“Don’t judge each day by the harvest you reap but by the seeds that you plant.” – Robert Louis Stevenson
The last decade altered the risk profile of the world. Looked at through any lens – financial, technological, political, legal, reputational or physical – risks have increased for all organizations. The business rewards are higher for organizations that manage risks effectively.
The previous year’s Deloitte study on governance, risk and compliance showed that financial institutions with a highly developed risk management function had 23% better financial performance than their peers with skin-deep risk management functions. A strong risk and ethics culture facilitates more reliable reporting of financial and non-financial performance indicators, thereby improving management functioning and strategic risk management. It also improves staff engagement levels and enhances relationships with investors, regulators, customers and other external parties.
These results indicate that the effort of developing a risk management function is worthwhile. Hence, to realize these benefits, companies need to restructure the risk management function. I am sharing some ideas on the steps needed to do so.
1. Get the right team on board
Selecting key risk management personnel is the single most important factor in forming an effective risk management function. Risk managers must have technical expertise, business knowledge, soft skills, emotional intelligence, psychological strength and strong personal values. The reason is that risk managers are the charioteers of the organization. The CEO and management lead the organization into uncharted territories to win the battles in the markets; the risk managers ensure the safety of the senior management and the organization. Their role requires them to constantly face adversity and to be change agents, knowledge managers and principled role models. Hence, getting the right risk managers is crucial for the success of the organization.
Neglecting this aspect can cause heavy damage to the organization. Risk managers have access to sensitive information; without emotional intelligence and personal values, they can easily become deviant. Without the psychological strength to face adversity and a strong conscience, they may not report various risks to senior management, in order to save their own skin. Lastly, as risks are changing dramatically, without the technical expertise and knowledge they may lead the management astray.
2. Modify organization structure
At the global level, there is an ongoing debate on the organization structure of risk management functions. Companies are focusing on integrating governance, risk management and compliance (GRC) functions. As per the KPMG Convergence report, 50% of the respondent organizations were spending 5% of annual revenue on GRC. Interestingly, however, cost is not the driver for integration. As per the report – “44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent).” This indicates that the risk management organization structure has an impact on the financial performance of the organization.
The first step, as I have mentioned before, is to appoint a Chief Risk Officer (CRO) reporting to the CEO. However, this single step by itself will not give substantial benefits. The function needs to cover strategic, tactical, operational, financial, reputational, political, legal and other risks. It should have a specialized team of business ethics managers, fraud investigators, internal auditors, compliance officers, information security personnel, physical security managers etc. The reporting lines need to be clear, and control must not rest with business heads. In the case of global organizations, there should be matrix reporting to integrate with global initiatives.
3. Clean up the mess
Charles Darwin said – “It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change”. Since we base our identity on what we have done in the past, it is difficult to let go. Yet it is difficult to run fast with old baggage. Elephants don’t dance; hence, we need to bring flexibility into the risk management organization. The first thing to do after getting the team and structure in place is to get rid of redundant people, processes and technology.
This might sound harsh and ruthless; however, it is a necessity for making an agile organization. We need to stop spending organizational resources trying to inspire employees who avoid and inhibit change, or on processes and technology that are not giving adequate returns. Simply put, clean up the previous mess; otherwise it will keep resurfacing and the new team will continuously spend time fire-fighting old issues. Do this by identifying all the facts, halting ongoing violations and preventing their recurrence in the future.
4. Evaluate risk exposures
The dynamically changing internal and external risk landscape of organizations increases their risk exposures. Frequently, companies fail to identify emerging risks, as they have had no previous exposure to them. For example, quite a few companies still don’t have a social media risk management plan or policy within the organization. Senior management dabbles in social media, and without guidelines, significant reputation risks exist.
Recent events have shown that black swan incidents can trigger major disasters. However, organizations frequently calculate each risk exposure separately, rather than seeing the correlation between risks and assessing their collective impact.
Additionally, regulatory risks change due to the multitude of new reforms, policies and acts issued across countries. For example, the recently released UK Foreign Corrupt Practices Act affects all subsidiary companies working in other geographies. Hence, compliance and legal functions need to evaluate risk exposures on an ongoing basis.
Similarly, with new business strategies, strategic and operational risks change. Hence, before formulating a risk management strategy, it is important to identify the various risk exposures.
5. Assess various frameworks
While frameworks are not an end in themselves, they do provide the means to achieve a desired state of risk management. The various enterprise risk management frameworks (COSO:2004, ISO 31000, AN 4360:1999, OCEG Redbook 2.0 etc.) provide a good starting point for rebuilding the function. Depending on the industry, an organization can choose from a variety of frameworks (information security, data protection and banking) to model the risk management function.
Take care to customize the framework guidelines according to the organization’s requirements. Choose the best fit, or combine a couple of them to form one. Sometimes the mindset is that implementing a framework is only useful when certification is required to enhance business. However, this view is incorrect.
