The term ‘enterprise risk management’ is often accompanied by groans and cynicism about management-speak, with specific reactions determined by whether it is being viewed from a strategic or operational perspective.
Strategic risk management can conjure up images of the board of directors having a fun away day under the guise of clearing their minds from operational duties to be able to challenge and question the strategic direction of the company and assess the associated risks to it. There is a perception that the management of strategic risk is a fairly vague and sporadic activity, without much science behind it.
Strategic risk management – a serious business
In reality, the requirements for strategic risk management have been around for a long time. Risk management features strongly in the Companies Act 2006, which has been accepted globally as the gold standard for corporate governance. It would be difficult to align with the Companies Act 2006 if risk management is not evidenced within the company’s corporate documentation or practices.
This is reinforced by other laws. For example, the Financial Services and Markets Act 2000 and the Financial Reporting Council’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (2014) effectively make risk management a legal obligation for directors of a listed company.
Overall, without effective strategic risk management, it is difficult to have a coherent strategy and direction for the company as a whole, because business decisions may be less reliable or trustworthy.
Identifying and assessing risk
While the strategic aspect of risk management may appear less constrained and perhaps a little less structured than the operational side, this is rarely the case. Effective strategic risk management means that decisions can be made based on credible information and demonstrates that the impacts of the decision have been diligently considered as being in the best interests of the business.
Operating an effective strategic risk management function also allows the board to consider external risk factors: to identify whether the direction of the wider market is changing, whether the business environment is changing, and whether there are gaps in the market that it should take steps to capitalise on.
Even if the formal stages are not written down or defined, risks are still identified, assessed and reviewed so their impact on the company can be considered, and a conscious decision to act, or an agreement to ignore, can be made proactively.
‘Know your customer’
Strategic risk management also requires companies to understand how they are affected by generic global policies and procedures, such as those around bribery and corruption. ‘Know Your Customer’ guidelines, for example, are becoming increasingly important around the world to prevent identity theft, financial fraud, money laundering and terrorist financing.
In other words, customers and suppliers need to be desirable from a compliance point of view. This becomes ever more critical in the increasingly integrated business environment, which is resulting in organisations being impacted by third-party risks over which they have little direct control.
Operational risk management takes a business process approach
On the other hand, operational enterprise risk management can evoke a constrictive and formulaic image. Operational risk management often sits alongside internal audit within the organisation structure and takes a business process orientated approach.
By seeking to look at the internal business processes and highlight potential areas of risk, the logical focus is on having a repeatable and consistent process to identify, assess and control potential sources of risk. The sense of rigour that comes from adopting such a structure of risk identification provides the context for co-locating with internal audit teams as the skillsets complement each other.
Co-locating in this way is likely to benefit operational risk management, because internal audit should be relying on the defined risks to provide the context for developing the internal controls that manage them.
Consumers and shareholders demand transparency
As the requirement for greater transparency increases from consumers and shareholders alike, there is more of an interest in operational risk management. More of the stories in both traditional and social media focus on failings of organisations’ risk management and controlling procedures.
We do not need to look far to find scandals in the business world, most of which can be attributed to non-existent, weak or fragmented enterprise risk management processes.
The high-profile Volkswagen case is a good illustration of where internal control weaknesses allowed individuals or teams to manipulate the results of emissions tests. There are a number of control processes that operate to manage the quality of production and adherence to internal and external regulatory requirements.
Despite these control checks, the test results could still be manipulated. Somewhere along the line, either a control failed to operate or a previously unidentified opportunity to manipulate the results existed within the emissions tests themselves.
Ironically, the fact that this scenario was caught and brought to the attention of the public demonstrates that there are controls working to identify and manage risk. Once a risk incident occurs, the focus of public attention rapidly turns to the risk response and it is here that the organisation is judged.
Responding to risk management failures
Despite the media interest in breaking stories like this to the public, an organisation can retain significant public credibility if its response to the incident is rapid, coherent and perceived as having a genuine interest in resolving and learning from it. It is the response that shows that risk and incident management is taken seriously within that organisation.
Respond well to risk incidents, and the company can potentially turn a negative perception into a positive, thus increasing its perceived customer satisfaction and potential shareholder value. Respond badly and the instant nature of today’s social media can have a far-reaching and damaging effect upon the company’s position in the market.
Strategic and operational controls required to minimise risk
In conclusion, there is increasing public interest in potential scandals and corporate behaviour. This makes it more important than ever for organisations to ensure they have controls over their key business risks, whether strategic or operational. The ideal scenario is obviously to prevent risks from occurring in the first place by having appropriate and effective controls.
But even with a robust controls framework it is also important to plan for the worst, so that if risk incidents occur, the response ensures that the impacts are managed accordingly and therefore minimised.
Simon Persin, director, Turnkey Consulting