Wednesday, January 15, 2003

Risk Management

There are those in the world who would have you believe you can live your life, and operate your business, without risk. Palpable nonsense in my opinion; risk is an implicit part of life. The issue is how we handle it.

I present below a high level overview of the key components to an effective risk management system.

I will begin with a couple of simple definitions:

 Profit is the reward for risk.

 Risk is an event/occurrence that hinders the achievement of the business objectives.

Companies exist to make profits, and as such will always be exposed to risk.

Companies are exposed each day to many changes (organisational, commercial, political, technological, etc.). The speed of those changes is reducing reaction time, and increasing the types and complexity of risks. Within such an environment risk assessment is essential for an effective and efficient management process. Risk assessment helps management to focus on the issues that really matter.

The Risk Assessment

Risk assessments should be primarily a management exercise. Because a company constantly faces changing risks, management must take a proactive approach to assessing those risks, as well as developing an effective and efficient process to reduce them to an acceptable level. This proactive approach should address the following areas:

 Determine the risk appetite of the company - This is the responsibility of the Board, who must set the risk parameters (high, medium or low) that they are prepared for the company to operate within.

 Clear risk identification - Managers should analyse the company’s external environment, and internal processes, in order to ensure that all potential business risks and their sources are identified. The question management should be constantly asking itself is “what could go wrong?”.

 Risk assessment - Management should categorise risks on the basis of their significance (magnitude of the loss or missed opportunity), and the probability of occurrence (eg likelihood of the risk event occurring say within the next two years). When making the assessment management should take into account factors such as the size/value of transaction streams, and the financial impact on the organisation of the risk.

 Definition of critical areas - Critical areas are those areas which are of major importance for the specific business, eg sales, R&D, production, coupled with the outcome of the risk assessment. For example, a high-magnitude risk in the sales department, coupled with a high probability of occurrence, would mean that the sales area is deemed a critical area. Having identified the critical areas, management now has a risk map of its organisation.

 Control of the (critical) areas - Management should review the adequacy of controls by means of a self assessment control checklist. Controls, eg hedging of foreign currency transactions, are the means by which the organisation achieves its objectives. Where control gaps are identified, the necessary steps (corrective actions) should be taken to implement compensating controls that reduce the residual risks to acceptable levels. Care should be taken when implementing compensating controls, as excess controls waste scarce resources. However, it may be the case that controls will not mitigate the risk to an acceptable level; in which case alternative measures such as insurance, outsourcing or closing the activity should be considered.

 Continuous self assessment of the process - Management should review the entire process on a regular basis, to make sure that the model applied to identify risks and the business controls in place are adequate. Where necessary, management should take corrective actions in order to guarantee the quality of the entire process.
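The assessment steps above (Board appetite, identification, scoring by magnitude and probability, critical areas, compensating controls and residual risk) as an added worked example; this is not code from the original post, and the three-point scale, the appetite-squared threshold and the sample register are constructed assumptions.

```python
from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3}  # three-point scale (constructed assumption)

@dataclass
class Risk:
    area: str          # business area, eg sales, R&D, production
    event: str         # the answer to "what could go wrong?"
    magnitude: str     # size of the loss or missed opportunity
    probability: str   # likelihood within the horizon, eg the next two years
    controls: list = field(default_factory=list)  # (control name, score reduction)

    def inherent(self) -> int:
        # Gross risk before any controls: magnitude x probability, range 1..9
        return SCALE[self.magnitude] * SCALE[self.probability]

    def residual(self) -> int:
        # Risk left after compensating controls; a control cannot take it below 1
        return max(1, self.inherent() - sum(cut for _, cut in self.controls))

def appetite_limit(appetite: str) -> int:
    # Board-set appetite on the same scale: highest score the company will operate within
    # (assumption: rating squared, so medium -> 4)
    return SCALE[appetite] ** 2

def risk_map(risks, appetite="medium"):
    # Per-area map: an area is critical when any inherent score exceeds the appetite;
    # for critical areas the residual score decides whether controls are enough.
    limit = appetite_limit(appetite)
    areas = {}
    for r in risks:
        a = areas.setdefault(r.area, {"critical": False, "inherent": 0, "residual": 0,
                                      "over_controlled": [], "action": "accept"})
        a["inherent"] = max(a["inherent"], r.inherent())
        a["residual"] = max(a["residual"], r.residual())
        if r.inherent() > limit:
            a["critical"] = True
        elif r.controls:  # within appetite before controls: excess controls waste resources
            a["over_controlled"].append(r.event)
        if a["critical"] and a["residual"] > limit:
            a["action"] = "consider insurance, outsourcing or closing the activity"
    return areas

# Constructed sample risk register (not real data)
REGISTER = [
    Risk("sales", "largest customer defaults", "high", "high", [("credit insurance", 3)]),
    Risk("sales", "FX loss on export receipts", "medium", "high", [("hedging of FX", 3)]),
    Risk("R&D", "prototype slips a quarter", "medium", "medium"),
    Risk("production", "line outage", "high", "low", [("spare parts stock", 2)]),
]
```

Calling `risk_map(REGISTER)` flags sales as critical with residual 6 still above a medium appetite, so controls alone are not enough there, while production shows a control applied to a risk that was already within appetite.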

The Role of Internal Audit

I am a great believer in the maxim “what gets measured gets done”. Internal audit has a vital role to play in reviewing, and giving an opinion on, the effectiveness of the risk management process. Specifically, it should:

 Verify if a business risk assessment process is in place and up to date

 Verify the quality of the business risk assessment process in place

 Verify the quality of business controls and control self assessment

 Stimulate corrective actions

 Track the trend of improvement and deterioration

Risk management is not a one-off exercise, but part of an ongoing process. As circumstances change, so do the risks faced by organisations; it is essential that management keep their risk map “up to speed”.
