"The only business information source for European Business management and leadership news..."

Playing it safe

Business management sits down with a panel of experts to gain some insight into effective risk management strategies.


“Companies must ensure that risk awareness and management practices are embedded in the culture of the organisation.”

What factors are driving the need for organisations to have effective and comprehensive risk management strategies in place?

Jürgen H.M. van Grinsven. Risk management is an essential part of the economic activities and economic development in organisations. It supports decision makers to make informed decisions based on a systematic assessment of risk. The three main factors that motivate organisations are: the volatility of today’s marketplace; costly catastrophes and regulatory-driven reforms. However, research indicates that from a business perspective there are three underlying dynamic factors that are driving the need for organisations to have effective and comprehensive risk management strategies in place. The first dynamic factor is decentralisation and employee empowerment. Organisational structures that become flatter make decision-making authority more widely distributed across the financial institution and more significant decisions are made at the operational level. This increases the need for management to understand the risk posed by these isolated decisions. The second dynamic factor is market pressure, which forces financial institutions to broaden and adapt their product and/or service offerings to the rapidly changing market, thereby exposing the institution to greater risk. The third dynamic factor is E-commerce, which has made business activities more transparent to the customer, while increasing the need to achieve speed to market with products and services, gain efficiencies in business processes, and allocate capital to activities that have a higher return/risk ratio.


Mike MacDonagh. The factors can be broken into external and internal issues. The former category has the most impact and of these, increased regulation is probably the most important across almost all industry groups. Every organisation now has a wealth of regulation to comply with, covering general areas such as employment law, data protection, and health and safety regulation as well as its industry specific regulations such as in financial services, life sciences and many others. Markets, shareholders and customers are also a significant source of drivers for better risk management. This may be rating agencies (some of whom are now rating organisations’ ERM capability), investors and insurers wanting to ensure organisations are well managed, or customers needing to know that the products they buy won’t cause them harm, or that their data and payments are secure.

Internal issues are becoming more important as organisations start to realise the business value that can be delivered by better risk management. By linking risk management to business objectives and to measures of performance, as recommended by standards such as ISO31000, organisations can make sure they are deriving the greatest benefit from their risk management efforts. Effective and comprehensive risk management ensures that risk management reduces risks that the business actually cares about and can help it to make more effective use of risk management resources and help to guarantee achievement of performance objectives.

Both the internal and external drivers are magnified by other business trends, such as an increasingly global economy with larger, more complex and interconnected structures that are exposing organisations to greater and more complex risks.

Anil Jogani. These are times of increasing change and regulations. Every change brings with it risk and opportunity, which also implies risk of loss of opportunity. Every regulation brings with it risk of non-compliance and severe consequences with stiff penalties. Faster change in both internal and external environments and more and more regulations are exposing organisations to increasing risks. As you know, risks have grown and they are of various types including strategic risk, environmental risk, market risk, credit risk, operational risk and compliance risk. These exist everywhere but need to be identified and managed effectively. You cannot manage only a few and leave others. The impact of failure can be very crippling. 

Gisle Bråstein. Over the last few years there have been a number of critical events, seen both from the financial and operational side, which have led to an increased awareness and focus on risk management in general.

Governance, Risk and Compliance (GRC) requirements are becoming increasingly important for corporations looking to succeed in a globalised world. Stakeholders’ demands for corporate accountability and transparency, and globalisation, call for businesses to address risk quickly and demonstrate their risk performance in almost real time.

In addition to meeting national and international regulations, most companies need to demonstrate their risk, safety and quality and even environmental performance to suppliers, partners and clients. By seeing all these factors in relation, treating them with common tools and procedures companies will be in a position to create common overviews and performance sheets and to develop common risk response strategies that will have overall effects.

Most organisations understand the value of proper risk management and have moved from a reactive risk management strategy to a proactive preventing strategy, hence minimising risk of even smaller incidents and deviations that could later result in unnecessary costs.

Of course, you cannot protect yourself against every eventuality. However, what can organisations do to minimise risk in case the unforeseen does occur?

