risk management guide - secret recipe for risk managers


Upload: alex-sidorenko

Post on 19-Feb-2015


DESCRIPTION

Years of research and experience went into this practical and very pragmatic risk management guide. Learn how to become a valuable risk manager to your organisation. Although some of the conclusions and lessons in the guide are based on our research in Europe, any risk manager will find it useful and easy to read. This guide provides 15 very specific and actionable recommendations that corporate risk managers would find useful in building a robust and value-adding risk management system. To provide a logical structure, the authors have grouped the 15 recommendations into three high-level objectives: drive risk culture, integrate risk management into business, and become a trusted advisor. We believe this guide will assist risk managers in strengthening the risk culture within their organisations.

TRANSCRIPT

Page 1: Risk Management Guide - Secret Recipe for Risk Managers

This quick checklist is designed to help risk managers mark their progress as they read through the guide and implement the recommendations provided within as appropriate.

Check activities off as you complete them:

QUICK CHECKLIST

Objective 1: Drive risk culture

Define the overall risk profile

Help set the tone at the top

Help define the risk-management roles and responsibilities

Remember to keep it simple

Objective 2: Help integrate risk management into business

Involve staff as much as possible

Align risk management, strategic planning, budgeting, and performance management

Create a network of risk champions throughout the company

Provide risk-management training

Assist management in evaluating projects and opportunities using risk analysis

Facilitate open communication

Objective 3: Become a trusted advisor

Scan the horizon often, and remember to challenge assumptions

Inform the management about emerging risks

Conduct risk research upon management’s request

Establish a network of risk managers from peer companies

Fine-tune your own risk-management skills


CONTENTS

INTRODUCTION 1

OBJECTIVE 1: DRIVE RISK CULTURE 3

A. Define the overall risk profile 4

B. Help set the tone at the top 9

C. Help define risk-management roles and responsibilities 12

D. Remember to keep it simple 15

OBJECTIVE 2: HELP INTEGRATE RISK-MANAGEMENT INTO BUSINESS 16

E. Involve staff as much as possible 17

F. Align risk-management, strategic planning, budgeting, and performance management 18

G. Create a network of risk champions 23

H. Provide risk-management training 24

I. Assist management in evaluating projects and opportunities using risk analysis 26

J. Facilitate open communication 27

OBJECTIVE 3: BECOME A TRUSTED ADVISOR 29

K. Scan the horizon often, and remember to challenge assumptions 30

L. Inform the management about emerging risks 31

M. Conduct risk research upon management’s request 32

N. Have a network of risk managers from peer companies 33

O. Fine-tune your own risk-management skills 34

CONCLUSION AND NEXT STEPS 35

APPENDICES 36

Appendix A – Risk-management roadmaps 37

Appendix B – Bibliography 39

ABOUT THE AUTHORS 42

COPYRIGHT


INTRODUCTION

Nowadays risk management is on everyone’s corporate agenda; however, this hasn’t always been the case. We began our research into the topic back in 2007. At the time, this was prompted by the fact that many large corporations across Eastern Europe were establishing risk-management teams and implementing risk-management frameworks. Our 2007 study highlighted that risk management was largely driven by the requirements of stock exchanges and was very basic in nature. We identified a number of challenges, mainly relating to weak risk-management culture and confusion around the roles and responsibilities that the boards of directors, executive management, and the risk-management teams play in the overall management of the company’s risks.

We also noted that back in 2007, risk managers focused primarily on fundamental activities, like developing risk-management frameworks, conducting risk assessments, and aggregating risk reports. This resulted in a very compliance-like—and sometimes overly complex—process of risk identification and analysis. It often took months to get any meaningful results and quickly became a box-ticking exercise. Business units resisted what was perceived as a “back office initiative,” claiming that risks were already known and under control. Nevertheless, the drive to have a robust independent analysis of major risks, an enterprise-wide view of the same, and a reliance upon the quality of the risk-management process soon became apparent to the boards of directors and the executive management.

Today, as we continue to adapt to a highly volatile environment, businesses across Eastern Europe are becoming more proactive about risk-management. As a result, risk managers have been given a much more prominent role in establishing a robust risk-management culture within organizations. In order to succeed, risk managers need to re-emerge as trusted strategic business advisors who are able to communicate with shareholders and management in a simple and compelling business language and who can apply the right risk-management tools that fit the size, complexity, and culture of an organization.

In our research, we were pleased to find that the Eastern European companies we interviewed have addressed the initial challenges, helping risk managers to get buy-in from the company and strengthen the risk-management culture within the organization.

The objective of this guide is twofold:

• To assist risk managers in building a risk-intelligent culture within their organizations and provide them with some practical suggestions and tools on how to achieve this in line with the latest risk-management standard ISO31000:2009; and
• To help the board of directors fulfil its governance duties and help the board members build the right expectations of what a true risk-intelligent culture comprises.


To achieve this objective, we have revisited our own risk-management experience, which we have acquired over the course of ten years of risk consulting to various businesses across Australia, Singapore, Poland, Russia, Ukraine, and Kazakhstan. Both authors have worked as risk-management consultants and corporate risk managers reporting directly to Chief Risk Officers (CRO) and vice-presidents, have actively participated in various discussions within the international risk-management community to stay at the forefront of the schools of thought regarding risk management, and have performed their own research of corporate governance and risk-management practices in 2006–2007, the results of which were published in an international journal.

We have also interviewed other risk managers from large corporations in Eastern Europe to leverage their practical approaches in developing a risk-intelligent culture and have prepared case studies of risk-management practices in developed countries. These are incorporated into our practical guide.

Guide structure

This guide provides fifteen very specific and actionable recommendations that corporate risk managers will find useful in building a robust and value-adding risk-management system. To provide a logical structure, the authors have grouped the fifteen recommendations into three high-level objectives:

• Drive risk culture
• Help integrate risk management into business
• Become a trusted advisor

A detailed description is provided for each recommendation on the left side of the page. The right side of the page contains specific actions relating to each recommendation. The authors encourage the readers to first scan the main body of the document and then refer to Appendix A, which contains useful roadmaps that help risk managers prioritize the recommendations provided in the guide. A quick checklist covering the content of the guide is also provided for the reader’s convenience on the first page.


OBJECTIVE 1: DRIVE RISK CULTURE

A. DEFINE THE OVERALL RISK PROFILE
B. HELP SET THE TONE AT THE TOP
C. HELP DEFINE RISK-MANAGEMENT ROLES AND RESPONSIBILITIES
D. REMEMBER TO KEEP IT SIMPLE


A. DEFINE THE OVERALL RISK PROFILE

Risk management is first of all about creating a culture within the organization that supports proactive management of risks and encourages intelligent risk-taking. Developing a risk profile for an organization is a logical place to start. Below are some specific steps that risk managers may take to start the risk-management journey. However, step “zero” should always be a frank discussion with senior management, seeking to understand its expectations from a risk profile and from risk management generally.

Select a risk-analysis methodology that would suit your company: It is important to select a methodology that is both suitable for your business and simple enough that employees accept it. Probably the simplest approach is covered in the risk-management standard ISO31000:2009 and includes consideration of consequences and their likelihood. However, this approach is far from the only one. For example, innovative companies that deal with high levels of uncertainty may find it difficult to accurately quantify probability; hence, they may use a methodology that is structured around risk vulnerability, controllability, and impact. Plenty of literature is available on the subject that may help you select a risk-analysis methodology suitable for your company.

Keep in mind that the complexity of the risk-management methodology should be proportional to the overall risk maturity of the organization. Therefore, if you are tasked with selecting a methodology for an organization that is new to formalized enterprise risk management or where employees have a distinctly risk-averse culture, it would be highly inappropriate to select a complex and non-transparent methodology. In fact, it may be appropriate to select a relatively straightforward and simple approach—perhaps as simple as just highlighting the risks that your company is most exposed to.

[Figure: complexity of the risk-management methodology plotted against maturity of the risk-management culture]

Take action:

1. Review available risk-analysis methodologies
2. Select a methodology appropriate for the current risk culture of the organization
3. Pilot test the selected methodology with a few stakeholders to see if it is transparent and simple enough

Analyze top risk vulnerabilities: Once the methodology is agreed to and generally accepted by the stakeholders, it is time to identify and analyse potential external and internal threats to the business.

IDENTIFY RISKS AND POTENTIAL THREATS

One of the most critical steps in the process is gathering information from which to develop a draft risk profile. This information should be gathered using a combination of a shelf data review, interviews, and expert opinion (these steps are further explained below). The focus should be on understanding the nature of events that have impacted the organization, as well as those events that management has already considered through its business-planning activities.


Take action:

1. Identify potential threats (both internal and external)
2. Ensure all major external forces and internal sources of risk are taken into account
3. Prioritize the identified risks using the selected methodology
4. For the risks assessed as significant, management should develop and execute an action plan to address the risk
5. Draft and validate the risk profile
6. Communicate the company’s risk profile to the relevant stakeholders

Key components of this step are:

• Shelf data review: The purpose of the review is to provide an insight into the background and current status of the organization’s operations. This is a critical first step for any risk manager and must be completed before fully engaging with the business, as you may find most of the necessary information already captured and available for further analysis. This involves the review of key documentation relating to the operation and its associated risks, including:

  • A review of the sources of information contained within the organization that may highlight particular risky events, such as:
    • Historic losses or incidents maintained by the organization
    • Pre-existing risk assessments and management plans that may exist within the organization, including internal audit risk assessments and reports, as well as any historic SWOT analysis
    • Strategic and operating plans and details of any scenario analysis undertaken within the organization
    • Budget models and underlying assumptions/sensitivities as well as histories of reforecasts
    • Financial reports
    • Insurance coverage details and claims history
    • History of litigation and contracting
    • Historical board reports or management reports
    • Historical regulatory filings
    • Any existing key risk indicators (KRI) and key performance indicators (KPI).

  • A review of industry risk information and sources of information external to the organization, such as:
    • Media articles on the organization
    • Analyst reports on the organization and its competitors
    • Ratings agency reports on the organization and its competitors
    • Insurance broker assessments
    • Reports on industry outlook prepared by analysts.

  • A review of risk profiles of comparable/peer companies (available through 10K disclosure for US companies, in annual reports, or on company websites for major international corporations)

  • Where available, a review of the key financial ratios of the company compared with a small peer group, as this exercise can also highlight potential financial risks that the company may not be thinking about

  • As appropriate, additional insight obtained through the use of external industry or functional experts


• Interviews: A series of interviews should be conducted with selected senior managers to validate the results of the shelf data review. These interviews should:
  • Enable risk areas to be refreshed for inclusion in the draft risk profile
  • Raise awareness amongst participants of the benefits/process of risk profiling
  • Allow risk manager(s) to engage with stakeholders and determine the level of organizational “buy-in” and support.

PRIORITIZE IDENTIFIED RISKS

This step needs to be taken for each identified risk in order to provide the basis for determining the risks that require further “treatment” to reduce their impact.

Risk analysis is about developing an understanding of the risk. It helps management determine whether risks need to be reduced (or treated) and the most appropriate risk-treatment strategies and methods. Risk analysis involves the consideration of the causes and sources of risk, the positive and negative consequences of the risk, and the likelihood that those consequences can occur.

The overall level for each material business risk is analysed by determining consequences of the risk eventuating and their likelihood. Existing risk controls and their effectiveness (as perceived by management) should be taken into account when considering how likely the risk event is to occur and the impact/consequences the event will have on the business.

Different risk-analysis techniques suit different circumstances. The table below lists a number of common risk-analysis techniques:


Key factors impacting selection of risk-measurement methodologies:

• Severity or volatility of risk
• Complexity
• Availability of data
• Desired capability
• Cost of implementation

Risk-measurement/analytical techniques, ordered by degree of sophistication (HIGH at the top, through MODERATE, to LOW at the bottom):

• Statistical analysis (probabilistic models)
• Scenario analysis/simulation
• Sensitivity analysis
• Position reports (exposure/volumetric)
• Risk rating or scoring
• Risk indicator analysis
• Group-facilitated qualitative prioritisation
• Individual qualitative self-assessment

Source: James DeLoach, Enterprise Risk Management, Prentice Hall


MANAGE THE MOST SIGNIFICANT RISKS

Where the level of risk is above the company’s risk appetite, management should develop and execute an action plan to address the risk in one of the following ways:

• Transfer the risk through the use of contracts or insurance arrangements.
• Reduce the risk by adopting alternative approaches to achieving the same objective or implementing appropriate risk controls.
• Accept the risk, and develop contingency plans to minimize the impact should the risk eventuate.

Identify and monitor the interdependencies: The complexity and interconnectedness of the global business environment makes it very difficult to see how one set of events can affect another. Understanding interdependencies, and the tools used to monitor them, will help the organization understand its critical dependencies, how long it can go without them, and how it can improve its chances of survival.

Managing key connections requires an in-depth understanding of the organization, knowing where vulnerabilities lie and making conscious decisions about which ones to accept and which to mitigate. Without the resulting transparency, the organization may be unprepared for either profound disruption or opportunity.

One useful tool for performing in-depth risk analysis and identifying interdependencies is a bow-tie diagram. In a bow-tie analysis, the causal factors of a risk event are identified (without necessarily working all the way back to the root causes), as well as the (potential) consequences of the risk event. Bow-tie analysis is a technique often used to provide structure to a brainstorming session. It is also often used to present or communicate key risks.

Take action:

1. Identify and document interdependencies between the identified risks
2. Communicate the interdependencies to the risk owners
3. Keep track of interdependencies during risk mitigation and monitoring


Allocate ownership for the top risk vulnerabilities: Once significant risks or vulnerabilities have been identified, management should develop and execute an action plan to address them. Any action designed to reduce the risk exposure should be owned by a member of the management team and the responsibilities and timeframes should be documented.

Check how effectively known risks are currently being controlled: One of the low-hanging fruits is to analyse how well identified risks and vulnerabilities are currently being controlled. Some risks are known and are easy to identify; take the simple example of foreign exchange. If the company has loans in foreign currency or has international sales or obligations, it has exposure. Risk managers can provide significant value by analysing the extent of the exposure and identifying whether there are any hedging or other controls currently in place. Other known risks include any risks that may have quantifiable legal or compliance implications, such as insurance or safety.

Take action:

1. Allocate risk owners to all significant risks
2. Discuss with the owners possible risk mitigations and the resources required

Take action:

1. Test how well the company currently controls known risks
2. Discuss with the risk owners whether additional risk controls need to be implemented


B. HELP SET THE TONE AT THE TOP

Define corporate risk-management policy: For many organizations, it may be appropriate to document management’s view of risk management in a policy document. A company’s risk-management policy should be designed to document the company’s risk-management approach, its willingness to accept risk, accountabilities for managing risk, and the resources and processes dedicated to the management of risk. It should ideally include and be reflective of a set of objectives that guide and shape risk-management activities, and it should outline how performance against these objectives will be measured.

An article published by Michael Rasmussen on October 5, 2010 (“Enterprise Risk Management Policy Structure”) provides an outline of what should be included in a risk-management policy. The organization’s policy and descriptions should not be “boilerplate.” They should reflect the actual activities undertaken by the company and its attitude and approach to managing material business risks.

Facilitate the assessment and communication of the company’s risk appetite: This is another crucial step to get executive management on board. One of the key elements of risk culture is a consistent risk language and a common understanding of risk appetite. This is unlikely to get formulated in a vacuum, as employees and managers come from different backgrounds and may have different perceptions about what level of risk should be tolerated by the company. The most practical approach is to break down the key risks faced by the organization into three groups:

• Completely intolerable or “zero tolerances”
• Tolerable, if the risk creates value for the shareholders and we can measure it
• Tolerable, if the risk creates value but it’s difficult to measure

As a bare minimum, risks that fall into the “zero tolerance” category should be clearly communicated across every level within the organization. Examples could include health and safety risks or fraud and other issues that are simply not tolerated by the executive management. Other risks, like foreign exchange exposure and turnover of key employees, can be quantified and as such, quantifiable measures should be put into place to detect when the level of risk is exceeding the desired threshold.

Again, it is important for employees (whose performance may have an impact on the achievement of these targets) to understand them. Some risk exposures may have a purely reputational impact and be more difficult to quantify. In this case, qualitative thresholds may be set, like in the case of supplier risk. However, any risk thresholds that are set for the company should be clearly communicated to the management and staff. More importantly, controls should be put into place to monitor these.

Both the board and senior management should have a clear understanding of what the company’s risk tolerance is and the extent to which they wish to manage risk. This should be reconsidered at least annually.


Take action:

1. Draft a risk-management policy based on your template
2. Interview selected senior managers to validate key drivers and values relating to risk management
3. Update the risk-management policy and validate it with the CEO/board
4. Publish the risk-management policy on the corporate website

Take action:

1. Identify and clearly communicate “zero tolerances”
2. Include controls measuring “zero tolerances” in the company’s employee performance reviews
3. Identify key risks and set quantitative and qualitative measures against them
4. Include both monitoring and forward-looking indicators to track company risk appetite


Include risk messages on the board of directors’ agenda: This is an important step in getting the board’s buy-in and educating board members in the risk-management language that could potentially be adopted by the company. The key point to remember is that some sensible output has to be generated by the risk-management team before risk messages can be placed on the board’s agenda. Another important point is that it is much more valuable to spend ten or fifteen minutes every meeting talking about risk matters than one hour once a year. Last but not least, the board members’ core competencies should be developed and maintained. It may be much more valuable for the company to spend the board members’ time discussing emerging strategic risks, rather than talking about an old and well-understood operational or compliance issue.

What you actually place on the board’s agenda is entirely up to you. You could allocate fifteen minutes to discuss general risk-management topics (this is usually more suitable for more mature organizations), or facilitate a more focused discussion on a particular emerging risk in order to reach agreement on next steps.

Create a separate risk committee, or expand the responsibility for risk oversight to an existing board-level committee: Risk oversight is an important element of risk management, and someone with a sufficient degree of independence should be given the overall responsibility for ensuring that significant risks have indeed been identified and appropriate action is being taken by the management to protect and enhance shareholder value. In the ideal world, the responsibility for risk oversight (and specifically for regular review of the state of risk management) should be shared by the full board.

In reality, however, there are quite a number of companies where risk-oversight responsibilities are given to existing board-level committees (such as turning the audit committee into an audit and risk committee) or given to a separate brand-new committee. This is usually a step taken by companies that have reached a certain level of risk maturity.

Take action:

1. Examine the existing Board agenda
2. Identify current items that may be used to trigger a risk-management conversation
3. Interview selected Board members to understand their needs in terms of risk-management information
4. Prepare for the first meeting and be present to answer questions; agree the format and frequency

Take action:

1. Review existing board and board committees’ agendas to identify any risk-related items
2. Select a concise list of risk issues that would benefit from the board’s review
3. Pilot test the introduction of risk-management items on the agenda with a selected few board members
4. Include risk-management matters as a standing item on the board’s agenda


Promote risk management both internally and externally: Once the company achieves tangible results by managing certain risks well, share this information both internally and externally. This can be done by presenting at various industry events or publishing small articles in relevant magazines. This will reinforce a positive risk-management image, both within the company (by creating pride) and externally.

Take action:

1. Identify opportunities to present
2. Discuss these opportunities with the management
3. Present at external opportunities

Create a “no blame” environment: At every opportunity you should encourage staff to raise risk issues. This can be done by giving out your contact information and spending time walking the floor and talking to the staff.

Motivate the staff to proactively identify and prevent risks. You may consider introducing special awards. Discuss this with the senior management to get support and buy-in. Create a “no blame” policy, and communicate it across the company.

Take action:

1. Communicate your contact details and talk to staff often
2. Create and communicate a “no blame” policy


C. HELP DEFINE RISK-MANAGEMENT ROLES AND RESPONSIBILITIES

Clearly defining roles and responsibilities is critical for establishing a robust risk-management culture. We have established the following five recommendations to provide you with some practical advice on how companies can ensure that risk-management is everyone’s responsibility.

Define a risk-governance model suitable for your company: Making sure that risk-management roles and responsibilities are clearly defined and understood by all levels of management and staff is critical to the success of risk-management. One way to approach this is by implementing a risk-governance model. This was recommended to us by one of the risk managers we interviewed. This supports our view that ethical compliance (which is more about hidden information) does not solve a principal–agent dilemma here. Stakeholders should be looking not only for hidden information, but for evidence of risk-management actions. It is important to appoint and enable the right professionals with the right set of skills. For example, it is important that a chief risk officer (CRO) understands the core principles of business, ethics, risk management, and compliance.

A risk-governance model could be built upon the concept of three lines of defence:

• Frontline or business: Executives, business unit management, and staff are responsible for timely risk identification, management, and reporting. They are also responsible for applying tools and techniques designed for managing risks.

• Risk-management functions: Risk-management teams (including dedicated teams responsible for dealing with safety, insurance, and financial risks) are responsible for methodology development, facilitation, education, guidance, and support. Sometimes, the risk-management team also plays a role of quality control and aggregation of risk information. This is common sense, as the risk-management team is not involved in day-to-day management decisions, and it would be unreasonable to expect the risk team to be responsible for proactively managing risks.

• Internal audit team and the board: Independent bodies like the internal audit team and the board provide an independent oversight that the organization’s risk-management is in fact working as documented in the policies and procedures, and key corporate risks are being managed.

Together, the three lines of defence provide a sound foundation for establishing robust risk-management within the company. More recommendations on how to roll out the risk governance model are provided below.

Take action:

1. Design a risk-governance model that is aligned with existing governance arrangements in the company
2. Define and document risk-management roles and responsibilities in a risk methodology document, position descriptions, and committee charters
3. Provide adequate training in risk-management roles and responsibilities for different levels
4. Review existing business processes to determine whether minimal adjustments could be made to integrate risk-management culture into day-to-day activities


Document risk-management roles and responsibilities in both job descriptions and committee charters: The first step in establishing a risk-governance model is to document risk-management roles and responsibilities. The common practice—as was confirmed in our interviews—is to document risk-management roles and responsibilities in a risk policy or methodology document. This is, however, of limited use, as the risk-management policy could be treated by the employees as a “technical risk-management document” that is irrelevant to the usual business practices. A good idea is to keep risk-management methodology documents in plain and simple English. An even better idea is to draft risk-management roles and responsibilities for different levels (say, each of the three lines of defence), validate them with management, and include them in job descriptions and committee charters. As was identified by one of the companies we interviewed, this has proven to be much more effective than just listing risk-management responsibilities in a methodology document.

Adjust existing business process documentation to reflect risk-management responsibilities: Speaking with a large group of risk managers at a forum held by a large risk-management consulting firm also helped us identify another recommendation that will help to cement risk-management roles and responsibilities. Instead of putting risk-management roles and responsibilities as an add-on to existing business processes, try to truly embed them. Let’s review an example that was successfully implemented by one of the companies we interviewed: Instead of documenting in a risk-methodology document that a risk assessment had to be completed for any project of a certain size, the company changed its project approval procedure, requiring a risk assessment to be prepared and reviewed before a project could be signed off on. No new “risk-management” document was created; instead, the long-standing project management procedure was modified to reflect the new organizational risk-management culture.

Check the management and staff’s “risk temperature” at least annually, or include risk-related questions in other behavioural assessments: All the risk managers we interviewed believe that periodically checking the company’s level of risk-management culture maturity actually helps to reinforce and strengthen the culture. Numerous commercial tools are designed to test risk-management culture; however, a simple comparison against the attributes of enhanced risk management listed in Annex A of ISO 31000:2009 could be sufficient. Regularly discussing culture and attitude to risk among senior management and the board, and communicating these expectations to other staff, is an important foundation of risk management.

Take action:

1. Select a risk-management benchmark that you think would be appropriate for your organization. ISO 31000:2009 would suit most companies.

2. Perform a self-assessment to establish the current state to measure against.

3. Choose the desired state of risk culture that would be appropriate for your company and the frequency of assessment.

4. Perform periodic risk-culture surveys.

HELP DEFINE RISK-MANAGEMENT ROLES AND RESPONSIBILITIES


Take action:

1. Develop a set of risk-management KPIs for each level in accordance with the company’s risk-governance model (executive, business unit management, risk management, internal audit, etc.).

2. Review the existing annual performance review process, and develop a strategy for incorporating risk-management KPIs into the process. This has to be done together with HR and followed by an extensive communication program.

3. Track employee performance against risk-management KPIs for the first year as a trial.

4. Reward positive signs of risk-management culture and reinforce good risk-management behaviour beginning with year two. Signs of poor risk management should be identified and fixed.

Include assessment of risk-management roles and responsibilities in the annual staff performance review process: Once the risk-management roles and responsibilities have been documented in the risk-methodology document, job descriptions, and committee charters, they need to be reinforced by appropriate KPIs and assessed during annual or semi-annual performance reviews (depending on the company’s procedure).

As we have mentioned before, risk management is everyone’s responsibility; however, as experience shows, extra responsibility is rarely accepted without appropriate motivation. This was supported by the findings from our interviews with the sample companies: those that have formalized risk-management KPIs have shown significantly greater progress in developing a risk-management culture than those that have not.

Risk-management KPIs should be set in accordance with the risk-governance model, as discussed above. This means that there usually are different KPIs for different levels within the company. For example, a KPI for the CEO could include an annual review of risk appetite and risk-management policy, reporting to the shareholders, and so on, while a KPI for staff would include timely risk reporting, appropriate risk escalation, and risk mitigation.


This is the golden rule of risk management: keep it simple! As a risk manager, your objective is to help your company implement a risk-management process that is part of the corporate governance system. Risk-management initiatives should be clear to everyone and easy to embed into normal business activities; otherwise, you will most likely meet strong resistance or simply be ignored. Talking the accepted business language rather than using risk-management terminology often makes risk-management communication more effective. Risk measures such as value at risk (VaR) and earnings at risk (EaR) may be appropriate when speaking with the CFO or other financial officers, yet they might be a turn-off to the marketing director or the corporate lawyers.

REMEMBER TO KEEP IT SIMPLE

CASE STUDY

One of the strongest examples of risk-culture growth we have observed took place at one of Australia’s airports, which happens to be the busiest airport in the Southern Hemisphere by aircraft movements.

For almost two years, we (at the time working as risk consultants) would meet with the management team every quarter to discuss and map out the major company risks. Normally, we would conduct a series of interviews in which we tracked the progress of the risk mitigations that we had previously designed and agreed upon. A summary report would be prepared, showing the progress in managing the known risks plus any emerging risks that had come to management’s attention. Then we would gather the management team together for a joint discussion around what the risks were and how well the company was able to deal with them.

Then the financial crisis hit and, without noticing, the management team shifted from quarterly risk reviews to real-time risk management. One remarkable example was when the airport’s CFO decided to conduct a risk analysis of the airport’s key customers, as he was alarmed that the financial crisis might affect the customers’ financial stability and, in turn, the airport’s revenues. He followed the analysis with an action plan to counteract the potential impact on the company.

There were other examples as well where the management team identified emerging risks and took active steps to prevent them. Now, imagine what a risk specialist working at the company full-time can do to shift the CEO’s perspective of risk management.


E. INVOLVE STAFF AS MUCH AS POSSIBLE
F. ALIGN RISK-MANAGEMENT, STRATEGIC PLANNING, BUDGETING, AND PERFORMANCE MANAGEMENT
G. CREATE A NETWORK OF RISK CHAMPIONS
H. PROVIDE RISK-MANAGEMENT TRAINING
I. ASSIST MANAGEMENT IN EVALUATING PROJECTS AND OPPORTUNITIES USING RISK ANALYSIS
J. FACILITATE OPEN COMMUNICATION

OBJECTIVE 2: HELP INTEGRATE RISK-MANAGEMENT INTO BUSINESS


Take action:

1. Identify internal stakeholder groups.

2. Consider how each group can be involved to provide the most value.

3. Don’t overcomplicate it, but keep track of the important stakeholders, as it is easy to lose sight of them.

INVOLVE STAFF AS MUCH AS POSSIBLE

At the end of the day, the success of risk-management is all about corporate culture. To make sure that the process is not alien to the staff, risk managers need to involve the employees in the process from the very beginning. This means involving them in the way that is accepted in the company (e.g., workshops and/or individual meetings). Make sure that all important risk-management messages from the board or the senior executive team are communicated throughout the company. Where particular risks affect several business units, facilitate collaboration between the units to agree on the risks’ causes, consequences, magnitude, and actions.

It is considered good practice for the risk manager to do the preliminary risk research, come up with suggestions for potential vulnerabilities and risk-management strategies, and then bring in management and staff to carry out the actual risk identification, assessment, and mitigation.


Risk-management plays an important role in developing a robust strategy. It is instrumental in challenging strategic plans and prompting executives to think about the other side of the coin. Risk-management objectives help a company reasonably articulate which risks associated with strategy the company is prepared to take on and which risks the company should manage at all costs, or when the company should alter its strategy if the unacceptable risks cannot be managed.

Opportunities exist to achieve a better alignment among risk-management, strategic management, and business-planning processes. This could involve establishing more transparent links between strategic risks and strategic objectives, considering outcomes of strategic risk profiling in preparation of strategic planning assumptions, and incorporating risk-mitigating strategies in the organization’s business plans.

The starting point for embedding risk-management is to link the risk-identification process to the company’s strategic and business plan objectives, using risk assessment as an element in strategic and business plans. Risk and performance are managed and monitored in an integrated manner to help achieve better overall governance.

Practically, risk-management objectives can be aligned to strategic objectives through:

• Articulating risk appetite;

• Identifying major risks to strategy and informing the strategic plan;

• Performing a scenario analysis of major strategic uncertainties over the medium-term horizon;

• Developing actions to mitigate major current risks and prepare to address emerging ones;

• Including the costs of risk-management actions in budgets;

• Assigning accountability for the risk-management actions and including those in the executives’ performance metrics.

Effective risk-management provides increased confidence that we can deliver desired outcomes, manage risks and threats to an acceptable degree, and make informed decisions about opportunities. Alignment of risk-management to strategic planning, budgeting, and performance management can deliver a range of benefits by:

• Improving planning processes by enabling the key focus to remain on the core business and helping to ensure the continuity of service delivery;

• Reducing the likelihood of potentially costly “surprises”;

• Preparing for challenging events and improving overall resilience;

• Prioritizing budgeted resources;

• Optimizing performance through efficiencies in service delivery, major change, and quality-assurance initiatives; and

• Contributing to the development of a positive organizational culture of improved governance, clear purpose, and roles and accountabilities for all staff.

ALIGN RISK-MANAGEMENT, STRATEGIC PLANNING, BUDGETING, AND PERFORMANCE MANAGEMENT



Take action:

1. Include a strategic risk-profile discussion on the agenda of an executive strategy session.

2. Articulate the parameters of risk appetite and agree to them individually with executives beforehand.

3. Prepare an executive risk discussion paper that includes:

• The results of an environmental scan for the main current and emerging risks.

• An analysis of the risk-monitoring reports from the business units and the status of risk-mitigating actions, highlighting changes in the internal environment that might affect the risk profile.

• A refreshed company risk profile, highlighting major current and emerging risks that are above the company’s risk appetite, with comments on the changing nature of these risks and the status of the mitigating actions.

• Two to four scenarios around major emerging risks to discuss how the company could benefit from applying risk-management principles.

ALIGNMENT TO STRATEGIC AND BUSINESS PLANNING

Understanding how risks align with the planning processes enables us to effectively integrate risk management into our governance and management structures. Risks are dealt with as part of any planning and implementation process, including strategic planning, business case evaluations, and major projects. Key risks are also an important part of the funding plan submissions to the treasury (for state enterprises).

Strategic risk-management applies to the process of considering and managing the strategic risks on the executive risk profile, which may impact the company as a whole.

Strategic risks are those that may have a direct and significant impact on the strategic plan. They are managed by the executives collectively and by each member of the executive committee individually.

Business plan risk management applies to the process of considering and managing risks to the delivery of major projects and services. Business plan risks include tactical and operational risks. Risks associated with major projects and initiatives relate to the delivery of infrastructure projects.

The key to success is to include a strategic risk agenda in the annual senior executive strategy sessions. This is where the CRO or risk manager should act as a strategist, able to facilitate challenging conversations with senior executives. These discussions may cover a range of areas: major strategic uncertainties affecting strategic objectives (including emerging risks and opportunities), how these may evolve over the medium term (scenario planning), and what strategies the company may need to develop to seize opportunities or deal with a potential downside (e.g., mitigate it or change the strategy). Considering the “risk upside” may involve a risk-based approach to prioritizing opportunities and evaluating opportunities as part of the strategic risk-assessment process.

The executives should achieve an agreement on major risks at the entity-level, prioritize them, and agree on a management approach; initiate implementation of risk-mitigating actions; and collectively analyse a report on the major risks and the company’s progress on the actions on a regular basis. Outcomes of strategic risk profiling should be considered in finalizing strategic planning assumptions and incorporating risk-mitigating strategies into divisional business plans.

It is important that this link to strategic and business planning is maintained throughout the business period (e.g., a financial year). The effectiveness of risk-management actions can be demonstrated through:

• Monitoring key risk-mitigating actions and reporting on the progress to the executive; and

• Delivery of the business plans and effectiveness of the key business processes.


ALIGN RISK-MANAGEMENT, STRATEGIC PLANNING, BUDGETING, AND PERFORMANCE MANAGEMENT

ALIGNMENT TO BUDGETING

Risk information helps identify resourcing requirements and assists in the prioritization of available resources as follows:

• Risk information and estimates of resource requirements for the mitigation of major risks are included in program and project proposals and considered by the executive.

• Risk-management resourcing implications are included in the business unit plans and the corporate plan and approved by the executive.

• The risk-management resource implications are included in the funding plan (for state-owned enterprises) and approved by the executive.

• The budget prioritization process takes into account the company-wide and business unit risk profiles.

The risk-management framework allows the escalation of risks throughout the year, with any financial considerations being subject to the executive and the board of directors’ decision as appropriate. However, the identification and assessment of risks will not necessarily be a trigger for additional funding. If additional funding is available, then this can be used to accommodate the risk-treatment activities required to manage the areas of high risk. In most cases, however, the reduction of the risk exposure in a particular area will be accommodated by reprioritizing the available activities, resources, funds, or other investment into that area.


Take action:

1. Review the KPIs and performance agreements of the members of the executive board and their direct reports and, if necessary, update them to include high and extreme risks, current risk-mitigating activities, and future initiatives to be implemented.

2. Align risk-management objectives and other performance objectives to ensure they do not contradict each other.

3. Analyse the risk profile and identify the “people component” of the risks. The following areas should be in focus:

• Leadership, commitment, and support

• Knowledge and capabilities

• Behaviour and development

• Ethical risk (ensure that policies, practices, and communication support ethical behaviour).

4. Ensure that performance agreements, KPIs, and risk-treatment strategies effectively address these components.

RISK MANAGEMENT AND PERFORMANCE MANAGEMENT

Risk-management objectives are linked with performance management at all levels of the organization. Appropriate risk culture is supported by ensuring that risk-management objectives and overall performance objectives are aligned. This is supported in the following ways:

• The executives (members of the executive board) and their direct reports’ performance agreements incorporate risk-management objectives such as high and extreme risks, target (or acceptable) risk ratings, risk-management strategies, KPIs, and due dates.

• Identification of the “people component” of major business risks—leadership, knowledge, capabilities, behaviour, staff turnover, succession planning, training and development, and culture. Relevant risk-management strategies are developed to address the root causes of these risks.


ALIGNMENT TO DECISION MAKING

To slowly shift the corporate culture toward risk-management, it is important to steer away from the perception that risk-management is detached from the business. One of the most useful, yet simple, ways of doing this is to integrate elements of risk analysis into decision making. This can be done in a way that suits your company best. Here are two examples:

• Major business decisions can be put through the risk-management team, so that appropriate risk analysis can be done and attached to the decision proposed. This will help to present a much more complete picture to the management and the board; however, this is also quite time-consuming and demanding, so the pros and cons need to be carefully considered. The volume of transactions/decisions would be a key factor in deciding whether to adopt this process or not.

• A minor adjustment can be made to the document template currently used for submitting key decisions to management or the board. By including a section on the “risks associated with the proposed decision,” the risk manager can encourage staff to actively think about the downsides of any proposed decision and document them.

Other examples may include:

• Investment decisions. By adopting a probabilistic approach to investments, companies can avoid many of the pitfalls inherent in more traditional evaluations. Instead of a single net present value (NPV) point estimate, companies can determine the probability of a whole range of outcomes, including the probability of a negative NPV. The range of probabilities can then be compared with those associated with alternative project structures.

• Financial decisions. Most financial policy decisions involve risk trade-offs that should be viewed within the context of enterprise cash flow and value trade-offs. Too often, these decisions are based on arbitrary debt/equity guidelines or target credit ratings instead of cash-flow-at-risk and value-at-risk principles.

• Operational decisions. Decisions on a company’s manufacturing footprint, supply chain design, outsourcing, and inventory policy involve significant risk-return trade-offs that can also benefit from an enterprise risk perspective.
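To make the probabilistic investment analysis described above concrete, here is an added worked example that is not part of the original guide and not a method the authors prescribe. It replaces a single net present value (NPV) point estimate with a Monte Carlo distribution of outcomes and reports the probability of a negative NPV, so that alternative project structures can be compared on that probability rather than on a single figure. The project figures, the discount rate, and the normal-distribution model for annual cash-flow uncertainty are all assumptions constructed for the illustration.

```python
"""Monte Carlo NPV: a distribution of outcomes instead of a point estimate.

Added example, not from the guide. Every figure below is constructed:
a hypothetical project with an upfront outlay and uncertain annual cash
flows, where each year's cash flow is modelled as a normal draw around a
base-case forecast with a relative volatility (assumed model).
"""
import random
import statistics
from typing import Dict, List, Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value; cash_flows[0] occurs now and is not discounted."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def simulate_npv(rate: float, initial_outlay: float, forecasts: Sequence[float],
                 volatility: float, runs: int = 20_000, seed: int = 42) -> List[float]:
    """Return one NPV per simulation run.

    Each year's cash flow is drawn from N(forecast, forecast * volatility)
    (assumed model). A fixed seed keeps the result reproducible.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(runs):
        flows = [-initial_outlay] + [rng.gauss(mu, mu * volatility) for mu in forecasts]
        results.append(npv(rate, flows))
    return results


def summarise(samples: Sequence[float]) -> Dict[str, float]:
    """Point estimate's replacements: mean, tail percentiles, P(NPV < 0)."""
    ordered = sorted(samples)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "p5": ordered[int(0.05 * n)],
        "p95": ordered[min(int(0.95 * n), n - 1)],
        "p_negative": sum(1 for x in ordered if x < 0) / n,
    }


def compare_structures(rate: float, structures: Dict[str, dict]) -> str:
    """Rank alternative project structures by probability of a negative NPV
    and return the name of the one with the lowest such probability."""
    scored = {
        name: summarise(simulate_npv(rate, **params))["p_negative"]
        for name, params in structures.items()
    }
    return min(scored, key=scored.get)


if __name__ == "__main__":
    # Constructed comparison: same expected cash flows, different risk profile.
    rate = 0.10
    options = {
        # Build in one go: larger outlay, higher but more volatile cash flows.
        "build": dict(initial_outlay=100.0, forecasts=[60.0, 60.0], volatility=0.5),
        # Phase it: smaller outlay, steadier cash flows.
        "phased": dict(initial_outlay=80.0, forecasts=[48.0, 48.0], volatility=0.2),
    }
    for name, params in options.items():
        stats = summarise(simulate_npv(rate, **params))
        print(f"{name:>7}: mean={stats['mean']:7.2f}  p5={stats['p5']:7.2f}  "
              f"p95={stats['p95']:7.2f}  P(NPV<0)={stats['p_negative']:.3f}")
    print("lowest probability of loss:", compare_structures(rate, options))
```

Note that both options have a positive point-estimate NPV at a 10% discount rate, so a single-figure comparison would not distinguish them; the simulated probability of loss does. With `volatility=0.0` the simulation collapses back to the deterministic NPV, which is a useful sanity check when adapting the model to real figures.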

Take action:

1. Review the current decision-making process and any templates used.

2. Update the template to include risk analysis (it can be complex or simple, depending on your needs).

3. Provide adequate training and guidance to the users of the form.

4. Pilot test and implement.


Take action:

1. Define the roles and responsibilities to be fulfilled by risk champions.

2. Determine the appropriate number of risk champions.

3. Provide adequate training to allow risk champions to fulfil their new duties.

4. Develop an appropriate motivational package for risk champions (this could be extra recognition at the annual performance review or a slight salary increase).

CREATE A NETWORK OF RISK CHAMPIONS

Another useful technique that is being adopted by companies with mature risk cultures is establishing a network of risk champions. Risk champions are the “glue” between the risk-management team and the business unit staff. Risk champions could either be a representative from the management team or a staff member, although in each of these cases, the roles would differ. The management risk champion would be responsible for driving the risk-management agenda and reinforcing risk culture within his/her business unit. The staff risk champion would be responsible for coordinating risk-identification activities, working with risk owners to define risk-mitigation actions, monitoring their execution, and aggregating risk reports.

There is no one-size-fits-all approach in regards to risk champions. For some smaller companies, it may be appropriate to have one or two risk champions supporting the core risk-management team. People who are naturally motivated toward risk-management are usually given this extra opportunity. It goes without saying that extra responsibility should be reinforced with extra motivation as well. You will find more information about this in the risk and reward section below. For larger organizations, it may be required to allocate a risk champion for every geographic location where the company is present, or even a risk champion for each major line of business. As our experience shows, having a network of risk champions within each business unit usually proves to be excessive and overly time-consuming.


Risk-management is not a “one-off” activity—it has to be sustained through regular communication and training. In this section, we have grouped key recommendations that will help build strong risk-management communication channels and provide good training. These recommendations will reinforce and strengthen the risk culture within your company.

Include risk-management in the training for new hires: Dealing with uncertainty and managing risks may sound like common sense, but it’s not straightforward for everyone. Nor should it be, as employees come from different backgrounds and experiences. Hence, it is especially important once the company has started on the path of formalized risk-management that all employees who join the company are taught the foundation. One of the risk managers we interviewed confirmed that an introduction to risk management needn’t be lengthy—in fact, it could be as quick as ten minutes and cover only the basics like risk-management policy, key roles and responsibilities, and the frequency of major risk events (e.g., quarterly risk assessments, semi-annual risk reports, and so on).

Provide training to executives and the board of directors: It is equally as important to provide adequate risk education to the top management and the board. We have already mentioned that it is critical that the company leadership all speaks the same risk language and shares an understanding of the firm’s risk appetite. This is an important action, as noted by all the risk managers we interviewed. Executives and the board must share the vision of risk-management created by the risk-management team, and this is only achievable by providing sufficient education and guidance at the top level. Consider using external facilitators to provide the most impactful and powerful training. (Unless, of course, you yourself are a wizard at facilitation.)

Provide training to risk champions: Risk champions are very important to the successful rollout of risk management within the organization. As soon as risk champions are nominated, they are given extra risk-management responsibilities. In order for them to fulfil their new responsibilities, they must be adequately trained. Risk-management training has to provide a good foundation and include:

• Risk-management terminology;

• Risk-management roles and responsibilities;

• Risk-management processes;

• Risk reporting; and

• The indicators of a positive risk-management culture, etc.

It may also be appropriate to provide additional training to the risk-management team itself. Various certifications are available from international risk-management bodies, which can help significantly raise the competency level of risk-management staff.

PROVIDE RISK-MANAGEMENT TRAINING

Take action:

1. Draft the risk-management curriculum for the company, including training for new staff, senior management and the board, and risk champions.

2. Build risk-management training into the existing training schedule for the company. You will need to coordinate with your HR team.

3. Consider risk-management certification programs for the risk-management team itself.

4. Consider annual certification for employees in high-risk areas.

Take action:

1. Identify learning priorities for the board (if any).

2. Develop the program.

3. Include it in the annual development plan for the board.

4. Consider using external facilitators.


Make training competency based: A minor but important point: training is an investment decision for a company, like any other. It costs money to develop training, invite trainers, and take staff away from their day-to-day work. Just like any other investment, the company should track the return on that investment. As suggested by one of the risk managers we interviewed, any risk-management training provided by the company should be competency based, so that management can see whether the lessons have been learned and the risk culture of the organization has improved.

Consider annual certification for employees in high-risk areas: Another useful suggestion is to consider annual risk-management certification for employees in high-risk areas. This will help ensure that employees working in areas like trading, hedging, insurance, safety (this is, by the way, done already in most organizations), high operational risk, etc., possess the necessary risk-management skills required to fulfil their job responsibilities. The certification may include knowledge of relevant legislation or standards and internal company procedures related to risk-management.


There is value in applying risk analysis during the evaluation of major projects or other management decisions. If such an opportunity arises, risk managers should seek the responsibility for conducting such analysis.

Analyses should be comprehensive, yet easy to read and understand. The risks need to be analysed from different perspectives, including financial implications, reputations, safety, environment, and so on. It would also help to document and analyse any key external drivers that may impact the project.

The downside, of course, is that every project will require risk-management review and thus will take up most of the risk-management team’s time. This is probably not preferred; however, it is entirely up to you.

ASSIST MANAGEMENT IN EVALUATING PROJECTS AND OPPORTUNITIES USING RISK ANALYSIS

Take action:

1. Identify the financial, reputational, safety, environmental, etc., risks associated with the project.

2. Identify and test the key external drivers that may affect the project in the future.


Take action:

1. Identify all the stakeholders you need to influence.

2. Identify their main motivators, hobbies, and interests.

3. Do your best to make what you want to achieve seem tangible to your target audience.

4. Speak their language.

FACILITATE OPEN COMMUNICATION

Speak the business language: Bryan Whitefield said it best in his newsletter: "Identify all the stakeholders you need to influence. Identify the order in which you wish to tackle them. It is always best to get senior management’s buy-in first; however, sometimes that just isn’t possible, and you have to win over their key influencers before you can tackle them. Make sure you have a clear strategy.

Identify their main motivators, hobbies, and interests. Your best opportunity for engaging someone who does not already know you and trust you is to ignite his/her interest through something he/she is already passionate about.

Risk-management has so many intangibles. You need to do your best to make what you want to achieve seem tangible to your target audience. People comprehend best when you provide them with both visual and verbal descriptions—so draw a picture and tell a story. Choose examples that are most likely to relate to the motivators, hobbies, and interests you have identified.

Speak their language—I call it moving from “risk speak” to “c-suite speak” when engaging senior executives. Too often we simply blurt out what we know is needed in what we might consider to be simple risk language; however, it may mean almost nothing to our audience. Try talking “inherent risk” with a CEO. You know—the world without controls. You would probably agree that a better approach would be to discuss the need to identify where the organization may be able to save some compliance costs by understanding which of the company’s current controls are the most important and which are not."

Source: Risk e-Views Vol 4, December 2010, Risk Leadership: How to be Heard, Bryan Whitefield, Director, Risk Management Partners

Include risk messages in external company communications: Risk-management disclosure is very important. Increasingly, stakeholders look to companies to provide evidence of effective management of not only the financial risks, but also other nonfinancial material business risks in such areas as community affairs, human rights, employment practices, health and safety, and the environment.

It is recommended for disclosures to include the following items:

• A summary of the company’s risk-management policy on the company’s website, in a section clearly titled “corporate governance”

• A corporate governance statement for the annual report, including:

  • An overview of your company’s risk-management processes

  • Progress made since last year in managing risks

  • The governance structure in place to manage risks

  • Any major achievements in managing risks

The following disclosures are optional, and you may choose to exclude them from the annual report, as they may be considered commercially sensitive information:

• Details of the company’s risk profile

• Details of the risk mitigations

• Historical losses from specific risks

When a company discloses information elsewhere in the annual report or on its website, it can cross-reference that information to avoid duplicating disclosures.

Take action:

1. Identify key external reports published by your company

2. Consider including risk-management topics in the external reports (e.g., a risk-management section in the annual report, or a risk-management section in the reports prepared for government agencies)

3. Include both information on the current processes designed to identify and manage risks and the specific risks that may be relevant to the reader

Share information about key risks between divisions: Many organizations practice risk-management in “silos” and do not consider the possibility of risk interactions and risks in combination. Of course, silos (and the expertise within them) are a necessary component of effective risk-management, but the key for risk managers is to facilitate good communication. Risk managers need to help build a mechanism to escalate those risks, identify a key risk owner to compile and view those risks in a “portfolio” view, and analyse them across those silos. The goal is not to break the silos down; it’s to foster communication among and between them.

This can be facilitated by:

• Distributing the corporate risk reports to all company staff

• Posting all significant risk communications on the corporate intranet

• Including risk messages in company-wide communications, such as magazines and newsletters

• Sharing key lessons learned from realized risks between divisions or locations

• Sharing positive examples of risk management with everyone in the company.

Take action:

1. Identify existing silos

2. Inform everyone about the company’s risk profile

3. Document lessons learned, and share them across locations and divisions

4. Share positive examples of risk management with everyone in the company

Create simple methods for risk escalation: Employees are an invaluable source of information about emerging risks. It is common for junior and middle staff to talk about problems and pain points long before they become real problems for the company.

To take advantage of this source of information, risk managers need to establish a simple and transparent escalation process. It should be easy for an employee to call or e-mail the risk manager to share his/her concerns about an emerging risk. It’s equally important to notify the staff that such escalation mechanisms exist.

Treat this reporting line as an early warning system, and praise the people who participate.

Take action:

1. Develop a simple escalation mechanism for reporting emerging risks (provide contact details on the intranet, or develop a very simple and short form)

2. Communicate the escalation mechanism to all staff

OBJECTIVE 3: BECOME A TRUSTED ADVISOR

K. SCAN THE HORIZON OFTEN, AND REMEMBER TO CHALLENGE THE ASSUMPTIONS

L. INFORM THE MANAGEMENT ABOUT EMERGING RISKS AND FOCUS ON THREATS

M. CONDUCT RISK RESEARCH UPON MANAGEMENT’S REQUEST

N. ESTABLISH A NETWORK OF RISK MANAGERS FROM PEER COMPANIES

O. FINE-TUNE YOUR OWN RISK-MANAGEMENT SKILLS

For more information on Becoming a Trusted Advisor in Risk, please visit Bryan Whitefield’s website, www.rmpartners.com.au

K. SCAN THE HORIZON OFTEN, AND REMEMBER TO CHALLENGE THE ASSUMPTIONS

Risk managers need to look beyond the boundaries of the firm and consider what is happening elsewhere. In recent years, businesses around the globe have become increasingly interdependent, which brings great benefits in both efficiency and innovation, but also increases companies’ exposure to risks – in many cases, risks they don’t even know about. Risk managers need to go beyond the known issues to look at links and interdependencies. Scenario analyses may be used for all types of risk with both short- and long-term time frames. With short time frames and good data, likely scenarios may be extrapolated from the present time. For longer time frames or with weak data, a scenario analysis becomes more imaginative.

By understanding current assumptions about the business environment and the existing business model and describing their antitheses, enterprise leaders can identify the characteristics of major shifts in advance and whether they are beneficial or adverse.

This topic has been covered very well in the book The Black Swan by Nassim N. Taleb. Two more recent studies by the Corporate Executive Board and Deloitte Touche Tohmatsu indicated that over 65 percent of the time it is the external/strategic risks that cause the most damage to companies. This is a significantly larger percentage than from financial risks or operational failures.

Take action:

1. Identify key assumptions used during company planning

2. Develop a program for periodically testing these assumptions (you may consider using key risk indicators)

3. Identify a set of plausible scenarios

4. Regularly (at least semi-annually) perform stress testing and scenario analysis

L. INFORM THE MANAGEMENT ABOUT EMERGING RISKS AND FOCUS ON THREATS

One of the fundamental skills that any risk manager needs to possess is the ability to communicate emerging risks to senior management. This means having the right processes in place to scan the environment to identify the emerging risks, package the information appropriately, and present it in a timely manner.

In order to get the message across, the communication to senior management should include the following:

• Threat overview

• Immediate, medium-term, and long-term implications for the company (ensure that both financial and nonfinancial consequences are covered)

• Speed of the threat (how much time does the company have to respond?)

• Existing readiness (how prepared is the company?)

• Proposed solution/action, including responsibilities and timeframes

Take action:

1. Once the emerging risk has been identified, validate it with a superior

2. If the perceived threat is judged to be significant, prepare the communication and present it to senior management

M. CONDUCT RISK RESEARCH UPON MANAGEMENT’S REQUEST

Sometimes management may request specific research into a particular threat. For example, they may believe that the company’s exposure to FX fluctuations is growing too quickly and ask you to investigate the full extent of the perceived problem and provide possible solutions.

Requests like this are always good news and highlight that risk-management skills are in demand. Should you receive such requests, go ahead and do them. If specific skills are required, you may be able to bring consultants on board to help you investigate the problem. Usually, such a request is most effective after you have conducted some preliminary analysis first.

Take action:

1. Seek to understand the background behind the request

2. Conduct the necessary research and provide a response

N. HAVE A NETWORK OF RISK MANAGERS FROM PEER COMPANIES

Now here is a good idea – do not reinvent the wheel! Whenever possible, learn from others by establishing a network of risk managers from peer companies. You will invariably meet others while attending various risk-management conferences throughout the year. Stay in contact with them, learn from each other, and share experiences.

Obviously, every country is different. The risk conferences and events that I had an opportunity to attend in Russia were absolutely useless in terms of new knowledge. However, they did serve as a wonderful networking platform.

Take action:

1. Try to meet risk managers from peer companies

2. Network during external risk-management events

3. Stay in contact, share, and learn from each other

O. FINE-TUNE YOUR OWN RISK-MANAGEMENT SKILLS

Risk-management is a very dynamic discipline, and you need to stay up-to-date on current developments. However, fine-tuning your risk-management skills is as much about learning new risk-management techniques as it is about learning about business in general. The days of the risk manager/methodology guru are over. Senior management now expects risk managers to both help identify emerging threats and work together with the business to develop mitigation plans. As a result, risk managers need to be thoroughly familiar with the specifics of the business and industry they work in.

This means that attending conferences relating to your industry is just as important as attending risk-management events. It is crucial that, as a risk manager, you understand industry-wide issues and challenges.

If you feel it would significantly boost your value to the company, you may consider obtaining the appropriate risk-management certification. Some examples include FRM (financial risk manager; Global Association of Risk Professionals), ERP (energy risk practitioner; Global Association of Risk Professionals), or PRM (professional risk manager; Professional Risk Managers’ International Association).

Keep track of the relevant risk-management standards and publications. Some of the core materials that you need to be familiar with include:

• Global Risk Report, published annually by the World Economic Forum

• ISO 31000:2009

• ISO/IEC 31010:2009

• ISO 73:2009

• King III

• ASX Principles

• Basel III

• Solvency II

• Guidance for boards and audit committees (monitoring the effectiveness of internal control, internal audit, and risk-management systems)

• Assessing the Adequacy of Risk Management Using ISO 31000 from The Institute of Internal Auditors

• Practice Standard for Project Risk Management from the Project Management Institute

• BS 25999:2003, Business Continuity Management

• CobiT (Control Objectives for Information and Related Technology), and so on.

Risk-management consulting firms often provide free risk-management newsletters. It’s also a good idea to sign up for one or two of these.

Take action:

1. Learn as much as possible about your business by attending meetings and studying internal reports and industry publications

2. Continue to develop your risk-management skills by staying up-to-date on the latest thought leadership (large consulting firms regularly publish articles)

3. Consider risk-management certification

4. Be familiar with the common risk-management standards

CONCLUSION AND NEXT STEPS

We sincerely hope that you found this guide useful. You are almost done reading it, so let us quickly recap some of the key points:

• Risk-management is as much about the tools and techniques as it is about the cultural change and the mindset of employees. In order to strengthen the risk culture, risk managers should start by defining the overall risk profile, while helping to set the tone at the top and defining the risk-management roles and responsibilities. And remember: overcomplicating may do more damage to the risk culture than good.

• It is critically important to avoid positioning risk management as a separate and independent activity. Risk managers should help integrate risk management into the business. This can be achieved by involving staff as much as possible in the risk-management process, integrating elements of risk analysis into strategic planning, budgeting, and performance management, creating a network of risk champions, providing risk-management training, and assisting management in evaluating projects and opportunities using risk analysis.

• Risk managers should aim to become a trusted advisor to the company’s senior management and the Board. Some tips include regularly scanning the horizon for emerging and external risks, critically testing management assumptions, and bringing a risk perspective into the discussion wherever possible.

In the appendix we have provided two indicative roadmaps that help prioritise the 15 action points covered in the guide, depending on the risk maturity of your organisation. Implementing risk management is not an overnight process; it is a journey. We hope you enjoyed your journey so far!

An honest warning: there will be a time when you experience pressure to produce quick results. Stay true to the risk-management profession! Break your work down into two streams:

• “Here and now” – help management identify and manage immediate threats or risks that have been neglected before. The good news for risk managers (and the not-so-good news for the business) is that there will always be risks that are poorly managed or completely ignored.

• “Future value” – don’t lose focus on the development of the risk culture within the organisation. It may take time for senior management and employees to embrace the positive aspects of risk-management; however, the payoff will be great.

Good luck and thank you for taking the time to study this guide!

APPENDICES

A. RISK-MANAGEMENT ROADMAPS

B. BIBLIOGRAPHY

APPENDIX A – RISK-MANAGEMENT ROADMAPS

FOR THOSE NEW TO THE RISK-MANAGEMENT ROLE

Based on experience, we provide the following sequence of activities for anyone who is new to the risk-management role or is a risk manager starting to develop a risk-management system at a new company. This, of course, is only an example and is subject to the specifics of your company.

For illustration purposes, we also mapped some activities as being relatively easy and not too time-consuming to implement, while others are more complex and may require appropriate preparation.

FOR THOSE TRYING TO RAISE THE RISK-MANAGEMENT PROFILE IN THE COMPANY

Based on our experience, we provide the following sequence of activities for risk managers who are trying to raise the risk-management profile within their company or are just trying to reinvigorate the team. This, of course, is only an illustrative example and is subject to the specifics of your company.

APPENDIX B – BIBLIOGRAPHY

• AM Best and Towers Perrin (2008). AM Best ERM criteria. www.towersperrin.com

• Australian Securities Exchange (2007). Principles of Corporate Governance and Best Practice Recommendations. www.asx.com.au

• Buchanan, D.A. and Huczynski, A. (2010). Organisational Behaviour, 7th ed., Pearson Education Ltd.

• Carey, A. (2004). Corporate Governance. A Practical Guide [online]. London Stock Exchange plc & RSM Robson Rhodes LLP, London. http://www.londonstockexchange.com

• Chryssides, G. and Kaler, J. (1996). Essentials of Business Ethics, McGraw-Hill International (UK) Limited, England.

• Davies, H. and Lam, P.L. (2001). Managerial Economics, 3rd ed., Bell & Bain Ltd., Glasgow.

• Deloitte (2006). Risk Intelligence in the Age of Global Uncertainty. Prudent Preparedness for Myriad Threats.

• Demidenko, E. and McNutt, P. (2010). “The ethics of enterprise risk management as a key component of corporate governance”, International Journal of Social Economics, Vol. 37 No. 10, pp. 802-815. http://www.emeraldinsight.com/0306-8293.htm

• Economist Intelligence Unit (2009). Managing risk in perilous times. Practical steps to accelerate recovery. http://www.eiu.com

• European Corporate Governance Institute (n.d.). Codes of Corporate Governance in different countries. http://www.ecgi.org/codes/all_codes.php

• European Union (2006). “Article 41. Audit Committee”, 8th Company Law Directive 2006/43/EC. http://www.8th-company-law-directive.com/Article41.htm

• Expert RA (2010). Risk Management System Quality Rating. www.raexpert.ru/ratings/risk/scale/

• Hampel Committee on Corporate Governance (2003). The Combined Code on Corporate Governance. London Stock Exchange, London. http://www.londonstockexchange.com

• Hickson, D.J. and Pugh, D. (2003). Management Worldwide, 2nd ed., Penguin Global, London.

• International Corporate Governance Network (2005). ICGN Statement on Global Corporate Governance Principles. http://www.icgn.org

• ISO (2009). Risk management – Principles and guidelines. International Standard 31000, First edition 2009-11-15, ISO, Switzerland.

• IFRS (2010). IFRS 4 Phase II, Exposure Draft Insurance Contracts. www.ifrs.org

• KPMG (2009). Never again? Risk management in banking beyond the credit crisis. http://www.kpmg.com

• KPMG (2011). Risk Management. A Driver of Enterprise Value in the Emerging Environment. http://www.kpmg.com

• Lam, J. (2003). Enterprise Risk Management: from incentives to controls, John Wiley & Sons, Inc., New Jersey.

• McNutt, P. (2005). Law, Economics and Antitrust, Edward Elgar Publications, Cheltenham, UK.

• McNutt, P. and Batho, C. (2005). “Code of Ethics and Employee Governance”, International Journal of Social Economics, Vol. 32 No. 8, pp. 656-666.

• McKinsey & Company (2011). Governance since the economic crisis. Global survey results. http://www.mckinsey.com

• Monks, R. and Minow, N. (2003). Corporate Governance, 3rd ed., Blackwell Publishing, Oxford.

• New York Stock Exchange (2003). Standards for Corporate Governance 303A.09. http://www.nyse.com/Frameset.html; http://www.nyse.com/about/listed/1101074746736.html; http://www.nyse.com/pdfs/section303A_final_rules.pdf

• PricewaterhouseCoopers and Centre for Study of Financial Innovation (2010). Banking Banana Skins 2010. Russia. http://www.pwc.ru

• RBCC (2006). Capital Markets: The next move for Russian business, Bulletin, Issue 3, February, pp. 24-25.

• Ricketts, M. (2002). The Economics of Business Enterprise: An Introduction to Economic Organisation and the Theory of the Firm, 3rd ed., Elgar Publishing.

• Risk e-Views Vol 4, December 2010, Risk Leadership: How to be Heard, Bryan Whitefield, Director, Risk Management Partners.

• Standard and Poor’s (2010). Approach To Assessing Insurers’ Enterprise Risk Management Refined In Line With Industry Improvements. RatingsDirect on the Global Credit Portal, www.standardandpoors.com/ratingsdirect

• Standard and Poor’s (2010). Expanded Definition Of Adequate Classification In Enterprise Risk Management Scores. RatingsDirect on the Global Credit Portal, www.standardandpoors.com/ratingsdirect

• Standard and Poor’s (2010). Insurers In EMEA See The Value Of Enterprise Risk Management. RatingsDirect on the Global Credit Portal, www.standardandpoors.com/ratingsdirec

• The Banking Committee on Banking Supervision (2010). Basel III and Financial Stability. http://www.bis.org

• The Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS) (2009). Solvency II Directive. http://ec.europa.eu/internal_market/insurance/solvency

• The Russian Federal Commission for Stock Markets (2003). The FCSM Code for Corporate Governance [online]. www.fcsm.ru; www.copr-gov.ru

• The Institute of Internal Auditors (2004). The Role of Internal Auditing in Enterprise-wide Risk Management [online], FL, USA, September. www.theiia.org

• Towers Perrin (2008). Highlights and Implications of A.M. Best’s New ERM Methodology.

• Vedomosti (2005). “Russia: Going Global”, Forum, The Wall Street Journal & Financial Times Magazine, November.

• Vysotskaya, O. and Demidenko, E. (2005). “The Audit Committees in the 21st century”, The Russian Economy. 21st century, No. 20. http://www.ruseconomy.ru/index20.html

• World Economic Forum (2011). Global Risks 2011, Sixth Edition. www.weforum.org

ABOUT THE AUTHORS

ELENA DEMIDENKO, ACCA (Association of Chartered Certified Accountants, UK), MBA (Manchester Business School, UK), is a risk-management consulting specialist with over 6 years of governance and risk consulting experience and more than 12 years of overall work experience across Singapore, Australia, Russia and Europe. She is a member of academic staff at Manchester Business School, UK.

ALEXEI SIDORENKO is a risk-management specialist with over 8 years of strategic and risk consulting experience across Australia, Russia, Poland and Kazakhstan, focusing on a variety of industries including oil and gas, energy, consumer goods, transportation and infrastructure, telecom, real estate and investment corporations, as well as government departments and state parliaments.

Alex currently works at the Skolkovo Foundation as a risk manager supporting the development of the largest innovation centre across CEE, responsible for education, risk analysis and reporting for the Foundation staff and more than 300 start-up companies across the fields of energy efficiency, biomedicine, space and telecom, IT and nuclear. Alex regularly presents at various risk-management conferences across CEE.

In 2011 Alex co-authored a global risk-management methodology for PricewaterhouseCoopers. In 2009 he co-authored the risk-management guide for small and medium-sized businesses, published by the Australian Stock Exchange.

Copyright

This document is subject to copyright, which is retained by the authors. No part of it may in any form or by any means be reproduced, adapted, transmitted or communicated without the prior written permission of the authors.

This document is provided as general information only and does not consider your specific objectives, situation or needs. You should not rely on the information in this document or disclose it or refer to it in any document. The authors accept no duty of care or liability to you or anyone else regarding this document and we are not responsible to you or anyone else for any loss suffered in connection with the use of this document or any of its content.