Tuesday, 18 June 2013

What every Risk Manager should be asking himself

Stanley Epstein - Principal Associate - Citadel Advantage

The whole aspect of Risk Management has taken on a much higher profile over the past few years, driven by many new factors. In the financial industry the crisis that so unpleasantly arrived on our doorstep in 2008 has been a major catalyst, while other recent events such as 9/11, the recent Japanese tsunami linked to the Fukushima nuclear incident, hurricane Katrina and more recently hurricane Sandy have each, in their own way, added to the knowledge of risk and to the pressure to be more aware of it and to take positive steps to manage it better.

One of the most important aspects of risk management lies in the creation of the correct culture within the organization. In this short article I pose ten questions aimed specifically at Risk Managers. If you can answer “yes” to all of these you have created the appropriate risk management culture. The more “no”s you have on your list, the more work you need to do.

1. Have you identified the potential business risks to the organization?

The starting point of any risk management program is to obtain a clear understanding of all the potential risks that face the firm. The emphasis is on ALL the risks. Remember that operational risks become business risks as well.

2. Have you assessed the likelihood and consequence of each significant risk being realised?

There are risks and there are risks. Once you have established what risks face your organisation, the next step is to determine the chances of each risk being realised, as well as the effect such an occurrence would have on the business or operation.

3. Have you assessed those risks that could:

  • Damage your organization’s reputation?
  • Affect your organization’s market position?
  • Result in prosecution?

We often tend to focus on the financial risks only. However, risks are always much wider than just the loss of income or the added expense of replacing a server. You need to give serious thought to the risks that could affect your organisation in the wider scheme of things: reputation, market position and the threat of prosecution, to name but three. A current example is the “horse-meat” scandal that is sweeping across Europe.

4. Have you established controls to manage significant business risks?

Of course it is impossible to eliminate all the risks that the firm faces. Yet there is a very significant range of risks that your business is exposed to regularly. The starting point in managing these risks is to make certain that the right controls are in place to do just this.

5. Have you established a positive culture for controlling the risks?

Although risk represents a danger to the firm and a potential loss, risk should be seen in a positive light as an issue that you need to be aware of and that needs to be managed. A positive culture in managing risks is based on ensuring knowledge and understanding of what risk is, its implications and how it is managed or mitigated. This culture is further enhanced by ensuring that ALL the organisation’s staff receive the appropriate training.

6. Have you established a contingency plan to mitigate disaster?

What would you do, if tomorrow morning, you were faced with a situation in which you were unable to open your business? The reason why is largely irrelevant. The real disruption would be that you would be unable to open for business. Contingency planning is exactly how you would overcome this unfortunate situation and be able to continue operations/ serving your customers. Do you have a Business Continuity Management plan that covers everything? Has it really been tested? Will it work?

7. Have you established continuity management control arrangements?

Business continuity management control addresses an organization’s ability to offset interruptions to normal operations. Key elements of this include:

  • Business continuity planning – a business continuity strategy based on a business impact analysis.
  • Business continuity testing – testing and documentation of the business continuity strategy.
  • Business continuity maintenance – identifies ownership of the business continuity strategy as well as ongoing reassessment and maintenance.

8. Do you regularly audit compliance with control arrangements?

It is one thing to have a comprehensive set of control arrangements to help mitigate the various risks. But this does not mean that you have managed your risks effectively. Are the control arrangements actually being complied with? Compliance auditing will help keep this in check.

9. Do you regularly review these arrangements with respect to their adequacy and effectiveness?

Nothing remains static over time. What is true today need not necessarily be so tomorrow. The same applies to control arrangements. New processes, new operations and new clients all subtly change the risks you face. And with this change comes the need to ensure that the controls you have put in place always remain adequate and effective.

10. Do you report annually on your risk and control measures?

Is there a higher body that keeps a watching brief over the business’s risks, the risks that you manage and your control measures? Do you report regularly to someone on these issues? You should be, and you should be doing this at the very least annually.

At the start of this article I wrote that a positive answer to each of the ten questions posed above would indicate that you, as a Risk Manager, have created an appropriate risk management culture. But culture is not enough. That culture has to lead to effective risk management. You do this in the doing: in showing positive results, in bringing down the risks faced by the business, and in reflecting a positive financial outcome.

Of course this is just the beginning of creating an effective risk management program. Acquiring the knowledge and the expertise is the next step on the Risk Management ladder.

Remember – risk management is a journey, not a destination!

The fun stuff is yet to come!