Written by: Chizubel Egwudo
Every now and then we hear of history repeating itself when companies fail to deliver on their strategies, completely fail, incur monumental loses or don’t deliver benefits on major initiatives undertaken. Surprisingly, a lot of these are major or medium enterprises who employ some of the ‘brightest brains’ in the industries they operate within; supposedly. When this happens, we hardly hear them mention that it was due to the lack of effective risk management. They blame the economy, market trends, technology, processes, people etc. but fail to recognize that these things they have mentioned are the risks which they have not managed.
How are organizations going to succeed when ‘risk’ or ‘Risk Management’ is mostly not considered being ‘top list item‘ on the agenda of board meetings or Senior Leadership governance forums? The time allotted to risk at key forums indicates the level of value placed on it, sadly in most cases less time or it is pushed to the end of the line almost as an AOB (Any Other Business) item. This culture which has existed for decades is one of the reasons why history in business will continue to repeat itself, leading to some of the consequences mentioned in the first paragraph of this article.
Based on research carried out by Dedrach by sampling10 of its previous clients from a range of sectors, it was found that only 2 took great care to align risk management to its corporate objectives and regularly campaigned on the importance of good risk management with senior executives taking the lead. 3 of these companies had some semblance of risk management alignment with corporate objectives but it was mainly a case of identifying and knowing what the top risks to the business were with less focus on risk management while the other 5 largely let risk be driven by the Risk Managers or the risk team. Other findings showed that major initiatives have commenced well down the line and objectives not clearly defined or mapped out and people just worked without knowing what they are delivering to. Obviously clear in this case that whatever risk management is being done is pointless.
Very briefly, here is a summary of our findings:
- Limited understanding of the subject matter, risk management. Most executives lacked sufficient risk management knowledge required to operate at board level, making it a challenge to align risk management to strategy. This limited understanding of risk or its management also means that the focus of most executives has been on implementing its corporate goals with less consideration as to how risk management will enable them achieve these goals. This often leads to re-planning, renegotiation, ’re-understanding‘ of strategic requirements, just to mention a few ‘start and stops,’ which costs time and money to the business when things don’t go as expected. The media reports has been a testimony of some of these failures as have been seen in the banking sectors, high street retailers, automobile and also within government.
- Misalignment or non-alignment of Corporate Objectives to risk. On every occasion when I take up an assignment, I ask to review the corporate strategy of the business. In the worst case scenario, I find them not to have been well mapped out, documented and not communicated or aligned to risk. In the best case scenario, they have been documented but not aligned with risk management or the strategic risks of the business. In both cases, this demonstrates the level of weakness on the path to the achievement of business goals; whether it is revenue growth, new markets, increasing market share or fraud reduction.
- Spend to resolve. This is a major issue I find in the banking sector where money is used to try to solve problems instead of developing or following effective control measures established in a well-developed risk framework. This is like taking pain relieving pills for a headache to suppress the pain instead of identifying what the root cause is and address the root cause which solves the problem of the headaches.
The problem with this is that the headache or in this case, the risks which have always been there but not managed resurfaces again and often comes back twice or ten times worse which can often be ‘debilitating’ to most businesses.
- Company executive’s heavy reliance on bottom up led risk management but unable to provide top down direction for risk management. This is the case of putting the ‘cart before the horse’. Who should be leading the organization’s directive on risk management? Certainly not the risk managers or the risk function! Every executive and board level or senior leadership team member should have an adequate knowledge and experience of risk management in order to help their organization thrive with fewer shocks that could have an impact on the business goals, revenue or profit. In addition, C-Level executives are responsible, with the help of the Chief Risk Officer who also sits at that level, for defining and establishing the risk appetite for the organization. This can be achieved more accurately when senior executives understand their risk profile. With the support of the Chief Risk Officer or Risk Director, he or she would be able to influence their peers to ensure that the corporate strategy/objectives of the business will be aligned with the risk management framework, as long as he or she remains independent of the board while carrying out board level duties.
These challenges can be easily turned around to positive outcomes that are measurable. Company executives need to start thinking ‘outside of the box’ and not stick with age old tradition that risk management is just another piece of work that needs to be done by someone else in the organization to tick that box of due diligence. Far from that! Companies are meant to deliver value to its staff, clients, customers, the community, the economy if it is all rolled up (aggregation of risk), not create economic disruption in any of these capacities due to poor performance of risk management or lack of alignment to its objectives. As with building a house, every brick plays a vital part in ensuring the house is solid, right from the ones laid in the foundation to the ones at roof level.
Risk management is a vital set of bricks and cement responsible for the solidity of every SMLE (Small Medium Large Enterprise). When done properly, risk management creates measurable benefits. So:
- Work with risk practitioners who will help shape the strategy of your business by keeping risk management in focus. Risk Practitioners have better experience at delivering the benefits risk management should far better than ‘big’ consultancy firms. This will reduce cost as one risk practitioner or two in most cases will deliver measurable benefits of ‘multitudes of headcount’ put on client sites by most consultancy firms. As part of the research we conducted, we found that benefits delivered by large consultancy firms is in most cases far less than the cost paid to recruit these consultancy firms, if of course the benefits can be measured in the first place.
- Trust the judgement of your risk practitioner if you have one. If you don’t have one, find one not just a risk manager. There is a difference between a risk practitioner and a risk manager. As me later…
- Ensure risk management objective is clearly mapped out at the beginning of each financial year and it is aligned with the overall objectives and strategy of the company at all tiers of the business.
- Ensure the CRO, Director of Risk, Head of Risk has complete oversight of the business and acts in that capability. When heads of risks lose independence and are drawn into bureaucratic activities, they lose the ability to direct the business and inform the board objectively.
- Keep it simple! Risk Management is not rocket science. It is actually fun and easy but you need to know how to use it just like any toy to derive the benefit or joy it gives.
A set of well-defined and realistic objectives set by a company will not produce the benefits required without an implementable risk management framework.
Chizubel Egwudo is a Risk Practitioner and Managing Director at Dedrach, an independent practice working with clients to resolve challenges faced by businesses using risk management principles, techniques and common sense. He has developed a simple model for delivering risk solutions known as Risk-3D. Risk-3D stands for Risk Design, Develop and Deliver. They DESIGN a tailored solution for your business, DEVELOP the concepts in the design, test it and DELIVER it to address your organization’s risk challenges. Simple!