MM. Much risk management in organisations is targeted at reducing expected losses by regular risk assessment, appropriate controls, insurance and other mitigation techniques. These are less effective against very rare events, situations that are caused by a combination of other factors and systemic risks. For these, scenario analysis is by far the most effective way of identifying, understanding and mitigating the impact. Taking recent events, European airlines have no experience of dealing with the effects of an ash cloud closing large areas of European airspace; they do, however, have experience of mitigating the effects of smaller interruption events, and some of them did run scenarios of a larger closure that helped them manage the impact of the recent event.

AJ. Organisations need to have comprehensive risk management processes in place; risk governance, risk response and risk evaluation. They must ensure that risk awareness and management practices are embedded in the culture of the organisation. It does not mean that one does not act for fear of risks; it means that one should consider the risk factor in all decisions and adjust expected benefits for risk. In other words always strive to optimise risk-adjusted returns.

GB. In a risk management framework the conventional incident focus is only a supplement to the more proactive prevention of events. In most organisations a balanced and holistic approach to risk vs event management would be the solution. Clearly, when events happen it is necessary to react to them. The reaction should however be planned and well thought out, as the best managed companies are proactive first and reactive second. Naturally, proper incidents and emergency plans should always be in place.

A well structured and fully implemented management information system will bring value to this balanced approach by providing information to support short and long term planning and decision making. Reliable and credible data from the risk sources aggregated to the levels of decision making is a key factor.

This will reduce indirect costs by improving the efficiency and effectiveness of the operational risk and event management processes and will reduce direct costs by reducing the overall risk level preventing loss from unexpected events.

JVG. One hundred percent protection against risk is not possible and the costs will be too high. However, organisations can learn important lessons from publicised losses and the ever-increasing attention to risk management. They also have to realise that they have a responsibility, not only to their board of directors and management, but more importantly to their employees, shareholders and the tax payer, to manage their risks. Organisations can start with registering and monitoring their loss data. From experience, we know that this is not an easy task. Moreover, organisations can raise their risk awareness and dedicate resources to risk management. This often leads to significant efficiency and effectiveness benefits for organisations.

What are the common mistakes people make when managing risk?


AJ. I should think the common mistakes are: predicting the future using past events; putting too much emphasis on quantitative risk models; making assumptions when assessing risks but when assumptions change the assessment does not; and using worst case, best case scenarios and then normalising them ignoring a wide range of possible scenarios. Then you have the classic case of having disaster recovery plans that are not updated nor communicated so people are not in the state of readiness to combat risks and they often do not implement security based on risk.

GB. Today, most companies do have the procedures in place to consider risks and unplanned events, but they often miss a structured approach for dealing with them. Furthermore, the knowledge gained from the risk management process and the potential this has to influence the overall performance of the company is often left unreleased. Far too often, risk assessments are done, left in the drawer and forgotten.

Those companies that can use this information in a structured way, defining and following up on risk response strategies, will learn and develop their company as a response to their risk profile. For these companies, values are created both through finding sustainable solutions, and through avoiding risks that materialise in losses.

JVG. We observe that business managers and risk managers are under pressure. They must participate in a highly competitive environment while solidly honoring their professional obligations and navigating their business safely toward the future. Paramount to their success is the ability to identify, formulate, assess, deliver and communicate value propositions to their clients. Sometimes they seem to forget this. We argue that the success of an organisation goes in tandem with the collaborative participation of its clients and a well-implemented risk management framework.

Each client is unique and in order for a value proposition to be effective it has to be tailored to the client’s specific needs. Furthermore, organisations should realise that the most obvious benefit from such a framework seems to be preventing catastrophic losses, other less obvious benefits are that it prevents rework and stimulates win-win situations.

MM. While many organisations would admit to managing risk in disconnected silos across an organisation, which has a significant impact on their ability to manage risk on an enterprise-wide basis, probably the most common and damaging mistake is the failure of many organisations to implement a culture of risk management across the organisation, from top to bottom. Just as happened before the introduction of Total Quality Management in the 1980s. Until managing risk becomes the responsibility of everyone in the organisation, rather than just that of the risk team, it cannot be managed effectively and organisations will fail to realise the positive benefits of good risk management.

Do you have an example where your services have benefited a company with its risk management recently?

