Grabbing the Tiger by the Tail - Taking Charge of Enterprise Risks
By Peter Deans, Chief Risk Officer, Bank of Queensland
In a prior era, the management of risks was very much an intuitive activity, with executives and managers left to manage risks as they saw fit. Often key business risks were not even identified or fully understood. Today, however, the scale and breadth of business activities, particularly the increased use of technology and third parties, require a more structured and sophisticated approach to the management of risks.
Across many industries and businesses, an enterprise risk management (ERM) approach has been widely used to better understand and manage business risks. The adoption of ERM as an embedded business activity has significantly improved in recent years. This approach usually involves:
• Establishment of risk registers across business units, functions, and specific activities
• Periodic workshops being undertaken to identify key business risks
• Rating of key business risks using a consistent methodology, usually rating the likelihood and severity of particular risk event(s) occurring
• Development of action plans for risks identified as posing an unacceptable business risk, if not mitigated, and
• Periodic assessments of controls in place to ensure that controllable business risks do not unexpectedly materialize.
Much of the focus of an ERM approach is on existing, known business risks or operational risks. This is the correct approach. The imperative is to focus on business risks or events that can disrupt a key business activity and/or have an adverse financial impact. These can include events such as technology or power outages, supply chain disruption, operations or process failures, and weather events that disrupt business activities. Breach of regulatory requirements is an important category of risks that can also be captured in an ERM system.
Implementation of an effective ERM framework will ensure that each key risk is appropriately assessed and documented.
The outcomes of the risk assessments can, in turn, form the basis of Business Continuity Planning (BCP). This will build organizational resilience and help avoid reputational damage from failing to identify and mitigate known business risks.
Many regulated businesses, such as those in the banking, transport, and infrastructure and energy industries, are required to have clearly documented ERM and BCP processes in place. In addition, audit firms are increasingly looking at risk management frameworks and controls as part of their ongoing audit processes.
There is, however, sound business reason to have documented ERM and BCP processes in place even if not formally required. A deep understanding of the risk profile of all aspects of an organization can assist in identifying material risk issues or gaps that can adversely impact its financial performance, regulatory compliance, customer experience, and reputation. This will in the long run improve financial performance. In addition, confidence in the overall resilience of an organization can often lead to a superior value being assigned to that organization by equity investors.
Challenges will exist in being able to accurately assess the likelihood and impact in many risk categories. Cyber security is a good example of this and perhaps the most topical risk category in recent times. How do you assess the likelihood of a cyber event taking place, what type of cyber issue will you have and what will be its impact? It is true that it is difficult to answer these questions definitively. Using the ERM approach, the first steps of understanding an organization’s cyber risk profile will be a series of workshops to develop a baseline assessment (using external expertise if necessary). This will in turn guide the organization’s assessment of the likelihood of cyber risk events occurring.
Similarly, business operating models that involve the use of third parties for specific parts of the value chain should follow the ERM approach to understand the business risks of these arrangements. Often risk assessments have either never been done or only done as part of an initial due diligence or approval process for an outsourcing or supply arrangement. What happens if a key supplier or outsourcing business partner has a business disruption, elects not to renew a contract, or ceases operations due to financial difficulty? Supplier or third-party outsourcing contracts usually enable periodic reviews to be undertaken of the contracted party and its performance. These provisions provide an opportunity to gain a deeper understanding of the risk profile of the outsourced activity and the contracted third party. This is particularly common in IT and business process outsourcing. Cloud computing arrangements should also be assessed in the same manner.
The frequency of risk reviews and management reporting of the overall risk profile will vary from organization to organization. The most effective ERM frameworks will require ongoing monitoring of risks, with the onus on risk owners (the role or function within an organization that owns a particular risk) to document and promptly report any material change in a risk category. Periodic management reporting of risk profiles can be monthly, quarterly or half-yearly depending on the size, complexity and maturity of an organization. A comprehensive, pan-organizational review of all risks should be undertaken at least annually.
More mature and sophisticated ERM frameworks will see the assessment of strategic business risks incorporated into the ERM process. This will look at the potential impact of medium- to longer-term trends on an organization’s overall business profile. These can include demographic, technology, competition, social, and other changes that may pose a longer-term threat to the sustainability and financial performance of the organization. This is very much a top-down exercise that is usually undertaken as part of the strategic planning process.