In our everyday lives, every action we take has an element of risk attached to it. Take the simple action of crossing a street, something we do umpteen times in our lives from the time we can remember. This, too, has various risks that can manifest themselves with varying degrees of intensity.
Risk is a pervasive but subtle concept, widely used and discussed, but not very well understood. In the world of business today, the concept of risk is very important as it is the beating heart of all decisions that we make.
Successful management of risk requires constant tackling of the known, the unknown and the unknowable risks. Understanding the nature of the differences across risk types, and their comparative contribution to total earnings volatility, can shed light on the portion of the risk space within an enterprise that is known and knowable, and hence manageable, versus the portion that is unknown and therefore unmanageable.
Identifying an individual cause of failure for a company is often not possible. More likely than not, letdowns occur due to a combination of factors and these may, or may not, be visible to external parties during the months or years preceding failure. There is, however, one factor that appears common to most failures, and that is the adoption of poor risk management practices.
If we look at the past, financial risks have caused major blowouts, wiping out billions of dollars of capital from the system and pushing people and economies into bankruptcy. The stock market crash of 1987, the Asian crisis of 1997, the dotcom bust of 2000, the September 11 terrorist attacks, rogue trading losses at a host of international banks and insurance companies, the global financial crisis of 2008 and the recent and still fresh Euro Zone crisis are some of the notable examples of risks going out of control. They are grim reminders of the potential impact of mismanagement or ignorance of risk.
Historically, many organisations have looked at risk management in a somewhat fragmented way. However, for a growing number of organisations, this no longer makes sense and they are adopting a much more holistic enterprise risk management approach.
Organisations at the forefront of risk management now have risk committees, operational risk committees, and information and cyber security committees, which are often chaired by a senior or board member who has overall responsibility for risk management across their organisation.
The point is that a fragmented approach no longer works. In addition, risk management has clearly moved up the agenda for the board or management committee.
At its most fundamental level, risk management involves identifying risks, predicting how probable they are and how serious they might become, deciding what to do about them and implementing these decisions.
Any company that adopts an inappropriate approach to risk runs the danger of seriously damaging its business. It is important that companies understand that risk management is not an add-on but an integral part of the business.
In order for a company to be able to identify what risks it is taking and those that it is not prepared to take, it must first identify its long-term objectives and define its risk appetite and risk tolerance. Some companies have been much better than others in identifying in a concise but operational way what their business is about.
Having identified their objectives, companies should not seek to identify, say, 1001 risks. Boards of directors at both corporate and strategic business levels should focus on what they believe to be their main business risks, i.e. the key risk indicators. These risks will depend on the industry.
For example, manufacturing firms would primarily face risks relating to supply chain, product safety, employee safety, intellectual property, emerging markets, third party vendors and information technology. The banking industry, by contrast, would face risks which include credit, liquidity, concentration, operational and market risks. Additionally, there are a few risks which would be common among most organizations. These risks would include legal and compliance, staffing and succession planning, regulatory, information technology and operational risks.
It is, however, important to keep in mind that while most risks for a company will remain the same (through its life), some risks will depend on the circumstances, environment and the projects undertaken at any given time.
When assessing the risks an organisation faces, it is important to have the full support of the board. It is critical that they appreciate the importance and understand the benefits of risk management. The board should receive regular reports from management so that they are fully conversant with the risks identified and those which appear as more information becomes apparent.
As with any process, the output is only as good as the input. Unless organisations have effective systems for identifying and prioritizing risks, there is a danger that they will build their controls on very shaky foundations.
Having an effective system means that people at all levels, in different parts of the organisation, are involved in determining its main risks driven by a robust risk culture and sponsorship from the leaders.
Despite the apparent widespread uptake of risk management, the extent to which risk processes are actually applied is somewhat variable. Many organisations adopt a minimalist approach, doing only what is necessary to meet mandatory requirements, or going through the motions of a risk process with no commitment to using the results to influence current or future strategy.
A universally accepted method of dealing with risks is to either avoid, retain, reduce or transfer the risk. It is in the transfer of risks that insurance companies play a unique role. They take on risks that companies cannot manage. This is done through various covers offered by insurers such as ‘Contractors Plant and Machinery’, ‘Marine All Risk’, ‘Public Liability’, ‘Fire and special perils’, ‘Erection all risk’ etc. These and other insurance covers ensure that companies, while having to manage risks that are intrinsic to them, can transfer some of the risks to insurers.
The core business of any insurer is that of mitigating risks that other organizations face in return for a premium. At ICICI Lombard GIC, we go beyond just insuring a customer; the company has an active and well-entrenched risk advisory service that is offered to our customers.
This not only helps customers understand the risks they are exposed to, but also enables them to minimize those risks by implementing best practices, which in turn prevents a risk phenomenon or at least reduces the probability and impact of any potential loss to the organization's business operations from a risk incident, as well as reducing the premium paid by the customer.
From a health point of view too, the company has launched wellness programs which encourage customers to lead a healthier and, therefore, more productive life. This, to my mind, is how the management of risks needs to evolve.
Source: CFO, The Economic Times