Risk managers can also use frameworks to benchmark the maturity level of the risk management function. Frameworks generally depict best practices and hence provide a good roadmap for improving the function.
6. Hire external consultants
Sometimes it is a good idea to hire external consultants, especially when revamping the function. The challenge of restructuring a risk management function is that there is a high level of wariness amongst stakeholders if things have gone wrong before. The old risk management team may be viewed skeptically, and the new risk managers don’t have the political and operational knowledge to be effective. They are also scared of presenting a not-so-rosy picture to senior management, as they haven’t had the time to develop strong relationships with them. This leaves all parties concerned attempting to wade through muddy waters.
External consultants, besides having excellent technical knowledge, are less involved in the politics of the organization. Hence, they are more independent and confident in presenting the bare facts. They are unlikely to face retaliation from business teams, as they are not part of the organization. Secondly, since they look at the scenario with fresh eyes, they see the bigger picture better. Hence, it benefits the organization to smooth the path of restructuring by seeking additional help and advice.
7. Develop risk management strategy
I have written previously on the criticality of forming a risk management strategy, and I reiterate its importance here. Risk management functions often take a bottom-up approach when presenting annual plans to senior management. For example, if the organization has a balanced scorecard performance appraisal system, the annual plan may be nothing more than a consolidation of balanced scorecards.
This approach doesn’t give a strategic advantage to the organization. The business strategy and the risk strategy run in parallel with a major disconnect between them.
Risk managers need to prepare an annual strategy along with a long-term strategy for 3-5 years. The risk strategy has to be aligned with and derived from the business strategy. Use strategy maps to monitor the performance of the strategy and revise it accordingly.
8. Leverage technology
Putting experienced boots on the ground without relevant technology doesn’t give incremental returns on investment. Investing in GRC software adds value to the function and the business. The Economist Intelligence Unit report “Too Big to Fail” states that 51% of the financial institutions participating in the survey increased investment in technology.
Secondly, it says – “Just 40% of respondents say that their firm is effective at collecting, standardizing and storing data. Insufficient data is also seen as one of the key barriers to effective risk management after regulatory uncertainty and poor communication between departments.” Hence, efficient and effective risk management requires timely and relevant information and analysis for effective decision-making. Without technology, risk managers provide outdated qualitative information to management, which results in reactive rather than proactive risk management. Business intelligence tools – SAP Business Objects, IBM Cognos, etc. – provide risk dashboards for business executives. As data is apolitical, the dashboards help in accurate decision-making.
Moreover, the focus now is on building a risk and ethics culture within the organization. Traditionally, formal classroom training programs were used. However, these have proved largely ineffective, as employees fail to apply the concepts after leaving the classroom and revert to old habits within a few weeks. Studies have shown that employees are more easily influenced when they participate in the process and have a continuous stream of information. Therefore, applying concepts of collective intelligence is beneficial. Organizations can have internal social networking sites, blogs and knowledge management systems. These allow employees to share knowledge and concerns and to take ownership of managing their own department’s risks.
9. Get business teams commitment
Sell, sell, and sell. Do as much internal selling as possible to get buy-in from the business teams. Get business executives talking about risk management through social networking sites, blogs, senior management messages, group discussions, step one meetings, etc. Create a common language across the organization.
Studies have shown that people respond more strongly to risks – “when the consequences of those risks are available to them, such as from memory, from imagination, and from mass media. For example, if they witness a news item about a house fire, they are more likely to avoid the kind of behavior that they believe started the fire.” Hence, the more information business executives have regarding various risks, the less prone they will be to taking unnecessary risks. Let them be the owners of transforming the risk culture within the organization. Risk managers just need to provide the guiding light.
10. Formulate an audit committee/risk committee
In India, 90% of the companies are unlisted or privately held companies. The corporate governance norms of listed public companies do not apply to them. Hence, quite a few do not focus on risk committees or form an audit committee. This becomes a tricky situation, as sometimes private company CEOs manage bigger turnovers than listed companies do. If they have a team of technocrats running the business, the focus on risk management is limited. The problem becomes bigger in the case of global organizations with subsidiaries in various geographies.
In such a scenario, it is a good idea to form risk and audit committees. The members may be board members and senior risk managers from other locations, if the organization is unwilling to have external members. The idea is that senior managers from other locations will look at the information independently and share best practices at a global level.
The board of directors and senior management, though they cannot delegate their risk oversight role completely, do get better sources of information. It also keeps the internal teams on their toes, as they know that there are other risk experts looking at their work.
To progress, one has to change. Risk managers need to tackle the challenge of evolving risks and hence need to transform rapidly. Their ability to adapt and transform themselves directly correlates with the organization’s ability to manage risks. During change, a team is fragile and needs constant nourishment. Hence, senior management support is needed for the change, not only by providing the budgets but also by protecting the team’s nascent growth. A good GRC function gives a competitive advantage to the organization; hence it is worth the effort.
The Business Enterprise magazine published this article in its December 2011 issue.