Responding to risk: Strategies to manage threats and opportunities
INSIGHT ARTICLE |
In a competitive business environment, all organizations must implement processes to manage risk effectively in order to achieve business and strategic objectives. Your organization encounters business risks on a daily basis; assuming risk in the pursuit of profit is the essence of a business. However, many organizations do not fully understand the risks they have assumed and whether it is monitored, managed and aligned with their risk tolerance.
Historically, investments in structured risk management programs were driven by two primary risk factors: regulatory requirements and management priority. Although increasingly, risk management programs are now more necessary due to additional pressures such as protection of market value, expectations of counterparties and associated risks, and management’s need to demonstrate reasonable awareness and management of risks. Even if resources may be tight, your organization can experience significant benefits from dedicating more effort to risk management.
Dispersing the management and visibility of risks throughout your organization does not necessarily minimize the threat. In fact, it can make it harder for senior management to monitor and address emerging risks before they become significant events. Most organizations require greater visibility into risks, as value-destroying events can come from anywhere. These events have recently included:
- Cybersecurity events
- Foreign Corrupt Practices Act (FCPA) vulnerabilities
- Regulatory reporting obstacles
- Operational challenges
- Supply chain disruptions
- Finance challenges
Gaining a holistic view of risk helps your organization better understand and manage your unique risks. This perspective provides a more aggregated outlook on risk exposures in the enterprise, for example with concentrations by business line, product, customer segment, industry or geography. It allows your organization to consider all types of risk, including interactions between risks, as well as alternative, forward-looking scenarios.
Enterprise risk management (ERM) is a management discipline that focuses on managing risk holistically. Its popularity grew significantly after the numerous failures resulting from the financial crisis. The Institute of Internal auditors defines ERM as “a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.”
ERM holds several advantages compared to a traditional risk management framework. Instead of tactical, compliance-focused processes that are silo-based, look at risks individually and are supported by rules, ERM is strategic and performance focused, implementing a consistent risk management approach across the organization. It is a more actionable framework, providing a holistic view of key risks, considering risk interactions, developing a risk culture and helping to make business decisions based on a clear understanding of risks.
A practical approach to implementing ERM must start with the basics. Initially, you must understand what processes you already have, then use a framework to determine where you want your ERM program to go. This should consider several key questions, including:
- Why are you implementing an ERM program?
- What do you want to get out of this? Consider upside versus downside risk.
- How will your organization’s culture react to ERM adoption?
- Who in your organization (or outside) will be involved at each phase, and what are the necessary skill sets?
Finally, determine your time horizon. While ERM can help achieve near-term benefits, most frameworks have a long-term improvement focus, taking 18 months or longer before they take root.
Developing a risk culture
Development of a risk culture is imperative to developing an effective ERM program. It should support risk management with a tone at the top that references the importance of risk management, incorporates risk management into executive communications and exhibits desired risk management behaviors. A code of conduct is also a key element of your risk culture, as well as integrating risk management factors in incentive and performance evaluation plans, and defining roles and responsibilities consistent with the three lines of defense.
Determining your risk appetite
An effective ERM program relies on the establishment and communication of your organization’s risk appetite. Developing a defined risk appetite not only helps employees understand the specific risks your company is willing and not willing to take, but it helps ensure that management and the board have an opportunity to align their views on risk before an incident occurs and assumptions about the assumption of risk prove to be misaligned with reality. This process provides a means for ensuring that actual risk-taking is consistent with your company’s risk-taking capacity.
Identifying your risks
Your organization’s risk identification processes must begin with planning. The planning process should consider your business across its various layers of management, whether it’s lines of business, business processes, geography, etc. During this effort, you will also need to determine the risk types to be included in your ERM program (e.g., operational, legal, reputational).
Risks can be identified using various methods, such as interviews, surveys and facilitated workshops. Different levels within the organization may have different perspectives on risks. These views should include emerging risks and should equally consider the events that might bring negative consequences to your organization as well as those areas in which inaction may result in a failure to benefit the organization.
Performing a risk assessment
A risk assessment should begin by clarifying your risk objectives. As a part of this process, common definitions, including inherent versus residual risk, risk levels and the adequacy of controls, should be clearly communicated. For example, a risk with a high likelihood may result in losses on a daily basis, while a risk with high impact may result in significant harm to your company’s reputation.
Some best practices to follow in risk assessments include identifying risks against key business processes; coordinating assessments through interviews, surveys or facilitated workshops to ensure consistency; and using available information, such as key risk indicators (KRIs) to ensure objectivity. In addition, assessments of the adequacy of internal controls must also be objective, and oversight and use of information, such as the results of quality control reviews, are critical.
Enterprise risk assessments can prioritize risks across your company, identify top risks, highlight appropriate responses to risks, and where the adequacy of controls is too low for the level of risk, and drive risk-based monitoring processes. These results can then often be used to help influence the focus and resource allocation of other governance related functions within an organization, such as internal audit.
Responding to risk
Risk responses should be based on assessment of loss frequency and impact. Management actions should be specific to reducing likelihood or impact, depending on management’s agreed upon risk tolerance and the strategic needs of the business. The most common risk responses include: avoid (get out), accept or retain (monitor), reduce (institute controls) and transfer or share (partner with someone). In addition, a risk committee should develop and monitor action plans with assigned owners.
Risk monitoring should follow risk assessments, with higher risks monitored more frequently and more in depth. Key risk indicators (KRIs) are critical to early risk identification, and as a result, fewer surprises. KRIs should be forward-looking, rather than key performance indicators (KPIs), which are primarily backward-looking.
Risk reporting should also follow from risk assessments, with higher risks reported more comprehensively. The emphasis of risk reporting should be on highlighting key risks and recommendations for, and status of, management action. Excessive detail should be avoided, particularly for board reporting, and reports should include early indicators and emerging risks. Best practices for risk reporting include the development of ERM dashboards that provide a holistic view of risk and a thoughtful analysis.
Integrating ERM into decision making
To be truly effective, risk management must be integrated into day-to-day business line activities and corporate decisions. Risk managers should be involved at the onset of strategy-setting processes, and risks associated with new products should be considered and communicated to the board. Analysis of emerging risks and stress tests should influence business decisions and risk information should be shared across the company to avoid the same event recurring.
There is no approach for risk management that is completely effective for every company, but several best practices can be leveraged and customized for your organization. Setting an effective tone at the top establishes an effective risk management foundation, and your organization must learn to crawl before running, building upon the tools and processes already in place. Focus on simplicity at the outset and integrate a risk-focused culture to help satisfy the evolving risk information demands from the board and regulators, while also capitalizing on opportunities and mitigating threats.