A STRATEGY FOR RISK; You can’t ‘freestyle’ when it comes to managing risk!
This instalment has tapped into a colleague in the UK to crystallise the need for the right culture in which risk management is not seen as ‘friction’ but as an enabler that ensures that potential perils are proactively identified and gaps addressed in order to avoid losses.
One of the most important aspects of risk management is the strategy. When it comes to managing risks, we cannot ‘freestyle’ because we need a robust risk management strategy, which is a plan that provides a coordinated approach to management of risks and related activities.
I am so excited that in writing this article, I had the privilege to co-author it with a representative from the Institute of Risk Managers (IRM) in the UK, Carolyn Williams, who is IRM’s Director of Corporate Relations. I acknowledge this and am thankful to her for the privilege.
Strategy setting is a critical aspect of a successful risk management programme, hence the need to ensure that IRM, as a globally renowned professional enterprise risk management body that provides leading international education, training and research, has an input in this article. Risk management offers a systematic way of exploring, balancing and addressing everything that may prevent an organisation from achieving its strategic objectives (the risks) and everything that may enable the organisation to meet those strategic objectives (the opportunities). A robust risk management strategy is therefore required to ensure proactive risk and control identification towards sustainable business growth and achievement of the organisation’s strategic objectives.
It is important to unpack the key pointers to consider when setting a risk management strategy for a large organisation or small business. First of all, a risk management strategy does not operate in isolation but forms part of the overall organisational strategy. It basically serves as an enabler for an organisational strategy that sets direction and focus areas for the year from a risk management perspective.
But there are many conflicting priorities relating to risk maturity. The risk management strategy therefore defines the key themes for prioritisation that are most aligned to the overall organisational strategy. Carolyn emphasises that for the strategy to be a success, it must have a strong alignment with overall strategy and objectives. Both large organisations and small businesses must have a clearly articulated strategy and key objectives that the management team and even stakeholders are aware of and buy into. The risk management strategic objectives must align with what the business wants to achieve and should be cascaded down through the organisation so that everyone - all the three lines of defence - knows what they are supposed to do and can behave accordingly. The risk management strategic objectives can be set out in both qualitative and financial terms and can comprise a set of zero tolerance statements which drive the desired behaviour and keep everyone accountable in order to ensure a robust control environment. The organisational culture also plays a big role in ensuring the success of a risk management strategy. In Carolyn’s words, “A healthy ‘risk culture’ in the organisation ensures that everyone from the board downwards can understand and play their part in helping the organisation achieve its objectives by intelligently managing its risks and opportunities.”
With the right culture, risk management is not seen as ‘friction’ and something that delays the sales and service goals but becomes an enabler that ensures that all potential perils are proactively identified and gaps addressed to avoid losses and regulatory non-compliance issues. Since the risk management strategy is designed to enable the overall organisational strategy, buy-in from the relevant stakeholders remains critical. We need to constantly ask ourselves how to get buy-in from relevant stakeholders on the risk management strategy. “This is something that organisations of all types all around the world find challenging,” says my colleague Carolyn.
It becomes easier when the board prioritises the need to improve the organisation’s risk management. If the organisation is not risk aware, this is likely to be learnt the hard way after it experiences a disruptive and costly risk event. The luckier ones seize the opportunity to proactively address control breakdowns and act upon near-misses to prevent recurrence. Without stakeholder buy-in for the risk management strategy, the risk team is likely to experience resistance and there will definitely be differences in perception and understanding of risk. This is why it is important that, when setting the risk management strategy, consultations are held with the relevant stakeholders to ensure that they are informed and contribute to the strategy. This makes them a part of the solution and promotes accountability by the risk owners as they cannot easily criticise something that they were a part of.
A robust risk management strategy also needs a driver or someone charged with the responsibility of ensuring that it is in place and that the strategic objectives are implemented. This can be achieved through having a competent and charismatic Chief Risk Officer (CRO) or equivalent who is responsible for strategy setting and the risk management programme, ensuring that it is well cascaded across all levels within the organisation. The CRO also supports the organisation in building a healthy control environment and a risk culture and has the mandate to communicate and influence risk-based decisions in the boardroom. They also drive relevant discussions and exchange of information needed across the organisation to drive risk maturity. Smaller entities or business establishments whose structures are smaller and leaner may not need a CRO. However, it is important that the owner-manager is risk mature and incorporates risk management into the overall strategic objectives or appoints someone within the business to run the risk management aspect as part of their deliverables.
This shows that a risk management strategy requires adequate resourcing, which is one thing that is often overlooked by organisations. A risk management strategy establishes the risk maturity roadmap and sets out how the risk management team is going to support the organisation in ensuring that risk management remains a major consideration in the organisation. It also drives risk maturity through the embedding of risk management tools like risk registers, key risk indicators and risk assessments and ensuring that such tools are utilised across the organisation. A risk management programme that adds value to the organisation requires a well thought-out strategy and cannot succeed without a robust risk management strategy.
Institute of Risk Managers - IRM, UK