Barriers to effective risk management


By Hillary Magede

Failure to completely identify and effectively mitigate the challenges of implementing risk management contributed significantly to the latest global economic disaster and continues to contribute to corporate losses and failures, resulting in some doubts being raised regarding the effectiveness and value of risk management. Those organizations that have been properly managing risk as part of the day job have frequently managed to overcome these barriers, emerging with success stories to tell.

One of the more frequently encountered barriers to effective implementation of risk management is inertia, which manifests through personnel not wanting to adopt new procedures. This is characterized by difficulty in changing mind-sets and by obstinacy. Resistance to process change initiatives or culture may result from various causes, including job security fears (self concern), individual objectives or goals driven by greed (self interest), arrogance and pride, insufficient regulation in the industry or economy, and inadequate will and initiative at executive level (national and organizational).

Inertia, which can also promote corruption, also arises where risk management is viewed simply as a hindrance getting in the way of progress or individual goals, stopping deals and preventing bonuses from being earned. During difficult periods in a business cycle, or during periods of boom, risk management is often relegated to the background.

Combating inertia begins with culture change, and the message that comes down from the top/board is crucial in establishing the attitude that will filter to the other organizational levels. Risk management should be viewed as informed decision making (and informed risk taking) rather than a negative exercise feeding problems at the expense of opportunities. Clear communication of top management buy-in and support is critical if the process is to hurdle this obstacle. Legislation (including the threat of litigation), corporate governance responsibilities and a culture of accountability are also factors that can combat inertia. Individuals aware that their jobs are at risk, and those whose investment or financial interest is at risk, will have an interest in managing risk appropriately. FAIS legislation, SAM and the King Code, for example, compel responsible individuals to ensure steps are taken to manage risk.

"Managing the risk of talking about risk" is another culture-related obstacle to an effective risk management process. This happens in the private sector, the public sector and indeed at government/national level. In some organisations there exists the often misplaced belief that senior management do not want to hear any bad news, with any attempt to identify risk being treated as overly pessimistic. This is normally a challenge at the middle level, which does not want to be the bearer of bad news. Individuals will highlight only the benefits and downplay the downside risk to secure a seat on a project team by sounding more enthusiastic and positive. Whilst this helps focus on the positive side of risk (opportunity), it defeats the purpose of risk management, i.e. informed decision making.

Where there are various projects competing for limited funding, one may seek to conceal the negative risks to one's project for fear of losing out on the funding. This approach is however one that's genuinely career limiting, in that significant risks will begin to surface well into the middle of the project. It should again be emphasized that risk management is NOT there to stop or delay projects but to ensure that we go into the project or investment fully informed. Total disregard for risk reduces business decisions to gambling or speculation, and the significance of the goal or project does not diminish the need for proper risk analysis. Would one drive the Gautrain (the high speed passenger train in South Africa) at 160km per hour without knowing whether the brakes work or the line is clear? The answer for big business with big goals is structured and formalized risk management with comprehensive risk assessment and mitigation strategies.

Effective communication skills and the ability to provide or suggest effective mitigation solutions should suffice; should that fail, then good old integrity and putting organizational and national interests first should. In the words of Brian Tracy, 'The glue that holds all relationships together -- including the relationship between the leader and the led -- is trust, and trust is based on integrity.' Integrity, commitment to the cause and good faith in organizational/national discussions are more likely to secure a job than being driven by fear and self concern. The leader is likely to appreciate the led more if they are of real value.

The prohibitively high cost of risk management, or its huge funding/resource requirements, is also a regularly encountered obstacle when it comes to risk management. Some companies do not regard spending on risk management as something positive, although they do recognise that it's something they need to invest in. A big challenge for the ERM process is to ensure the appropriate balance and to focus on those risks that are rated within a band where risk mitigation procedures are necessary. Some residual risks outside this band (e.g. low risk but high cost to control/mitigate) can be carried by the organisation.

