Three Steps to Successful Risk Management
In the wake of an ever changing risk environment, companies are faced with increasing demands from a variety of organizational stakeholders. As such, companies are seeking improved approaches to manage risks and create value. A recent thought paper published by EY summarizes their global governance, risk and compliance survey (GRC) of 1,196 respondents from 63 countries and 25 industries to determine how effective companies are at managing risk. The general consensus was that companies still see room for improvement in risk management, despite recent enhancements made to date. This paper, which is authored by Paul van Kessel, Matt Polak, and Michael O’Leary, provides a three-step approach to risk management to become a more risk-aware organization.
Three Categories of Risk
Traditionally, risks have been placed into various categories depending on the company. However, in today’s environment a more structured approach to categorizing risks is needed in order to be effective. The following three categories of risks should be used in the risk management process:
- Strategic Risk: offer positive benefits towards the company’s goal which makes these risks a balancing act
- Preventable Risk: offer no positive benefits and should be eliminated, avoided, or transferred
- External Risk: despite offering a positive or negative benefit, these risks are out of the company’s control and as such the focus should be on mitigating the likelihood of occurrence
1. Advance Strategic Thinking to Improve Value Creation
The starting point of many risk management processes is identifying and assessing risks. However, before this occurs the company needs to better understand their risk appetite, which is the amount of risk they are willing to accept in pursuit of the business strategy. This allows companies to more effectively identify risks to their chosen strategy. Once risks are identified they should be placed into the three categories previously mentioned. This allows companies to identify both positive and negative risks for a given strategy. The second component of step one is to design risk response plans for identified risks. Separating risks into the three categories enables companies to design cost-effective and efficient risk response plans within their risk appetite.
2. Optimize Functions and Processes to Effectively Execute your Risk Strategy
Having designed a risk response plan, a company now needs to optimize the plan in order for it to be effective. This process involves three components: establishing an operating model, aligning the right resources for execution, and designing the policies and processes of the risk response plan.
An operating model that is well-defined and coordinated is one in which ownership and accountability of the risk is clear and defined. This allows for effective coordination, communication, and reporting of the risk response activity. Management is responsible for this process by setting the tone at the top and creating a risk aware culture throughout the company. EY has also defined “three lines of defense” in order to have an effective operating model. The first line of defense is operations and business units and is comprised of those individuals that own the risk and are responsible for identifying and managing those risks. The second line of defense is management assurance. This line is comprised of those that are responsible for monitoring the design and operational effectiveness of controls. The last line of defense is independent assurance from internal and external auditors. Establishing these lines of defense is the first step in optimizing the risk response plan.
The second step in optimizing the risk response plan is aligning the proper skill-sets and resources to the execution of the plan. These should be aligned throughout the three lines of defense in order to have the most effective and efficient plan. Respondents to the survey indicated the following as the top five skills/experience desired for these functions:
- Risk management
- Business strategy
- Critical/analytical thinking
- Regulatory compliance
- Process Improvement
The last step in optimizing the risk response plan is designing risk management policies and processes for the plan and communicating those throughout the organization. This step is crucial in effective risk management, as those with responsibilities need to know the what, why and how of the plan. The GRC survey found that 65% of respondents do not produce or only produce annually a risk management report. Increasing communication frequency will lead to more effective risk management, and one a process that is more embedded in the culture of the company.
3. Embed Solutions to Proactively Respond to Risk and Improve Performance
In order to achieve the most effective risk management, companies need to embed sustainable solutions into the culture in order to remain effective. EY provides means to embed solutions for each risk category.
Solutions to preventable risks have one main objective – to prevent. Solutions that prevent risks from arising and are easily detected and monitored are the most effective.
The objective for strategic risks is to balance risk mitigation and risk taking as these risks can generate value to the company. Solutions such as balanced scorecards, key risk indicators, and risk modeling and analytics enable companies to manage risks and adapt to risks are most effective.
Stress testing, scenario planning, and war-gaming are the recommended solutions for external risks. Companies should focus on embedding these practices to allow them to better identify, assess, and prepare for external risks.