By CPA Daniel Githinji
Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organization or it may simply be embedded in the activities of the organization. An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the ‘upside of risk’.
Risk Strategy is an integrated business process that incorporates all of the Risk Management processes, activities,
methodologies and policies adopted and carried out in an organization. The strategy sets the parameters for the entire Risk Management and is usually released by the executive management of an organization. Organizations ought to develop a risk strategy that is supported by top and executive management, agile to respond to threats, flexible to adapt to business change, and inherent in the organization’s day-to-day activities. Employees ought to be cognizant of the risk appetite and tolerance of the organization and understand the relevant risks as part of their actions. They also need to understand the potential up and downstream implications as part of the product or service value chain. Escalation mechanisms are transparent and efficient without fear of reprisal. Risk strategies need to align with the remuneration
program of the organization to reinforce desired behaviors.
The importance of a risk strategy is not only to respond to changing economic and political conditions, but for an organization to grow with confidence and with greater speed. Risk strategy enhances mature risk management practices that are holistic and efficient, working across the business, to support functions. Such practices align with corporate strategies and objectives, corporate governance, employee education and communication, performance management, and provide dynamic updating and reporting to the Board, regulators, executives, and other stakeholders.
Managing risk in this manner assures that resources are optimized and provide the insight to adapt to any change, whether it’s political, economic, or business related.
The importance of a risk strategy is not only to respond to changing economic and political conditions, but for an organization to grow with confidence and with greater speed. Risk strategy enhances mature risk management practices that are holistic and efficient, working across the business, to support functions.
Risks can be easily understood across the organization and actions can be aligned to assure that harmful risks are thwarted and opportunistic risks can be taken advantage of. However, there are a few ways that organization may fail to achieve a mature risk culture such as;
• Lack of relevancy of risk management- Risk taking and risk avoidance needs to be an unambiguous part of the business and business decision making. Risk management must not only analyze the past, understand business stressors, but also try and be predictive.
• Risk management is not a “one and done” exercise. Risk is ever changing and businesses are being disruptive like never before. Technology advances, non-traditional competitors, and threats, like cyber, occur much more frequently than they have in the past. As a result, the days of having a relevant annual risk assessment have passed. Risk, whether implicit or explicit, must be part of the daily conversation of the business.
• Immature risk management organizations struggle with defining risk in qualitative terms. This creates confusion and inconsistencies in messaging leading to a suboptimal management and control environment and inefficient capital expenditures. For example, does each business and function define a “high” or “critical” risk the same? A common categorization is essential for consistently articulating the organization’s risk profile. Moreover, it allows for the disaggregation of risk to its parts. GRC software can be instrumental in facilitating this. This will set the impetus for detailing where risk activities are deficient or where more risk may be able to be taken. Defining risk in this manner aligns better with the organizational processes of how products and services move from one area to another.
Key ingredients of developing a risk strategy, include: dynamic and holistic reporting; sustainable risk practices; ties to performance management and employee conduct; explicit links to the strategies and business objectives; awareness and action to identify, assess, manage, and communicate risk concerns (or opportunities); compliance with applicable laws and regulations; and enabling technology, software (e.g. GRC software) and tools to operationalize risk management.
The importance of a risk strategy is not only to respond to changing economic and political conditions, but for an organization to grow with confidence and with greater speed. Risk strategy enhances mature risk management practices that are holistic and efficient, working across the business, to support functions.
There are a few challenges in creating a mature strategy and ensuring that it is implemented. The first challenge is people, – disconnect between the conduct and incentives employees have to take risk, with that of avoiding unwanted risk. Employees must take the time to assure that risks are prioritized and actioned in an efficient and effective way. The second challenge is technology. Many organizations have latent systems and software that don’t always create the transparent data necessary to make informed risk based decisions. Having an integrated risk technology and software that can identify sources of risk and pull it together is critical to assuring that risks aren’t missed or evaluated inappropriately. Another challenge is not having a common categorization for
risk management. Some functions may value and treat risks differently than in other parts of the company. This leads to confusion, incorrect reporting, and no real value driver of risk management actions. Organizations can overcome these challenges by being practical and pragmatic. For people, having a clear tone from the top on what is expected to understand and manage risk is tantamount for setting a strong foundation. Creating and sustaining ongoing training for employees is also crucial for appropriate risk management behavior. This includes an understanding of relevant, key risks and their interrelationships within the business for each role. Additionally, the common language that is created by this process becomes invaluable as risks are communicated to the board, executive leadership, and external stakeholders like regulators. This requires an understanding from the business perspective of who is asking for risk information, why, and the value of spending time on risk management instead of value add business activities. The second line must coordinate with one another to share what is needed, how it is collected, how it is used, and for what purpose. This begets commonalities in the process and output leading to efficient use of organizational resources.
Changes in business are constant. This necessitates that risk management practices are fluid and not a once-a-year set of activities. For example, risk events, such as cyber-attacks or fraud attempts, can occur multiple times a day. This erases any feasibility on the efficacy of an annual risk assessment. To remain fluid, risk management must be part of the everyday activities and thinking of every employee. Collaborating and getting educational and communication cues from support functions like IT, enterprise or operational risk, compliance, vendor management, and internal audit ensure that risks are identified, understood, and appropriately addressed. This necessitates that there is an understanding of the business and what it’s trying to achieve and that risk and risk management activities are properly communicated to the business. This symbiotic relationship of sharing information assures that risks are prioritized and addressed in a timely fashion.
1 Comment
“Changes in business are constant. This necessitates that risk management practices are fluid” True statement, exemplified by the current pandemic of COVID 19, business dynamics have evolved dramatically!