By Kellen Kiambati
Businesses face risks every day. How successful they are in managing those risks is all too apparent when major business failures unfold: failure is often the result of poor risk management practices. Risk Management is a term used to describe the processes which aim to assist organisations understand, evaluate and take action on their risks with a view to increasing the probability of their success and reducing the likelihood of failure. Effective risk management gives comfort to shareholders, customers, employees and society at large that a business is being effectively managed and helps the company or organisation confirm its compliance with corporate governance requirements. Risk management is relevant to all organisations large or small. Effective risk management practices support accountability, performance measurement, and reward and can enable efficiency at all levels through the organisation. Risk management requires a detailed knowledge and understanding of the organisation and the processes involved in the business. The Components of Risk Management (RM) are as follows:-
- Risk Capacity – the maximum amount of risk that can be supported by a company, expressed as a sum of money. Determined by available capital, earnings strength/stability
- Risk Appetite – Amount of risk that management are willing to take, given risk capacity, strategic business objectives and culture. Risk Appetite serves as an overall guide to resource and capital allocation. The amount of risk that an organisation is willing to seek or accept in the pursuit of its long term objectives.
In contrast to Risk Tolerance, Risk Appetite is about what the organisation does want to do and how it goes about it. So, it is the board’s responsibility to define risk appetite. Risk tolerance is the boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives. Risk tolerance can be expressed in terms of absolutes, e.g., “we cannot expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customers“. Risk limits – allocation of appetite (in metrics relevant to a specific risk) to business units and functions. It reflects expected returns and risks.
Risks and corporate governance
Effective strategic risk management is built around a clear understanding of how much risk your business is prepared to take to deliver its objectives, and a timely and reliable evaluation of how much risk it is actually taking. Types of Corporate risks include strategic e.g., a new competitor into the market, compliance/ hazard risks e.g., introduction of a new legislation, financial e.g., increased interest charges on a business loan or non-payment by a customer and operational e.g., loss / theft of key equipment. Financial risks are typically well controlled and are part of the routine focus of board risk discussions, with strong impetus coming from the increased regulatory, accounting and financial audit focus. As financial information is a key element of stakeholder communications, performance measurement and strategic delivery, board risk discussions will devote considerable time to these risks. Operational risks are typically managed from within the business and often focus on health and safety issues where industry regulations and standards require. These internally driven risks may affect your organisation’s ability to deliver on its strategic objectives. Hazard risks often stem from major exogenous factors, which affect the environment in which the organisation operates. A focus on the use of insurance and appropriate contingency planning will help address some of these. However, there is often a danger that as many of these risks cannot be controlled, boards and senior management will not reflect these in their strategic thinking. Confining strategic management to controllable factors will leave your business at risk of failing to address these factors. Strategic risks are typically external or affect the most senior management decisions. As such, they are often missed from many risk registers. The board has a responsibility to make sure all these types of risks are included in their key strategic discussions.
Risk management frameworks
Frameworks for risk analysis first start with analyzing the sources of risks which include: climate change, customer needs / wants, economy, financial markets, competitor, natural hazard / catastrophe, public relations, regulatory / legal, shareholder expectations and technological innovation. Many executives are worried that the risk frameworks and processes that are currently in place in their organisations are no longer giving them the level of protection they need. Boards are seeing rapid increases both in the speed with which risk events take place and the contagion with which they spread across different categories of risk. They are especially concerned about the escalating impact of ‘catastrophic’ risks, which can threaten an organisation’s very existence and even undermine entire industries. Boards feel they are spending too much time and money on running their current risk management processes, rather than moving quickly and flexibly to identify and tackle new risks.
The risk management process involves:
- Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context.
- Identifying Risks: This includes the documentation of the material threats to the organization’s achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
- Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
- Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the
results in terms of impact on the organization’s key performance metrics.
- Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
- Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
- Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.
Management selects a risk response strategy for specific risks identified and analyzed, which may include:
- Avoidance: exiting the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk.
- Alternative Actions: deciding and considering other feasible steps to minimize risks.
- Share or Insure: transferring or sharing a portion of the risk, to finance it.
- Accept: no action is taken, due to a cost/benefit decision.
Risk Assessment, Audit and Management
There are two elements of a risks: the Consequence (also called impact) when a risk occurs and the Likelihood (also called probability) of the risk occurring Operational Risk Management (ORM) i.e. the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events must be addressed because it has benefits such as:- reduction of operational loss, lower compliance/auditing costs, early detection of unlawful activities and reduced exposure to future risks. There are principles that should be followed which include value creation, making the approach integral part of organizational processes, being part of decision making, explicitly addressing uncertainty, being systematic and structured, transparent and inclusive, dynamic and responsive capable of continual improvement and enhancement.