Indian economic progress has forever changed the role of risk functions within the organizations. The bespectacled serious-brow-furrowed auditor who goaded and badgered business teams was buried alive. The new-age risk manager took birth who handholds business teams.
The transformation has not been easy. Risk managers have more teeth now though they are still climbing the learning curve. While some have successfully changed the risk function within their organization, others are still struggling. The ten best practices mentioned below ensure risk managers win the race.
1. Integrate Governance, Risk Management & Compliance (GRC) Departments
In the good old days, risk management entailed conducting financial and internal audits. In auditorville, cash, bank and journal vouching sufficed. With globalization, technology advancement and interdependent economies, the risk landscape has dramatically changed. Now risk managers address financial, strategic, operations, political, legal, reputation, continuity and emerging risks. It requires diverse domain knowledge to mitigate downside risks and leverage upside risks. Hence, breakdown the risk function silos and integrate them under one head.
2. Appoint Executive Level Chief Risk Officer
The other aspect is that in the organization structure hierarchy, the risk management functional heads frequently have a skip level reporting to the CEO. As the risk function head is not a direct report of the CEO, the risk management issues do not come on the CEO radar. The problem magnifies where GRC department heads are reporting to different direct reports of the CEO. In such scenarios, the probability of risks remaining unaddressed is high as risk management function lacks authority. Thus, organizations benefit when an executive level Chief Risk Officer directly reports to the CEO.
3. Empower Risk Oversight Committee
Presently, a few listed companies have formed risk oversight committees as only some have realized their importance. Risk oversight committees play a pivotal role in educating board members about risks and steering their thought process towards organizational risks. The committee members’ role is to discuss strategic risks, approve risk appetite, improve corporate governance etc.. The objective of a risk oversight committee is different from audit committee. Audit committees are a mandatory requirement for listed companies and are significantly focused on financial risks and irregularities. Risk oversight committee encompasses all organizational risks. Chief Risk Officers should request their boards to form risk oversight committees to get traction at senior level.
4. Prepare a Risk Management Strategy
As Sun Tzu said – “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” The problem is just around 50% of the organizations have a formal risk strategy. In quite a few cases, risk functions are conducting reviews, audits and analysis without a strategy. Risk managers navigate without a compass when they attempt to manage organization risks with just tactics
The senior management risk attitude falling in four categories– maximisers, conservators, pragmatists or managers - determines the risk strategy of the organization. Management may adopt a risk strategy of risk trading, loss controlling, diversification or risk steering depending on the risk attitude and economic environment. Therefore, develop a risk management strategy after understanding the management attitude and business strategy.
5. Focus on Strategic Risks
The strategic risk discipline is still developing as it gained focus in the last decade. Not surprisingly, in nearly half the organizations, risk managers are not involved in business strategy formulation stage. Hence, the strategic risks of the organization remain unaddressed in the initial stages.
Risk managers fail to understand the different perspectives of senior and middle managers. Middle managers focus on downside risks - on regulatory compliance, operating and tactical risks. Senior management is interested in exploiting upside risks to increase shareholder value - emerging market risks, financial market volatility and market demand. Therefore, risk managers need to assist senior management in addressing strategic risks.
6. Build a Risk Culture
This is an often-ignored concept, though a risk culture can make or break an organization. Enron case showed that when organization culture is deviant or aggressive, there is significant impact on internal controls. Without a risk culture, risk assessments and audit reports are swept under the carpet.
A risk mindset is developed when each employee understands risks and thinks through them while taking daily business decisions. To make risk culture part of organization DNA, top management must walk the talk. In addition, to build a risk culture risk managers must continuously train, educate and communicate with employees.
7. Measure Risk Appetite
Risk appetite, a relatively new concept, is defined as the quantity of risk the business owners are willing to take to get the desired rewards. Although it measures risk and reward, just a quarter of the organizations have properly calculated risk appetite. The result is that sometimes excessive risks are taken while making business decisions, as there is no scale to measure against. On the other hand, sometimes organizations sit on a pile of cash and other assets and do not take the required level of risks for business growth. Secondly, sometimes organizations decide a ballpark figure of risk appetite by doing back of the envelope calculations. A better practice is to use models to calculate risk appetite and continuously monitor the same.
8. Become a Business Partner
Risk managers do not like to hear this, but let’s face the truth. The old auditor image is hard to shake off. Sometimes business teams think risk managers are nitpickers, watchdogs, critics etc. Quite frequently business teams consider risk managers an obstacle to or irrelevant in achieving business goals. The reviews and reports set a negative tone and business teams become averse to risk managers instead of risk per se. Risk managers need to cut down the constant rhetoric and become business enablers. Rebrand risk management functions as transformation agents and business value contributors. Focus on providing competitive advantage to business.
9. Improve Communication
In most organizations, risk reporting is a weak link. Although, engaging stakeholders is worth its weight in gold risk managers haven’t mastered the art. Senior management demands short and precise reports with material risks and concrete suggestions. Middle managers request risk observations alignment with business and a cost-benefit analysis for recommendations. However, board, senior and middle managers frequently complain that they do not receive sufficient risk information from risk managers.
Risk managers are unable to say it in one line -“The bottom line is…….or here is what is important”. Due to inadequate communication skills, risk managers are failing to demonstrate value. Hence, improve communication for enhancing internal selling.
10. Invest in Tools & Technology
While technology adoption is high in business users, risk managers still are not leveraging it properly. Except for few who are early adopters of GRC software, most are still relying on excel worksheets for their work. The prevailing mindset is to put more boots on the ground to cover increased scope. Risk managers must invest in tools and technology to proactively and continuously manage risks. This not only improves resource utilization and allocation, it arms the organization to timely address uncertainties.
Use the following scorecard to evaluate your companies status in respect to best practices.
Author profile: The author is a risk management and corporate governance consultant with +15 years of experience. She is a qualified chartered accountant, certified internal auditor and has cleared certified public accountant (USA) examination. She blogs at Sonia jaspal's RIskBoard (http://soniajaspal.wordpress.com).
CAclubindia
