Organizations today are staring at increasing business complexity. A whole array of risks and opportunities emerge daily, not just from within but also outside a business. When it comes to risk, a golden rule to be remembered and followed is that ‘Things which have never happened before, happen very often’. It is becoming exceedingly hard to have a single, all-encompassing definition of risk. One of the most concise definitions of risk given by the ISO 31000 standard related to risk management, is the ‘effect of uncertainty on objectives’. An effect is a positive or negative deviation from what is expected.
The above definition, however, fails to address the unpredictable nature of risk and due to its frequency and severity, risk management becomes a difficult and challenging task to accomplish. While credit, market, operational, liquidity, strategic, business and reputational risks cover what is often referred to as types of risks, they do not define the entire universe of risks that an organization faces. An analysis of businesses that have failed even after having a risk management system in place shows that those organizations failed to comprehend the dynamic nature of risk.
Traditionally, companies have always managed risk on a one-by-one basis. This provides a certain level of understanding about a business but does not show it in conjunction with the rest of the portfolio. The need of the hour is to have a unified view of the risk factors. There are comprehensive risk assessment tools available in the market for companies to take corrective informed decisions. These give an institution the ability to undertake a detailed companywide risk assessment with information on trade payment data, legal events, corporate family trees, and other third-party web and social information. Consolidated information at one place helps the top management to understand the patterns that emerge across a portfolio, helping make faster and better credit decisions.
Sometimes people have raised doubts on the importance of risk management as a framework and if risk management can be implemented beyond theory. In today’s business reality risk management is the most important framework that an organization needs to develop and implement. A strong risk management system also helps in risk-return trade off, which is key for an organization to grow and prosper. What is pertinent here is that opportunities and risk come in pairs. A robust risk management framework also provides the necessary impetus for an organization to manage change and overcome challenges in the often discussed “VUCA” (volatility, uncertainty, complexity and ambiguity) world.
The most common risk management framework comprises:
- Identifying potential events that may affect the enterprise
- Managing the associated risks and opportunities
- Providing reasonable assurance towards the achievement of organizational objectives
Risk management framework differs across organizations. For example, there is a Basel framework for banks, Solvency framework for insurance companies, and Coso framework, which many other organizations adopt. A risk management framework, as mentioned above, encompasses the entire organization and puts accountability of risk from a top-down perspective. In this framework, accountability starts from the board of directors. Specific responsibilities of risks are assigned to various heads of the organization and a chief risk officer runs the show at the operational level. Hence, a risk function leadership team becomes an integral part of the process.
An important aspect of the above framework is that it does not work in silos but is more of an integrated approach. The key focus areas of this approach towards risk management are risk response, control activities that an organization develops, information and communication within an organization, and oversight and monitoring. Building of a risk culture is therefore very important within an organization. A risk culture is the system of values and behavior present in an organization that shapes risk decisions of the management and employees. Another key element of such a culture is the common understanding of an organization and its business purpose.
To conclude, we need to understand that risk management does not mitigate risk completely. However, it helps an organization achieve its objectives by preparing for adverse situations. It also helps an organization gain confidence of various stakeholders of the business. However, the ultimate objective achieved by risk management is the enhancement of a shareholder’s value. No wonder Alan Greenspan once remarked, “Indeed, better risk management may be the only truly necessary element of success in banking.” It won’t be an exaggeration to say that this holds true for other organizations as well.
– Vivek Sharma is senior domain specialist and trainer at Dun & Bradstreet India