The importance of risk management - Coggle Diagram
All organisations manage risk. Every activity that an organisation performs and every decision it makes involves risk
Risk is an essential part of any organisation and the management of risk is essential to help preserve and create value for stakeholders
Little is certain in the world in which organisations operate, meaning that almost every decision that is made will have multiple potential outcomes.
Organisations exist to meet the needs of their stakeholders. They inevitably make risky decisions that generate stakeholder value, while at the same time reducing the risk of adverse events such as pollution, injury or bankruptcy
Risk is both an input into the strategic decision-making process and an output. From an input perspective, the risk exposures that exist will influence the types of strategy that are chosen. For example, an organisation might launch a new product to exploit a new market, or choose to merge to help address an increase in the cost of regulation or to survive in a competitive marketplace.
Risk management may be an essential activity but that does not mean all organisations manage these risks effectively or devote sufficient resources to risk management. Managing an organisation effectively, including the adequate management of risk, requires significant time and financial resources: employees, managers or directors do not always appreciate the value of this investment.
The organisation as a nexus of global stakeholders
Organisations serve to meet the needs of multiple stakeholder groups, including consumers, creditors, owners, shareholders and third parties
These stakeholders can come from a variety of different countries whether the organisation itself is internationally active or not.
In addition, the actions of organisations can have international consequences (such as pollution).
Meeting the needs of these stakeholders in relation to risk - or more specifically the risks they may want an organisation to take and the risks that they do not wish it to take - is a key way in which risk management can create and preserve value
Organisations meet the needs of their stakeholders by setting objectives that provide an appropriate balance between risk and return and by ensuring that these objectives are achieved. This includes managing the risks that may threaten the achievement of these objectives, such as competition or compliance risks.
How an organisation balances risk and return, and the degree to which it manages the risks associated with implementing its objectives, will depend on the risk attitudes and preferences of these stakeholders.
Each of these stakeholder groups 'invest' in the organisation with their time, skills, money or something less tangible, such as their health and wellbeing. Stakeholders expect returns, such as salaries, safe and reliable products and services or interest payments to meet the cost of these investments.
A shareholder perspective on risk management
Most stakeholders are inherently risk-averse. They prefer certainty to risk and will sacrifice some of their wealth or income to achieve this certainty
Shareholders may not behave in a risk-averse way for three reasons.
Shareholders may receive dividends and they may benefit from an increase in the value of the shares they hold, allowing them to be sold for a profit. Generally risk and return are positively correlated. The more risk an organisation takes, the more return it can generate: a return that should translate into increased dividends and share values. Shareholders may value an increase in risk, providing that there is the prospect of higher returns.
The shareholders of most companies, whether public or private limited companies, have limited liability. In the event that the company becomes insolvent or goes bankrupt, shareholder liability is limited to the value of their investment stake. Limited liability shareholders cannot be forced to provide additional funds once they have invested in a company.
Diversification of risk
Shareholders often choose to create diversified portfolios of investments. They purchase shares in multiple companies or some other form of investment asset. Through diversification, shareholders can insulate their investment portfolio from company-specific risk events such as fires, frauds or a decline in sales.
Like any other stakeholder, the average shareholder is inherently risk-averse, but that does not mean they will demand the same level of risk reduction as other stakeholder groups. This is because shareholders have different objectives from some other stakeholder groups, and because they have their own tools to manage risk.
Although there are reasons why shareholders may be risk neutral or even risk preferring, in practice most will value effective risk management. This may be because of ethical concerns and a desire to protect employees, third parties or customers from harm. It may also be because of concerns about
High levels of risk taking may result in financial distress and ultimately bankruptcy. In theory, shareholders should be indifferent to bankruptcy, providing that the organisation can be sold and they receive back their investment stake.
In practice, shareholders rarely get back the money they have invested and almost certainly will not receive any of the appreciation they may have received on this investment (though well-informed investors may be able to sell their shares before they start to fall in value)
When an organisation becomes bankrupt it can incur a range of costs. These may include legal costs, other administration costs and legal liability claims. In addition, the organisation will lose the value of any goodwill (such as brand value) that has been built up over time. It also may have to sell assets at far below their market value.
Bankruptcy costs significantly decrease the chance that shareholders are repaid the capital that they have invested in a company. While they may have limited liability, they will still want to get back the funds that they have invested. Shareholders will typically value risk-management activity that can help to prevent the costs associated with bankruptcy.
