Despite all the rhetoric and money invested in risk management, it is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that they are followed. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster, as it did not prevent the failure of many financial institutions during the 2007–2008 global financial crisis.
An understanding of what risks are is meaningless, if not followed by an even better understanding of how they can impact businesses and be managed. In the world of risk management, Treatment is the word used to describe the actions taken to manage risk. According to its definition, Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, accepting, adopting or adapting the risk.
Having identified and evaluated risks, the next step involves the identification of alternative appropriate actions for managing these risks, the evaluation and assessment of their results or impact and the specification and implementation of treatment plans.
Since identified risks may have varying impact on the organisation, not all risks carry the prospect of loss or damage. Opportunities may also arise from the risk identification process, as types of risk with positive impact or outcomes are identified.
Management or treatment options for risks expected to have a positive outcome include:
• expanding or continuing an activity likely to create or maintain this positive outcome;
• modifying the likelihood of the risk, to increase possible beneficial outcomes;
• trying to manipulate possible consequences, to increase the expected gains.
Management options for risks having negative outcomes look similar to those for risks with positive outcomes, although their interpretation and implications are completely different. Such options or alternatives might be:
• to terminate the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk;
• to modify the likelihood of the risk, trying to reduce or eliminate the likelihood of the negative outcomes.
In general, the cost of managing a risk needs to be compared with the benefits obtained or expected.
Risk treatment measures can present a frightening array of hard-to-follow processes and results and unfathomable language and jargon. That is not to say that these are not important. They are. But they need to be translated into simple, elegant tools and knowledge systems for the Board to be able to make sensible, life-giving, risk-managed decisions for the business and for the stakeholders in a managed context.
In an optimised scenario, risk management should be embedded as a culture. It should be managed enterprise-wide in an integrated and coordinated approach. This is spelt out in the code of corporate governance for public companies in Nigeria (2003).
The financial services industry poses a unique challenge because of the volatile dynamics of asset markets and the potential impact of decisions made by investment managers. A bank’s risk profile can change dramatically with a single deal or major market movement. For such companies, risk management requires embedded experts within the organisation to continuously monitor and influence the business’s risk profile, working side by side with the line managers whose activities are generating new ideas, innovation, and risks, and, if all goes well, profits.
The danger from embedding risk managers within the line organisation is that they “go native,” aligning themselves with the inner circle of the business unit’s leadership team and becoming deal makers rather than deal questioners. Preventing this is the responsibility of the company’s senior risk officer (the CRO) and, ultimately, the CEO, who should set the tone for a company’s risk culture.
Because some risks are quite predictable, even familiar, companies tend to label and compartmentalise them, especially along business function lines. Banks often manage what they label “credit risk,” “market risk,” and “operational risk” in separate groups. Other companies compartmentalise the management of “brand risk,” “reputation risk,” “supply chain risk,” “human resources risk,” “IT risk,” and “financial risk.”
Such organisational silos disperse both information and responsibility for effective risk management. They inhibit discussion of how different risks interact. Good risk discussions must be not only confrontational but also integrative. An enterprise risk management (ERM) approach can solve this problem by managing the universe of risks in a structured and holistic manner.
The need to have ERM experts overseeing the framework within an embedded risk culture environment cannot be overemphasised. This is why successful companies stand out. Most failed companies had relegated risk management to a compliance function; their risk managers had limited access to senior management and their boards of directors. From my experience in banking, executives routinely ignored risk managers’ warnings about highly leveraged and concentrated positions.
Although the degree of risk management actions varies among firms, ERM ensures that firms attain their corporate objectives. ERM does not prevent losses, but provides a platform for firms to better manage their risks. The implication for practice is that risk management is an integral part of the decision-making process. Risk management does not mean always getting things right; instead, it means getting them less wrong, less often, with less damaging consequences.
• Mbonu, FERP, CIRM(UK), HCIB, MsRM (Stern), studied Engineering, is an experienced Banker and Enterprise Risk Management professional. Earned a postgraduate degree in Risk Management from New York University Stern School of Business, and is a member of the Institute of Risk Management, UK. Can be reached on 09092092046 (SMS Only); email: email@example.com