GB. We have had some really positive feedback from the companies that we work with. Annica Örn, patient safety coordinator, Landstinget i Östergötland said: “Instead of assuming why things happened, you can document it and spark real actions”.  Another very happy client is Ørjan Storesund, HSE Coordinator, STX Europe, who said: “Our HSE changes programme is worth seven million Euros per year in reduced insurance costs”. Elaine Rust, Global HSEQ System Manager, Subsea 7 said: “Synergi is a highly flexible system. Once you understand the possibilities you will realise what a phenomenal and massive tool it is”. And finally Kurt Kriter, Vice President EH&S for Exploration and Production, Hess Corporation said: "Synergi provides us with real time reporting of EH&S issues and the opportunity to learn from each other. Additionally, Synergi provides us with a consistent action tracking and reporting tool which supports continuous improvement. These factors are important aspects of a growing business".

JVG. We have recently engaged in a project that aimed at implementing IT risk management within a bank. The services of this bank are highly dependent on its wide variety of IT applications. The portfolio of different systems, technology and the different life cycles of the applications demand a well-structured risk management process. With our GRC software, managers are enabled to store their risks and controls, and link them to IT processes, projects and applications. This provides them and the board with valuable insights.

We used our embedded control framework for evaluation of the controls against best practices. The workflow in our GRC software provides support in the follow-up process for all actions within the organisation. The bank will start soon with monitoring the effectiveness of the key controls and measuring their key risk indicators. The scheduler, in our GRC software, helps in planning the required testing of controls and collection of evidence. Using our methodology and tooling helps the bank with their required SAS70 certification. The bank further experienced an increased risk awareness among management and all IT staff.

MM. We partnered with the Operational Risk Consortium (ORIC), implementing Sword to upgrade its web-based IT platform to capture, aggregate and analyse operational loss events in the insurance and investment industry. ORIC was created by the Association of British Insurers (ABI) in 2005 to help insurers share industry-wide data on operational losses, with a view of improving their measurement and management of operational risk and is used by around 25 insurers. Sword’s powerful reporting and graphical tools help ORIC members to visualise risks, analyse trends and predict loss outcomes. Sword data is used to benchmark individual firms relative to the whole industry or selected peer groups. It can also be used for more sophisticated statistical analysis, such as internal modelling of operational risk under the Solvency II Directive. “Gathering good-quality operational loss data is a major challenge for the insurance industry – perhaps more than in banking,” said Mariano Selvaggi, Director of ORIC. “We therefore believe this world-class IT platform will greatly enhance our members’ data collection and reporting systems, not only for modelling purposes but also for their scenario analysis exercises. Sound operational risk measurement and management play important roles in the European Solvency II Directive.”

AJ. We specialise in automating governance, risk and compliance processes and help companies save up to 70 percent of their costs and time. Our enterprise-wide risk and compliance management system at a large internet-based business ensures they do not fall foul of about 80 regulations that they have to comply with. High-risk areas that were identified were compliance risks, data theft, vendor risks, and misuse of credit cards. The cost of compliance and risk management that they were incurring was significant. A lot of time was spent on collecting risk data, on surveys and disseminating risk information. Different people had different views of risk across the organisation. We have helped them establish and maintain a common risk view across departments and levels and make risk-aware business decisions. In particular, it has helped them reduce the time and cost incurred in the risk evaluation processes of collecting data, maintaining risk profiles, and analysing risk. At the same time, the system has strengthened security and provided a platform for continued compliance.


Biographies

Dr.ing. Jürgen H.M. van Grinsven is Director at Artena Business Consulting. He is the author of the books Risk Management in Financial Institutions – formulating value propositions  and Improving Operational Risk Management and many other publications. He is a member of PRMIA, GARP, a frequent speaker at (international) congresses and is teaching risk management at Nyenrode University.

Anil Jogani has 25 years of global experience in enterprise and IT governance, risk and compliance management, audit, finance and general management and has operated at senior levels internationally. He is an experienced workshop facilitator and trainer and is presently a director at Milan Solutions, a boutique GRC solutions company in London.

Mike MacDonagh is ERM Product Manager for Sword, part of ARC Logics, a Wolters Kluwer company. Mike has more than 25 years experience helping financial institutions across the globe manage enterprise and operational risk more efficiently while effectively addressing banking industry regulations, guidelines and standards.

Gisle Bråstein is Business Innovation Manager, Synergi Solutions AS. Previously he has had several positions related to risk management and MIS including consultancy, project management, sales and account management. He has worked in the energy, transport and process industry sector and has an MSc in technology management and industrial economics from the Norwegian University of Science & Technology.