The effect of cash flow fluctuations on opportunities for growth
Almost all risks will affect an organisation's cash flows. Gains from risk-taking will help to increase the level of cash flowing into an organisation.
In contrast, losses from risk taking will result in cash flowing out of the organisation.
Fluctuations in cash flow can be very disruptive. A large, unexpected loss - such as from a fire or major fraud - could mean that there are insufficient funds to invest in profitable opportunities such as new product development or process efficiencies via the purchase of a new IT system
From a cost perspective, large and unexpected losses may necessitate high-cost debt finance or lead to other financing and contractual costs, such as late payment charges.
Companies with stable cash flows will be able to invest for the future and control their costs, generating higher profits and dividends for shareholders over the long term.
Shareholders will typically require much higher rates of expected return from organisations with less stable cash flows.
Managing conflicts of interest between stakeholders
Just because stakeholders are typically risk-averse, that does not mean that they will be averse to the same risks or have equal levels of risk aversion
One way to understand this is to remember that different stakeholders may have different risk objectives
Shareholders look to maximise their dividends and the share price. Creditors want the security of knowing that their loan will be repaid with the agreed level of interest, and consumers will prioritise safe, reliable products and services
Where conflicts exist between stakeholder groups, risk management takes on a new objective: to further protect and create value by managing these conflicts and increasing the overall level of stakeholder satisfaction.
Effective risk management is needed to help balance the conflicting interests of different stakeholder groups, weighing up different priorities and assessing the costs and benefits of different risk management decisions and risk exposure levels.
The board and senior management are very important as they are the ones who have to make the difficult decisions. These decisions will influence the riskiness of the strategy that the board chooses for the organisation, along with the level of investment in risk management to help ensure that organisational objectives are met
Reasons for risk management regulation
The risk management decisions of an organisation are subject to a range of regulations. Common regulations include health and safety regulation, environmental regulation and legal liability regulations (such as compulsory insurance for employee and public liability)
Certain industries, such as financial services, are subject to additional risk management regulation aimed at protecting the overall financial system and preventing financial or legal misconduct (protecting consumers from being mis-sold financial products that do not meet their needs). Much of this regulation is now global, as global financial markets become more interconnected.
Compliance with regulation can also be very time consuming and expensive. However regulation is necessary because organisational stakeholders are not always able to ensure an optimal level of risk management on their own, primarily because of issues around self-regulation and market failures.
The problem of self-regulation
One regulatory option is to have a self-regulatory system where a group of organisations or professionals agree to set and enforce specific risk management standards. Co-ordination and enforcement may be managed by a trade association or institute to help prevent the collapse of the self-regulatory agreement.
The advantage of self-regulation is that the regulation is agreed and enforced by those being regulated. This should ensure that the regulation is appropriate and proportionate, cutting down on the costs of compliance.
The disadvantage is that self-regulation is hard to sustain because of the limited incentives to enforce such an agreement.
Organisations may be reluctant to punish their contemporaries because they may be next to receive enforcement action
Stakeholders need efficient markets to ensure that their risk preferences are reflected in the risk management decisions made by organisations. For example, customers need to have a clear understanding of the health and safety or quality risks associated with the use of a particular product if they are to decide whether to purchase it at a given price, or whether to choose to pay a higher price for a safer product.
A key factor that is needed to ensure market efficiency is information. Stakeholders need to know the types and degrees of risk to which they will be exposed in order to generate market incentives for effective risk management. This can be hard to achieve in practice
Customers are unlikely to know how safe or reliable a product is before they purchase it, whereas the organisation manufacturing the product will have a much better understanding of the product's safety and reliability. This is known as the asymmetric information problem.
The problem of opportunism can arise in the presence of asymmetric risk-management information between stakeholder groups.
A second market failure that can help to justify risk management regulation is the public goods problem. Public goods are products, services or other benefits that are enjoyed on a non-exclusive basis by all the members of a society.
From a risk management perspective, key public goods are the environment and the protection of shared systems such as the global financial system.
The problem with these public goods is that individuals or organisations may make risk management decisions that benefit them, but which do not protect the wider environment or financial system.
Weighing up the costs and benefits of risk management regulation
The primary benefit of risk management regulation is that it is intended to help mitigate market failures and to protect stakeholders from the consequences of excessive risk exposures.