Hence a risk vs. value-of-action matrix should be a standard tool. ERM programs naturally entail enhanced risk assessment processes, risk and business integration, and governance concerns. These activities may necessitate investment in new resources, technologies, policies and process enhancements. Risk managers or risk advocates often struggle to demonstrate sufficient Enterprise Risk Management value to justify implementation costs when it comes to appraising investment decisions, and on occasion that helps management shoot down investment requests on account of high cost.

Traditional investment decision tools including can be employed in establishing Enterprise Risk Management value, risks and costs and these may also be augmented by other less tangible qualitative factors such as improved risk transparency and awareness, improved safety, improved health, improved risk management coordination and accountability, and the elimination of siloed risk management activities.

Clear monetary values can be attached to savings such as risk infrastructure and process consolidation, reduction in compliance fines and penalties, reduced risk transfer costs and reduced regulatory capital requirements. Likely equity premium driven by positive public perception, an improved credit rating or risk score, and the integration of risk results with operations may be used in arguing the case for shareholder value added. Alternative options can also be assessed and combinations of risk mitigation solutions can be used.

Ignorance and a general lack of appreciation of risk management principles, practice and expectations within organizations, regulatory bodies and governments can be the difference between success and failure in effective risk management or in enforcing it. The complex nature of business today, be it the commercial or the industrial sector, requires well formalized risk management rather than ad hoc exercises in avoiding risks or exploiting opportunities. This can be even more significant in African and developing economies, where imported concepts and principles have not been properly applied to context in unique or unstable/highly dynamic socio-economic and political environments. There hasn't been enough skill to interpret such imported concepts and adapt them to local context. This has been worsened by a lack of full appreciation in legislative authorities and government, to the extent that supportive legislation is NOT fully in place.

The solution here includes training, both internal and outsourced. Reference and consultative resources (standards, frameworks, guides, tools, and codes) are also available from regulatory bodies including government agencies, risk management specialists, and bodies such as the Institute of Risk Management (UK), the Institute of Risk Management South Africa, the Institute of Internal Auditors, COSO, the Australian/New Zealand Standard AS/NZS 4360, etc. Imported concepts must be adapted to context and environment as well, e.g. Solvency Assessment and Management in South Africa.

Organizations can easily overemphasize the compliance objective rather than commitment to enterprise-wide risk management driven by organizational goals. This is more frequently symptomatic in organizations where risk management is championed by the compliance function, motivated by the need to meet regulatory imperatives. Following years of invention of various risk management standards and frameworks, the advent and enhancement of regulatory initiatives, and enhanced debate about risk management, this should be the era of exceptional application. Simply meeting regulatory and legislative requirements with risk management is not good enough.

Insurance and regulatory requirements such as SAM/SOLVENCY/BASEL give assurance that should something unexpected occur, there is a funding resource to fall back on. The test for risk management is in the application, with risk management being carried out as part of the day job and business decisions. It may not be as reassuring as expected for Gautrain passengers to be informed that Gautrain has got passenger liability cover and, should they be involved in an accident, their dependents will receive millions of rand in compensation. Passengers would rather hear that the train is fully serviced and maintained, has been checked and tested prior to the trip, that the line is safe with the traffic control system fully operational, and that they will get to their destination on time and in one piece.

Compliance requirements as defined by most codes, laws and regulations are by their nature broad-based and usually define the minimum expectation. Risk management, on the other hand, should commit to maximum exploitation of opportunity while minimizing threats, obviously within acceptable value-at-risk vs. cost-of-control assessments, and the message from the top must be clear in this regard.

A successful risk management program must have the capacity to direct focus beyond compliance and ensure effective and efficient operation of the organization and effective internal controls. Effective implementation of risk management beyond compliance improves company value both in reality and in perception. The real side is that evaluating and controlling risks will ensure that areas where the organization could afford to be less risk averse are highlighted and opportunities exploited.

One of the commonly encountered challenges in business is the existence of silos bordering on "turf wars". Risk management can encounter serious threats to its success or effectiveness where organizations fail to coordinate the various independent functions, e.g. security, business continuity, safety, health, environment, compliance and legal, and risk finance; in extreme situations internal audit may assume roles that are in conflict with the requirement for objectivity and independence in assurance. In this scenario there can be rigid silos where specialist units isolate themselves, or regular toe-stepping with unclear responsibilities. Such silos may extend to other operational functions, resulting in a totally fragmented approach to risk management.

