Enhancing Business Performance through Risk Management
The following is an abstract from my latest research piece, “Enhancing Business Performance through Risk Management.”
While the market seems eager to grasp the phrase “risk intelligence,” it means nothing if corporations cannot act on the intelligence it provides. Being intelligent is not the same as being wise – most organizations lack both risk intelligence and wisdom. There are organizations that acquire a lot of information, but without transforming that information into knowledge by understanding the context of their business risks, they fail to make better business decisions. Risk is often completely disconnected from business strategy, objectives, and performance management.
Risk management requires the proper context across the entire culture of an organization. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk tolerances and appetites are defined and managed. The culture of risk tolerance at all levels helps formulate these tolerances: This is where risk management relies on governance. The board and management must clearly define and communicate the organization’s culture of confronting risk. If the governance function does not do this, risk strategy is left up to individuals and the integrity of the organization is in jeopardy.
A mature risk-management program does not operate in isolation from the business. It is integrated with corporate performance, strategy, and objective management. This requires that the organization relates performance to risk, allows for multiple inputs impacting the risk environment from both internal and external contexts, and has a variety of ways to look at risk information in order to analyze, model, and relate risk back to performance and strategy.
Effective and mature risk management delivers:
- Alignment of risk in the context of business strategy. Risk strategy is fully integrated with business strategy where business management realizes risk management is an integral part of business responsibilities.
- Risk intelligent business decision-making. Risk-management culture and policies are effectively applied across the organization, supported by management. The business has what they need to make risk-intelligent business decisions.
- Risk-based business planning. Risk is a key component in business planning. Risk assessments and reports are structured to complement the lifecycle of the business to help executives and the board make effective decisions.
- Establishment of risk culture and policy. Risk policy is clearly communicated across the business and is effective at establishing a culture of risk management. Risk policies are current, reviewed and audited on a regular basis.
- A risk appetite harmonized with business strategy. Risk appetite and tolerance levels are established and reviewed. They are mapped over to business performance and objectives.
- Integration of risk and performance monitoring and metrics. Defined KRIs are in place and appropriately mapped to business KPIs. Risk indicators have established limits/thresholds and are defined at all levels of the business, its operations, and its relationships.
- Communication of business relevant risk information. Risk reporting and indicators are relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance, and timeliness to the business.
- Ownership of risk within the business. Every risk, both at the enterprise as well as business process level, has clearly established risk owners. These owners represent roles that can take action on the risk.
- Holistic awareness of the range of risks the organization faces. The organization has defined risk taxonomy at the enterprise level which drills down into specific risk areas. A regular process is in place for risk identification to keep the taxonomy current. Various risk frameworks used across the enterprise are harmonized into an enterprise risk framework.
- Multi-perspective risk analysis. The organization uses a range of risk correlation, stress testing, and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of its historical loss to feed into analysis.
- Effective risk treatment in context of business objectives and strategy. Risk treatment plans – whether acceptance, avoidance, mitigation, or transfer – are in place and monitored for progress. Audit functions conduct regular reviews. The solution reviews risk-treatment plans.
- Governance of risk from the board down into the business. The organization has a role and system in place to aggregate risk information across the business and to effectively communicate, monitor, and manage risk. There is effective communication and accountability for risk oversight at the board of directors’ level.
- Visibility of risk as it relates to performance and strategy across the business. An enterprise view of risk is in place and maps over to corporate performance and strategy. Risk is effectively communicated to stakeholders, and the organization’s track record shows successful taking and management of risk.
- Consistent ranking and measurement of risk. Risk is categorized and structured according to its impact on business strategy, performance, and optimization.
Successful organizations face the challenge of moving from immature to mature approaches to risk management. Immature risk-management programs operate in silos and are disconnected from each other: no consistency or efficiency is gained. Many ERM programs are not much better than this, as they are nothing more than an enhanced SOX strategy, focusing on a slightly expanded view of financial and other internal controls. A mature risk-management program is a seamless part of business performance, strategy, and objective management. Risk must be managed within the context of the business. This requires the organization to take a top-down view of risk, led by the executives and board, and to make it part of the fabric of the business, not an unattached layer of oversight.