Role of risk management in organisations - Coggle Diagram
Role of risk management in organisations
Reducing uncertainty
Uncertainty, in the sense of the absence of a clear understanding of the probability and impact associated with the range of possible outcomes that may result from a decision or activity, is rarely ever desirable
In the face of uncertainty, risk management can be used as an information gathering tool. This might include collecting data on past risk events to build a clearer picture of what can occur
Trend analysis and risk modelling may be used, as can scenario analysis, which involves asking 'what if' questions and imagining worst case scenarios
Anticipation and resilience
Risk management is a tool that can be applied in two main contexts
As a means to anticipate and predict risk events so that the probability of negative events can be reduced and that of positive ones increased
As a means to help organisations respond effectively to and recover quickly from risk events that have not been anticipated
Controls are used to manage probability and impact in order to achieve more favourable outcomes and reduce an organisation's exposure to those outcomes
The anticipation of risk is an important part of the risk management process. Risks are identified, assessed and monitored before they are controlled - identification is used to highlight the range of risks that an organisation is exposed to, and assessment and monitoring are used to help prioritise scarce control resources
Not all risks can be anticipated: some risks may be unknown. Even where they have been identified, it may be impossible to calculate probability and impact with sufficient accuracy
From time to time, organisations will encounter risk events that they did not foresee. This failure of foresight may be because a risk event was unknown or because the event was known but it was impossible to estimate probability and impact
In the face of high levels of uncertainty, organisations may find that they need to invest in resilience. This means
Responding quickly to mitigate the immediate effects of unanticipated events as they unfold (effective crisis management)
Recovering quickly from the aftermath of an unanticipated event to ensure that the organisation is able to maintain operations and achieve its objectives (business continuity management)
Reviewing past unanticipated events in order to improve future resilience
Supporting the internal control environment
Risk events due to a breakdown in internal control arrangements can be very costly, damage the reputation of an organisation and divert attention from strategic and operational priorities
In most organisations, ensuring effective internal control is an important part of risk management - this is emphasised by many types of regulation
Risk management can help to strengthen internal control by providing a means to identify, assess, monitor and control internal control risks - this can be done as part of an organisation's regular risk management activities
Risk based compliance reviews
Many organisations assess whether their employees and managers are complying with applicable laws and regulations
Compliance reviews are often risk based, meaning that more detailed and more frequent reviews are conducted in areas where the consequences of non-compliance are high, or where risk assessment and monitoring activities suggest that there is a higher risk of non-compliance
It would be very difficult to organise a risk based compliance review without effective risk management
Internal audit
Most organisations conduct internal audits to ensure that their policies and procedures are designed and implemented in an effective way and to check that operational processes are working efficiently
Internal audits may incorporate compliance reviews to investigate the degree of compliance with applicable laws and regulations
Internal audits often identify issues that relate to risk management practices in organisations, typically failures in the design or application of risk controls
Effective risk management in advance of an audit should help to reduce the number of control failures identified in internal audits
Risk management can be used to support the practice of risk based auditing where more detailed and more frequent internal audits are conducted in organisational functions, activities and processes that are assessed as high risk
External audit
External auditors review on an annual basis whether the financial reporting controls within an organisation are adequate - this is to ensure that the annual report and accounts are accurate and free from material financial misstatements
Many external audits go beyond the more immediate financial reporting controls to review the broader governance and internal control environment of an organisation
The accuracy of an organisation's financial statements is not solely dependent on financial controls. A broader review of controls will help the external audit provide a more accurate opinion on whether the organisation is likely to continue as a going concern
Linking risk to strategy
There has been a growing demand for more effective risk management practices to cope with the rapidly changing business environment, especially since the financial crisis of 2007-08
Many organisations focus on assessing and managing risks that arise from a chosen strategy or different components of a strategy
Expertise and mission alignment are particularly relevant when an organisation is pursuing a sizeable business
There remains a further need to strengthen the strategic risk framework to better connect different decision making steps, including
The initiation of a strategic review
The assessment of alternative strategies (including their overall fitness)
The execution of a strategy
Monitoring and managing risks that arise from a chosen strategy
The role of the board
Boards have undergone a considerable evolution in relation to their oversight of both risk and strategy
Boards are already responsible for formally approving the aggregate level of risk an organisation can take in pursuing its strategy (risk appetite statement)
They also set the strategy, which must be reflective of the organisation's values and behaviours (corporate culture)
As organisational strategies evolve and business threats become more complex and frequent, bringing risk closer to strategy is the next logical step in order for boards to remain effective in their oversight of an organisation
A more comprehensive understanding of non-financial risks that emanate from strategy is also an area that is evolving. Many boards hire third party experts to help them independently review different aspects of external threats and understand how these threats may translate into actual losses for an organisation