This does not mean that all such regulation should seek to eliminate all risks
A degree of risk - even potential downside risks like pollution - is an inevitable consequence of all organisational activity
Excessive risk management is rarely cost effective and few risks can be reduced to zero without stopping beneficial activities
The reasonable needs of different stakeholder groups must also be balanced, such as the need for shareholders to receive a fair return on their investment
The costs of regulation come from over regulation or ineffective regulation, where organisations are required to reduce risk below the optimum level that balances the needs of different stakeholder groups or where organisations face excessive costs related to compliance and enforcement without much benefit
Over-regulation is relatively rare, but different groups of stakeholders have conflicting opinions on this.
In all cases, compliance costs can be considerable and these costs may both decrease the profitability of an organisation and increase the price of goods and services
Compliance costs include the cost of maintaining a compliance function or providing information to regulators. This means that the stakeholder groups that regulation is designed to protect may end up paying some or all of the associated costs of compliance
The global regulatory environment for risk management
The global risk environment for organisations contains a range of international laws and regulations that address the management of risk. The number and complexity of these laws and regulations has grown significantly in the past few years, especially after the global financial crisis and the subsequent sovereign debt crisis.
In addition, many local laws and regulations are influenced by international laws and regulations. An organisation may be indirectly affected by a particular international law or regulation, even if it is not directly under its purview.
In addition to formal laws and regulations, there are also international standards for risk management. These standards have also grown in their number and complexity.
These standards primarily help to share good practice, improving the effectiveness of risk management within organisations and delivering further value to their stakeholders
These standards also help organisations to comply with international and local laws and regulations
The need for international regulation and standards
International regulations and standards are required because risk exposures often cross national boundaries
The removal of trade barriers, easier travel and resources such as the internet mean that organisations are now more multinational in terms of their operations and markets
Major risks to public goods - such as the environment or the financial system - can have far reaching effects
Diverse risks may be connected: for example, major environmental pollution events and weather events may affect financial markets across the world
In addition, problems in financial markets and institutions can affect the supply of credit and cause global economic problems
International regulation and standards in relation to risk management
Effective corporate governance is an important element in today's business environment.
Weak corporate governance can lead to corruption, costly standards, organisational failure and even systemic breakdowns that damage the interests of all stakeholder groups
International regulations and standards on corporate governance help to promote sustainable economic growth on a global level, ensuring that stakeholders are treated fairly and that organisations have cost effective access to global capital markets
One of the most influential standards on corporate governance is the G20/OECD 2015 Principles of Corporate Governance. These principles are often referenced by countries developing local governance codes or guidelines and have been adopted by international agencies such as the World Bank and the Financial Stability Board (FSB).
The principles exist to provide a worldwide benchmark for good corporate governance practice and for supervisory assessments of this practice. The principles cover issues such as the design of effective corporate governance arrangements, ensuring the fair treatment of shareholders and other stakeholder groups, and the disclosure of corporate governance and associated risk management information.
Environmental risks such as ground, water and air pollution along with global warming, do not respect national borders and are therefore a key part of the global risk environment
National regulation and standards in an area of significant global concern require careful co-ordination to ensure that weaknesses in one national regulatory regime are not exploited to the detriment of stakeholders in other nations.
Organisations that may be a pollution risk, or that contribute in other ways to environmental concerns, may be subject to international laws and regulations on environmental risk management.
These laws and regulations cover
Contaminant clean-up
While making and executing strategic business decisions, organisations should ensure that they comply with these international rules and regulations as otherwise they may face fines (or worse).
This is an integral part of good risk management
The stability of the global financial system is a key source of risk for both financial and non-financial organisations
For non-financial organisations, a stable global financial system is necessary to ensure that they continue to have access to capital resources to help finance their activities.
Financial system instability can trigger worldwide economic problems, restricting access to consumer and government credit, threatening the safety of saving deposits and disrupting payment systems
There are few, if any, financial markets that are not interconnected in some way. Money markets are by their nature international, and stock markets attract investors and other stakeholders from around the globe. Most other financial markets - such as commodities markets, bond markets and derivative markets - are also inherently international.
The net result of these interconnected markets is that financial problems in one country or even in a single, large financial institution can have global implications
The large number of causes for global financial market instability and the potentially severe consequences mean that international regulation is especially strong in this area. Multiple international agencies and most countries are involved
The primary source of regulation for global financial stability risks is the Basel Accords. Under the patronage of the Bank for International Settlements (BIS), these arrangements are negotiated by the Basel Committee, whose membership comes from representatives of the G20 countries.
