Risk Management: An Every Day Practice
According to a recent CFO.com article by Norman Marks, when most people think about the “risk” in “risk management,” they think of risks specifically related to currency movements or changes in the price of commodities. But it’s not just about complying with laws and regulations, or making sure financial statements are error-free. Risk management, as defined in ISO 31000, is the identification, assessment, and prioritization of risks as the effect of uncertainty on objectives, whether positive or negative. Marks reminds us that risk management means being prepared to roll with all the uncertainties throughout business operations. In other words, it’s about everything, and whenever executives discuss strategies with their boards, they should also be talking about risk and taking measures to protect their objectives.
Some CFOs treat risk as something that can be managed once every quarter, but truly this can be foolish because risks appear all the time! Risks don’t care about schedules, so they should be integrated into every day decision-making, strategizing, and performance management. In fact, failing to think about risk in every situation, at all times, is like riding a bike with your eyes closed half the time. You could be in for a nasty (but perhaps delicious) surprise when you open your eyes and find out you’re about to run into an ice cream truck!
Companies that do handle risk management well are more equipped to deliver better, more consistent and lasting performance long term. This is because they’re well prepared for the unforeseeable events that can negatively impact a business and they’re able to handle tough situations as well as take advantage of good ones.
Strategic risk management is perceived as more effective than traditional approaches to risk management. In those traditional approaches, risk management has been relegated to addressing threats of accidental loss. In this traditional context, the most risk management could ever accomplish was to reduce or eliminate losses from accidents, so that an organization could, at best, continue to do “business as usual.”
The looming issue with this approach is that it fails to address non-accidental risks of loss, from poor business judgment, for example, or from errors in forecasting client needs. It also fails to entertain the possibility for gain from risk. (Though it sounds counter-intuitive, risk management can indeed be a competitive tool. In fact, a report done by CFO.com and Aon Risk Services reveals that nearly half of surveyed respondents believe that a strategic approach to risk management can yield competitive advantage, mainly through better capital allocation and by helping firms manage their industry’s key risks in a superior way vs. their competitors.)
This traditional approach is one reason that some businesses’ risk management practices are lacking. Indeed, according to the survey, the vast majority of executives feel that their company’s risk management is not sufficiently vetted to protect the interests of the company or corporation. Only one in twenty feel otherwise!
Most companies do a periodic assessment of their more significant risks. They hold meetings with board members, the management team and executives to discuss and prioritize what risks deserve attention. The question remains if these occasional meetings are truly a part of the decision-making process? Are organizations maneuverable enough to handle surprise situations? There are significant obstacles to overcome in implementing strategic risk management. Is there sufficient buy-in at the executive level to get strategic risk management off the ground in a meaningful way? CFOs need to ask themselves these questions if they’re to have any hope of keeping their organization on the right path toward achieving their goals.
So what are they doing about it?
One thing many companies are doing is to integrate their risk management processes across the organization. More than a third of companies intend to do this within three years, while only 12 percent expect they will still manage risks in separate functions. Integration has benefits: CFOs are increasingly satisfied with risk management the more unified the process is across the company. Tying risk management to the strategic planning process makes it even more effective.
Few companies (about 15%) have the wherewithal to appoint a dedicated Chief Risk Officer, or CRO. This proportion isn’t expected to change much: only 5% say they intend to create and fill such a position in the future. In lieu of a dedicated position, many companies are appointing risk management boards or committees made up of other executives already employed.
Companies are also focusing the efforts of their risk management strategy to more closely align with their business objectives. 73% of executives surveyed believe that the risk management strategy necessarily includes periodic audits to insure that this takes place.
Posted on: July 19, 2011
