard & Poor’s, who are formally creating a risk management rating ‘lens’ on top of the normal criteria currently used to rate companies. While the exact shape and scope of this is still being finalised, it could be a substantial factor for boards in ensuring that their risk management is demonstrable and effective, and that it is viewed favourably under the intended rating agencies’ scoring criteria.
Whatever the driver, as we stand in 2008 the question to be answered by companies today is not, “Do you have risk management?” but, “How are you applying your risk management?” and, “Do you view your risk management as a business-enabling tool?”
Indeed, referring to the drivers above, the further down the list you go, the more benefit the risk management provides. However, what does moving beyond compliance actually mean?
In going beyond compliance, a number of companies turn to international standards on risk management: COSO, the New Zealand and Australia Risk Management Standard 4360, the King Report and the Financial Services Authority’s Risk Assessment Framework are a few examples, with the British Standards Institute about to launch a further version to the list. These standards are effective in steering companies to create a baseline of risk management; however, to optimise the benefit of risk management to a board, the last 10 years tell us that there are a number of best practice factors that boards should look to establish within their risk management to ensure that it becomes a proactive management tool.
These include:
1 A formal risk tolerance is calculated
Unless a company considers the financial ability and willingness to pay for deviations from expected expenditure as a result of risk related events, it is difficult for senior management to understand the point at which a risk becomes material to the organisation. Understanding the risk tolerance level enables the organisation to make informed decisions as to whether there is any particular need to initiate a risk mitigating action, change an approach to a business issue or re-allocate capital, resource or investment. This should occur at group, divisional and indeed, individual risk level.
2 Scope of risk register is group wide
Risk registers have a tendency to be heavily operational in content and coverage. For a risk register to effectively capture the entire risk footprint of the organisation, risks relating to joint venture participation, key contracts, key customers, key suppliers and subcontractors should all be featured to ensure that the picture is complete for the board in understanding where the challenges lie across the business.
3 Top risks quantified
An increasing trend is to see companies using actuarial modelling to place a financial figure on a risk should it occur, across a varying degree of severity. Being equipped with a tangible value for impact allows not only a more accurate understanding of how to manage the risk (capital allocation, risk financing strategy and reserving), but also better communication of the risk to other areas of the company, because it can be presented in tangible terms.
4 Responsibilities and action plans assigned to top risks
A common stumbling block for organisations is that once the initial work of creating the risk register is done, it becomes a dormant document. By systematically allocating responsibility for each risk and, with that, confirming an agreed mitigation response along a timeframe, the board can receive appropriate updates on how the risk is being managed on an ongoing, proactive basis.
5 Risk management framework tailored/embedded and communicated
To ensure that the risk register becomes an effective management tool with the ability to capture emerging as well as existing risks, it is essential that risk reporting policies, procedures, formats and communication channels are formally established. The key to success is that the framework is moulded around the existing organisational structure. There has been a trend of organisations paying substantial sums for off-the-shelf risk management frameworks which, without tailoring, end up being a bolt-on to the organisation rather than an embedded process. By setting effective communication channels and processes, along with appointing risk champions throughout the organisation, the risk management framework can be effectively positioned.
Another aspect is the consideration of using Risk Management Information Software (RMIS). While RMIS can be an efficient tool to provide uniformity of approach to risk management across an organisation, it should not be viewed as either the risk management framework itself or the panacea for risk management within the company. RMIS is a support tool, and unless the groundwork of establishing a risk management framework has already been done – so that the task the tool is meant to support has been clearly identified – there is always the risk that RMIS will be an under-utilised, misunderstood and limited resource for the company.
6 Use of key risk indicators
Just as key performance indicators (KPIs) are an everyday method of monitoring the success of the company against set objectives, key risk indicators (KRIs) are a highly effective method of providing ongoing monitoring of both the status of a particular risk and the success of the chosen mitigation strategy. By establishing KRIs, the organisation is empowered to measure only what is important to it, measure only those factors that affect the risk, and allow appropriate focus on divisional/subsidiary needs. Through KRIs the board can be assured not only that risks are monitored on an ongoing basis, but also that risks are communicated upwards within the organisation in a controlled way.
7 Risk management policy statement
A simple but under-utilised way to demonstrate that the organisation places risk management at the heart of the business is to create a formal risk management statement which describes the positioning, approach and application of the company’s risk management. This is then used to communicate the existence and expectations of risk management to staff, investors, clients and indeed subcontractors. This is of increasing importance, as stakeholders are using the existence of risk management as one test of the presence of effective business management.
Using these indicators of best practice, a company’s risk management can be placed on a risk management maturity curve; the further along the curve a company is positioned, the more added value it can expect from its risk management.
However, the watershed at which risk management can truly be seen as a business decision-making tool, and is genuinely business-enabling, is reached by those organisations that go on to apply their risk management to all aspects of their business. Examples of this are:
1 Strategic objectives
When a chief executive officer or chairman publicly states the strategic objectives for the firm over an annual, three-year or five-year plan, it is against these objectives that the success of the company will be measured. However, while companies will have a risk register for the ongoing day-to-day aspects of the company, those organisations which actually risk profile the individual strategic objectives are the ones that can demonstrate confidence and robustness in achieving these objectives, as well as having a clear understanding of the factors which must be addressed in order to be successful.
2 Joint ventures
Organisations are seeing the substantial benefit of risk profiling:
a) The choice of joint venture partner
b) The performance of the joint venture partner
c) The risks to the success of the joint venture, where both parties come together to understand the unique risk footprint of the joint venture
For private finance initiatives (PFIs), risk profiling is used to shape the contract. In these instances, the consortium will first create a risk register for the PFI and then, working with the legal team, establish which of the risks identified they are willing to take on and which they are looking to transfer within the contract. Further to this, it also allows for effective apportionment of risk between all parties to the PFI.
3 Subcontractors
Increasingly, the proximate cause of many risks, crises and/or financial impacts has been the acts of the contractors used. However, it is the appointing company’s reputation which tends to suffer, not the subcontractor’s. With this in mind, companies are increasingly:
a) Risk profiling the choice of subcontractor
b) Requesting the subcontractor to demonstrate how they carry out risk management and scoring this against best practice
c) Insisting that the subcontractor follows the risk management framework of the appointing company – often applied through initial risk management training workshops to establish the expectation of the appointing company in terms of risk management and to raise the awareness of the subcontractor to risk management
4 Key customer/clients
Where there is a substantial contract or key customer, the relationship is often crucial to both parties, not just the service/product provider. With this in mind, and to strengthen the relationship while also establishing clear expectations on both sides, companies are now using risk identification and assessment workshops run jointly with the key customer/client. Both parties can thereby understand what the risks are to their mutually beneficial relationship, and understand how the service/product provider manages these risks. The outcome is greater confidence, understanding and strengthening of the relationship.
Above are only a few examples of how risk management can equip boards with quality management information to empower them to make decisions more effectively. The key point is that risk management can be used in any business decision, from changing the location of a warehouse or choosing a new supplier, to even choosing a new board member.
Used in this way, risk management moves substantially from what has traditionally been a compliance ‘tick box’ requirement to a default management tool. It is only now that some organisations are realising the potential of optimising the benefit of their existing risk management processes and, in so doing, maximising the return on their risk management investment to date and, in many cases, even gaining competitive advantage.
Stephen Roberts is leader of Marsh’s Strategic Risk Practice