The Basel Accords include requirements relating to capital resources and risk management practices. Their aim is to prevent financial crises through effective risk management but if that fails the capital resource requirements help to provide a financial buffer. The strictness of these requirements has increased significantly since the global financial crisis of 2007-08. Banks now hold significant levels of cash as capital to ensure that funds are available to pay for most of the losses that they may incur.
Health and safety
The protection of human rights is a major focus for international law and regulation. This includes protecting people from work-related sickness, disease and injury, and from the harmful actions of organisations located near to their homes.
Overall responsibility for international health and safety regulation rests with the International Labour Organisation (ILO). The ILO produces a wide range of standards and codes of practice. It also works to address areas of international concern, such as forced labour and child labour
Global regulatory principles
Rules are direct legal requirements.
The contravention of a rule will, in most cases, lead to enforcement action, which could result in a fine, imprisonment or some other civil or criminal sanction.
Very few international regulations are rules. International bodies rarely have the legal authority necessary for rule making powers. As a result, it is up to individual countries and their governments to turn international regulations into rules that are then enforced by their own legal agencies
Guidance includes standards or codes of practice. Guidance need not be complied with as strictly as rules.
It is up to an organisation to decide how to interpret and implement guidance.
Guidance usually reflects established good practice, such as established practices for the effective management of health and safety risks. Organisations that decide to ignore guidance may be required to explain why
Principles and outcomes based regulation
Principles and outcomes based regulation relies on relatively high level regulatory principles and associated outcomes such as consumer protection or maintaining financial stability
The aim is to minimise the volume of detailed rules and guidance and to allow organisations more freedom when deciding how to apply the principles or how to achieve the intended outcomes in specific areas of regulation
Principles and outcomes based regulations work best when dealing with complex or dynamic risk management issues where there is no agreed good practice or where good practice has not yet emerged.
A further aim is to minimise the volume of detailed rules and guidance and to allow organisations more freedom when deciding how to comply with specific areas of regulation
Principles and outcomes based regulation can lead to a lack of clarity about how to comply
Risk based regulation
Risk based regulation may be combined with rules, guidance and principles and outcomes based regulation. The idea is that the higher the degree of risk, the stricter the level of regulation that is applied.
This means that lower risk organisations will generally be subject to lighter touch regulation than high risk ones
Risk based regulation is common in financial services risk management regulation, as well as in areas such as health and safety
International risk management standards
The ISO 31000 standard provides guidelines for managing risk in all types of organisations, regardless of their size, activities or industry sector
This standard covers the essential aspects of risk management practices in organisations.
It provides a set of principles, a management framework and a process that can be used to evaluate and further improve the organisation's risk management arrangements.
The standard is used by regulators, external and internal auditors, risk management professionals and company secretaries/governance professionals to help improve the management of risk against an international benchmark for good practice
The 2018 update did not change the core philosophy of the original 2009 standard but places greater emphasis on top management leadership in the creation and preservation of organisational value through risk management
There is a greater focus on the integrated nature of risk management whereby organisations should review and regularly update their risk management practices to take account of new and changing risks such as cyber and terrorism risks
COSO Enterprise Risk Management - Integrated Framework 2004 and 2017
COSO was created to provide thought leadership on risk management, internal control and fraud deterrence to help improve organisational performance and governance
COSO is a US based organisation, but its influence is global.
The initial focus of COSO was on financial reporting and supporting US corporate governance regulation but its remit has grown since its creation
In 2004, COSO launched its initial guidance on what was termed enterprise risk management. This guidance was designed to support organisational stakeholders by improving risk management practices ensuring that organisations achieve their strategic objectives and balancing the needs of different stakeholder groups into the long term
In 2017, COSO released a major update to its Enterprise Risk Management - Integrated Framework, which highlights the importance of considering risk both in the strategy-setting process and in driving the performance of an organisation. As such, it takes important steps toward ensuring that risk is managed as an integrated part of managing an organisation.
ISO 19600:2014 - compliance management systems
ISO 19600:2014 is the international standard for compliance management systems.
The standard is closely related to ISO 31000:2018 and is designed to help improve compliance management practices in organisations.
The standard has been designed as general guidance and does not cover issues in relation to specific areas of compliance. The content of the standard includes:
The role of the board and senior management in providing leadership for compliance management
The roles of other organisational functions, including the risk function and the compliance function
Drafting a compliance management policy
Agreeing compliance objectives and plans
Communication and training
The operation of effective compliance management systems
The evaluation of compliance management performance
Dealing with non-compliance and improving the effectiveness of compliance management