The Risk Policy Statement – “It is not my portion…”

RISK MGT WATCH

I asked my friend Godwin if he had insured his new car against accident or theft. His reply was what has become a classic Nigerian response – “what accident? It is not my portion”. He left me wondering whose portion it is.

Benjamin Franklin famously said: “By failing to prepare, you are preparing to fail.” Doing business without a plan, a strategy, appropriate risk management architecture and protocols means that the business may fail. It’s almost like saying that the sandwich is about the content, whether it’s akara, meat or fish, but the bread and butter that holds the sandwich together is the material that gives the sandwich its substance.

So in a similar vein, the risk framework is the bread and butter of risk management. Much as an architect designs a building, an enterprise risk professional prepares the risk framework, a document that clearly sets out the risk architecture (roles and responsibilities), strategy (appetite and attitudes) and protocols (guidelines, rules and procedures). The most important component is the risk management policy statement. Every forward-looking organisation (including government councils, ministries, departments and agencies) should consider making a statement that clearly sets out the organisation’s objectives for integrating risk management activities into mainstream activities, and demonstrates a commitment to implementing integrated risk management throughout the organisation.

This statement must be in support of risk management as an integral part of the entire organisation’s structures and processes; it may best be included in existing corporate policies regarding the organisation’s objectives and commitments.

A good risk management policy statement mirrors the organisational goals and culture and talks about what the organisation intends to achieve out of risk management. Is the organisation in the business of taking risk? Then the policy should talk about how risk management is going to enable managed risk to be taken. Is the organisation about protecting vulnerable people? Then the risk management policy needs to be about how the focus is on minimising risk that threatens the ability to protect the clients. Aligning the risk management vision and objectives with corporate objectives and strategic direction helps make risk management meaningful and relevant to all employees.

The policy statement also needs to make it clear who is responsible for leading risk management, who implements it, who checks on it, who responds to it (control owners), what structure is in place to implement it, the governance structure surrounding protecting the stakeholders’ interests, and the resources to manage it. Above all it should make clear that everyone in the organisation is responsible for spotting and reporting risks.

Supporting the policy, there needs to be some form of implementation architecture. Depending on the complexity of the organisation, this might vary from a simple aide memoire on the basic processes and terms of reference for the various committees that form the governance structure, to a full-blown Risk Operating Manual that sets out all the information required and the protocols including the risk appetite structure.

An organisation’s appetite for threat and opportunity varies with its culture and with evolving conditions in its internal and external environments. Risk appetite and tolerance can be determined through consultation with affected parties, or by assessing stakeholders’ response or reaction to varying levels of risk exposure.

When establishing and articulating the overall direction for integrated risk management, an organisation may wish to consider:

• The rationale for managing risk, including internal and external contexts;
• Links between the organisation’s mandate and objectives and the risk management objectives;
• The necessary and appropriate accountabilities and responsibilities for managing risks (see below);
• The commitment to adequately resource risk management activities;
• The manner in which risk management will be integrated into the organisation;
• Mechanisms for escalating risks and reporting on risks;
• Mechanisms for enhancing opportunities through risk management processes;
• The methodology by which risk management performance will be measured and the avenues for reporting risk management performance; and
• The commitment to review and update the risk management approach as appropriate, whether in response to a positive or negative event or based on an appropriate periodic cycle.

The risk framework and policies set out the governance structure, confirming that the board and senior management are ultimately accountable for the implementation of risk management within the organisation.

In determining and documenting the appropriate accountabilities, organisations should consider:

• Specifying appropriate risk owners that have the accountability and authority for risks;
• Specifying appropriate risk control/risk enhancer owners who have the accountability and authority to manage risks;
• Ensuring the organisation’s governance structures support the required levels of accountability and authority for the risk owners and the risk control and risk enhancer owners;
• Identifying the appropriate structure for the development, implementation, and maintenance of the risk management approach and associated processes;
• Communicating that all staff have a role to play in identifying and managing risks;
• Establishing performance measurement and internal and/or external reporting and escalation processes;
• The way in which conflicting interests are managed;
• Sanctions and incentives for poor risk-taking behaviour versus good risk-taking behaviour, including ensuring appropriate levels of recognition, reward, approval and sanction;
• Providing assurance over the risk management programme, policy and application of those in the processes of risk management.

Risk management processes are the meat in the sandwich: these are the ways in which we work out the context for risk, identify, analyse and then manage risks within our risk appetite. The processes don’t create a sandwich on their own; the sandwich needs the bread and butter. The bread and butter for risk management implementation sets out the surrounding architecture, policies and protocols for enabling risk management to succeed; by preparing to succeed we succeed in preparing.

Back to my friend Godwin: “Yes indeed, it will be your portion, if steps are not taken to prevent its occurrence, and manage same in any unfortunate event it does”.

• Mbonu, FERP, CIRM(UK), HCIB, MsRM (Stern), studied Engineering, is an experienced Banker and Enterprise Risk Management professional. Earned a post graduate degree in Risk Management from New York University Stern School of Business, and is a member of the Institute of Risk Management -UK. Can be reached on 09092092046 (SMS Only); email: rm4riskmgt@gmail.com