It is critical to break down the silos and encourage a more collaborative culture within the organization. There is also a need to establish an enterprise risk structure and provoke the whole organisation to identify, communicate and proactively manage risk, regardless of position or perspective, with a common approach that includes a consistent policy and process. Existing working functions still retain their localised risk management perspectives, as these reflect the focus of operational or functional risk management.

Risk management responsibility and ownership should be allocated with specific objectives for each function and across functional areas and organizational levels. An effective Enterprise Wide Risk Management initiative should encourage good functional practices to continue, provided they are in line with enterprise policy and process. Responsibility for driving the process can be entrusted to a team comprising functional heads, thus bringing them together to discuss and share inter-functional risk information as a starting point for aligning individual and business goals.

Whilst it is not a common occurrence for Internal Audit to exceed its mandate with respect to risk management, this does occur in both private and public sector entities. Standards and guidance from such bodies as the Institute of Internal Auditors, the Institute of Risk Management and COSO clearly delineate the role of internal audit in risk management, for example the IIA's Position Paper on the role of internal auditing in EWRM. It is critical to ensure the risk management function does not get subsumed into the audit function. This was highlighted under COSO: "Internal auditors ... play an important role in monitoring ERM, but do NOT have a primary responsibility for its implementation or maintenance."

One of the key success factors in the risk management process is the accurate identification of risk. Failure to clearly define risk and to have common risk terminology across the organization throws the risk management process off track from the onset. The risk identification process fails as soon as risk is not distinguished from uncertainty or from its causes and effects. The choice of definition will affect the outcome of policy deliberations, the approach, and the allocation of resources towards mitigation. Often there is also confusion over other terms such as chance, loss, hazard and peril. The risk identification process can also be heavily influenced by perception, which can introduce high levels of subjectivity into the process. The risk management process in various organizations tends to ignore the upside of risk and becomes entirely negatively focused.

Risk should be distinguished from its causes and effects and, in terms of uncertainty, should correctly be recognized as "an uncertainty that, if it occurs, could affect one or more objectives". It's critical to observe that the effect on objectives can be either positive or negative. Goals may be totally achieved, partially achieved or not achieved at all. There must always be context to the risk identification process, and that context must be derived from objectives. In identifying "uncertainty that has an effect on objectives" (risk), one has to keep their eye on the objectives all the time, and many successful risk identification exercises commence by acknowledging the objectives. You can only identify the risks and opportunities in your journey if you are clear about the destination.

An effective and relevant risk register should clearly distinguish between risks and their causes and effects. It is critical to keep in mind that risks are uncertainties which, on occurrence, would affect achievement of objectives either negatively (threats) or positively (opportunities), whereas causes are definite (and certain) events, facts, circumstances or requirements which exist in the business or its environment. E.g. a lack of skilled personnel is a definite known fact within an insurance company which gives rise to the uncertainty (risk) that profit targets for the motor portfolio may not be met.

Effects, on the other hand, are unplanned deviations from goals which can be either positive or negative, e.g. a non-performing motor portfolio with loss ratios in excess of 100%, or a motor portfolio that surpasses targeted profit levels. Among the main goals of the Gautrain high speed train are the safety of passengers and timely arrival; however, inadequate training for high speed train drivers (cause) gives rise to the possibility of accidents or trains failing to arrive on schedule (risks), resulting in loss of lives, loss of property or loss of customers (effects).

A combination of organizational consensus, strong executive management and an appreciation of various program sensitivities is required to overcome barriers to EWRM implementation. The implementation should follow a concise path to transform the process and organization past traditional risk management (a defensive, risk-avoiding approach), through business risk management (focussing on managing risks within an organisational risk governance structure), and ultimately to ENTERPRISE RISK MANAGEMENT (risk exploited). The general challenge for organisations is finding the necessary commitment, initiative and motivation to take the next step towards ERM maturity after the initial process.
