In the first of a two-part series, Michael Rasmussen investigates how to navigate the corporate fog for risk success
Organisations have managed risk since the dawn of time. Business survival requires an organisation to take risks – successful organisations manage risk well, while those that do not go out of business. The challenge is that risk has been managed in silos across the organisation that have not shared a common definition, approach, or reporting of risk.
As organisations face greater complexity, business change, distribution of business operations, and governance mandates from external authorities, the organisation needs a common definition of and approach to risk management across the enterprise. Risk managers must understand the variation in views of risk across the organisation and arrive at a common understanding of risk that the entire organisation can work within.
A limited perception of risk based on role and experience results in a failure to see and measure the full scope and interdependency of risk in today’s complex and distributed business environment.
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!” – Captain E J Smith of the RMS Titanic prior to its maiden voyage.
Just as the voyage of the Titanic was doomed by ignorance of its vulnerabilities and exposure to disaster, today’s business environment cannot tolerate risk ignorance either. Risk ignorance produces the ‘iceberg of risk’: the full risk exposure of the organisation goes unseen because risk is managed in organisational silos that do not communicate with each other, and the unseen mass is ready to sink the corporate ship.
Corporations fail when they do not see the full scope and interdependency of risks across business areas.
Risk ignorance results from failure to see the interrelationship of risk
Risks managed in isolation lead to corporate disaster because the full interrelationship and dependencies of risks are not foreseen.
The interrelationship of multiple risk factors poised to cause a disaster is evident in the stock market crash of October 1987, in which the Dow Jones Industrial Average lost 23 per cent of its value in a single day. In this event multiple risk factors worked together to create a much greater risk environment, including:
Analyst speculation. Market analysts were concerned and stating that stocks were overvalued and investors should sell.
Government policy. The US House Ways and Means Committee had just made announcements impacting corporate mergers and acquisitions.
Technical failure. The technical systems of the New York Stock Exchange were incapable of handling the volume of trades on 19 October, causing further widespread panic and fear.
Note that a risk environment is impacted by both internal and external events. Organisations fail when they manage their risk environment purely from an internal control perspective. There should be great concern for enterprise risk management programs that have sprung out of a Sarbanes-Oxley view of the world that do not account for a full view of risk across the internal and external business environments.
Corporate performance is linked to risk management
Business is risk management. To stay competitive in a fiercely hostile and global market requires that an organisation take and manage risk.
“Enterprise is the undertaking of risk for reward. A proper understanding of the risks accepted by a company in the pursuance of its objectives, together with the strategies employed to mitigate those risks, is thus essential to a proper appreciation of its affairs by the board and relevant stakeholders.” – Judge Mervyn King, from the King II report on corporate governance.
Business organisations – and for that matter individuals – have always taken and managed risk. However, risk management has been an ad hoc process run in organisational silos. It has lacked the risk governance which aggregates an enterprise view of risk that the board of directors and executive management can truly use in steering the corporation.
Enterprise risk management is about managing uncertainty in meeting business objectives, fully realising that there is an upside as well as downside to taking risk. This requires the understanding that:
Organisations are dynamic and complex. Business moves at the speed of light on a global basis among a network of business partners, suppliers, individuals, and technical systems.
Uncertainty grows with the dynamic nature and complexity of business. The more variables introduced the greater the uncertainty – the complexity and dynamism of business causes uncertainty to grow exponentially.
Organisations need an enterprise view of risk to manage this growing uncertainty. Uncertainty can bring both reward and disaster; an enterprise view of risk not only helps executives and the board meet their fiduciary responsibilities of due care but ultimately affects the organisation’s ability to meet or exceed business objectives.
Business complexity requires an enterprise view of risk
Business is complex and dynamic: it changes daily in size (eg employees, business partners, processes, and systems), products, and services, while also facing pressure to move from regional to international operations. While risk used to be handled in fragmented silos across the organisation, organisations are now looking at enterprise risk management strategies. Organisations are looking to ERM to provide a holistic view of risks and their interrelationships and dependencies across the organisation. But moving from silos of risk management to an enterprise risk strategy is a particularly acute problem, as it requires coordinating the complexities of risk arising from a firm’s specific situation across many facets of its business, including its:
Business operations. Financial, treasury, and insurance risk are mature areas of risk management – operational risk management though is a growing and challenging area given business complexity. Organisations are developing frameworks that include a wide array of operational risks such as supply chains, quality, environmental, health and safety, information technology, business partner relationships and outsourcing.
Political landscape. Relations between governments significantly affect business. When relationships between two countries are strong, business prospers; when weak, business suffers. Through political actions (eg environmental, military, capital/monetary, treaties, and sanctions), the business environment around the world changes, affecting the ability of business to operate in multiple jurisdictions and significantly influencing the risk profile of an organisation operating in a global environment.
Economic forces. Global economies pressure organisations to take advantage of multiple markets, explore new opportunities and relationships, outsource, specialise, and distribute business operations. The complex behemoth organisation of yesterday must transform into an agile and focused organisation to gain economic advantage. Capital markets and regulators mandate ‘transparency of control’ in organisation financials and operations, adding to the complexity of managing risk.
Geographic scope. Organisations are challenged to distribute operations around the world. The goal is to take advantage of multiple economic environments for products and services, grasp opportunities in environments with low costs of human capital resources, and outsource operations and development. To survive in a geographically distributed environment, firms must create oversight mechanisms to manage geo-political risk in the global market and operational risks, as well as compliance demands with operations in multiple jurisdictions.
Legal and regulatory landscape. The distributed nature of business expands the risk profile organisations need to manage – particularly the legal and regulatory environment. Regulations are streaming out of governments nonstop. Further, the risk of prosecution is rising due to the complex environment of risk, corporate governance, litigation, and regulations. Finally, much of the world is quickly moving from a checkbox approach to regulatory compliance to a principles- or outcome-based approach which requires an integrated risk analysis process. The legal and regulatory environment is often anti-globalisation and adds complexity and control to business operations and partner relationships.
Increased scrutiny by financial markets. Risk management practices within organisations have come under the microscope of listing exchanges as well as rating agencies. The New York Stock Exchange requires that a board’s audit committee focus on the organisation’s risk assessment and risk management processes. This sets a benchmark for non-NYSE-listed organisations to follow. Additionally, enterprise risk management is now being integrated into corporate ratings delivered by organisations such as Fitch, Moody’s, and Standard & Poor’s.
Michael Rasmussen is vice-president, risk and compliance research, at Forrester
Part II next month