The advantages of linking risk to strategy are that it allows for a clearer assessment of aggregate risks related to a particular strategy as well as enabling board level discussions on whether alternative strategies present a more attractive risk/return choice for an organisation
Boards have been taking a more significant role in linking organisational risks to strategy, by incorporating new processes and behaviours
Challenging management on key risk appetite assumptions and definitions. Boards are expected to have comprehensive understanding of the different risks that form the risk appetite statement and to treat risk as part of the decision making process
Seeking more comprehensive assurances from management on how the non-financial risks are monitored and mitigated vs a simple 'yes or no' approach. Boards are expected to ask management to quantify such risks in terms of their impact on the value of an organisation
Encouraging management to discuss risks in relation to the strategy
Hiring independent external advisors to evaluate risks of acquiring a sizeable business or asset
Connecting the internal audit function to strategic planning and strategic risk management processes as well as calibrating the output from the internal audit reports within the context of strategy
Creating value through risk
Ultimately the main objective of effective risk management is to make an organisation more valuable
Traditionally, the focus of risk management has been on protecting the value of an organisation by reducing the likelihood and the impact of negative outcomes, in the context of its tangible assets such as buildings, machinery or cash as well as its intangible assets such as reputation
More recently, by increasing the probability and the impact of positive outcomes, risk taking has been seen as a way of generating additional rewards for the organisation
Organisations identify risk taking opportunities by understanding key drivers of revenue growth, operational efficiency, asset and investment efficiency, balance sheet optimisation and stakeholder expectations
Exploiting risk as part of day to day operations
Exploitation of day to day risks usually refers to optimisation opportunities found within the existing risk management framework based on the current strategy
Strategic risk taking
Strategic risk taking refers to the willingness of an organisation to make strategic business decisions that may lead to an increase in its total value
Strategic risk taking activity often requires a recalibration of the existing risk management framework so that it remains fit for purpose
Strategic risk taking is considered to be a more risky alternative vs exploiting day to day risks. The most common barriers that hold organisations back include
Corporate culture: management does not support strategic risk taking initiatives
Lack of risk prioritisation: organisations place a higher priority on managing day to day risks at the expense of missing the bigger picture
Failure to perform adequate due diligence: organisations fail to properly conduct risk/benefit analysis to make management and boards comfortable about taking strategic risks
Lack of a designated risk manager to stay on top of emerging trends and to navigate different strategic risk taking ideas throughout the organisation
Adverse risk taking
Excessive risk taking may sometimes lead to an organisation assuming greater and less justifiable risks that can erode or completely destroy its value
Excessive risk taking is often linked to the corporate culture of an organisation through its risk attitude
Risk attitude is defined as a chosen state of mind or a response to a single decision or an action that could result in more than one potential positive or negative outcome (risk event)
An organisation promotes a particular risk attitude through the adoption of a range of allowable behaviours in response to a risk event, with any differing behaviours leading to consequences
Organisations that promote excessively high risk taking behaviours and/or have inadequate compliance monitoring and training procedures are at risk of having their value significantly eroded or destroyed, often at the hands of very few people who put their own personal interests above those of the organisation (e.g. Enron's bankruptcy)
The role of the board
Boards should understand different value creation initiatives available to an organisation and be comfortable with chosen risk taking initiatives that are presented to them by management
To ensure boards can provide effective oversight, management should present information in a receptive manner and seek timely advice and guidance from the board members
Whenever boards have a knowledge gap in evaluating a specific risk taking opportunity, boards should actively explore different avenues on how this gap can be addressed
Boards may wish to utilise organisational resources or hire independent third party subject matter experts
Regulatory view of risk
Globally the banking sector faces the most prescriptive regulatory risk framework - this was developed by the Basel Committee on Banking Supervision to strengthen regulation, supervision and risk management practices in banks
In Basel III, credit, market and operational risks are closely linked to the amount of economic capital held by banks. Regulators require a riskier bank to hold more capital to compensate for potential losses
Banks are allowed to use either an internal approach, which takes into account their own estimated risk parameters, or a standardised approach to calculate their minimum risk based capital requirements
Liquidity regulatory requirements are a fairly recent development - the importance of sound liquidity risk management practices was reinforced by the financial crisis of 2007-08, when many banks faced a liquidity squeeze as they unsuccessfully tried to roll over their overnight borrowings to fund illiquid long term assets
Banks must comply with additional requirements
The liquidity coverage ratio
The net stable funding ratio
Regulatory stress tests are another regulatory requirement introduced after the financial crisis. Regulatory stress tests measure banks' resilience to severe macroeconomic shocks such as a sharp economic slowdown or a severe interest rate shock - they comprise different scenarios meant to capture different types of risks, including credit risk
The PRA's annual reverse stress test - tests vulnerabilities in the organisational business model by making banks come up with scenarios that would make their operations unviable
The PRA's solvent wind-down test - focuses on the ability of banks to wind down their businesses