In a large corporation, risk management is handled by a Chief Risk Officer (CRO), a role that has been growing in popularity, by the Chief Financial Officer (CFO), or even by the Chief Executive Officer (CEO): surprisingly, 23% of respondents in the latest Accenture Global Risk Management study reported the latter. In a small or medium-sized enterprise, by contrast, risk management often falls on the controller's (or even the chief accountant's) desk. Set aside the question of who actually owns risk management: anyone in the accounting and finance field should have at least a working knowledge of it.
What Risks Are Supposed To Be Managed
If you think that risk management,
- is just about managing financial risks (risks relating to currency, hedging, insurance, or changes in the price of commodities), you’re wrong!
- is just about managing the risk of failing to comply with laws and regulations, you’re also wrong!
- is just about the risk of errors in the financial statements, please update (and perhaps upgrade) your knowledge!
- is just about operational and strategic risks, such as the potential failure of a sole supplier, you're wrong again!
In a nutshell, risk management is about all of the above: it is about managing the potential effects of uncertainty throughout the business's operations. Therefore:
- Whenever executives and the boards discuss strategies, they should be considering risk.
- Whenever managers make decisions, they should be thinking about the risks and doing something about them.
When Risks Are Supposed To Be Managed
Whoever heads the risk management function should understand that risk is not something that can be managed once a quarter, once a month or once a week. Risks appear and have to be addressed all the time; they need to be integrated into routine decision-making, strategy-setting and performance management. Nor should risk management be viewed only as a compliance chore. Companies with effective risk management are better equipped to deliver optimized, reliable and sustained performance over the long term. They are prepared for what might happen, not only to mitigate the effect of adverse situations or events but also to take full advantage of opportunities.
The Committee of Sponsoring Organizations (COSO) enterprise risk management framework states succinctly that Enterprise Risk Management (ERM) “helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.” But the state of risk-management practice is still poor. In a recent study of executives conducted by KPMG, two-thirds indicated that “their board is unable to leverage the risk information it receives to improve strategy.”
How Risks Are Supposed To Be Managed
So how are risks supposed to be managed, you ask? Let's look at some of the principles set out in the global ISO 31000:2009 standard on risk management:
- Risk management creates and protects value.
- Risk management is an integral part of organizational processes.
- Risk management is part of decision-making.
- Risk management explicitly addresses uncertainty.
- Risk management is based on the best available information.
- Risk management is dynamic, iterative, and responsive to change.
Some companies have implemented risk management through periodic assessments of their most significant risks. But:
- Are these reviews making risk management ‘part of decision-making’, as the ISO 31000 principles require?
- Has risk management become ‘an integral part of organizational processes’?
- Does this practice make the organization sufficiently nimble to handle situations that arise with little notice or quickly take advantage of a competitor’s inability to support market demand?
Risk management, in the words of COSO, “helps an entity get to where it wants to go.” Even CROs, CFOs and CEOs who do not have organizational responsibility for risk management should ask these questions:
- Is our risk-management program mature? Is the consideration and management of risk part of how we make decisions at all levels of the organization?
- Are we prepared both to handle potential negative events and seize opportunities?
- How often are we surprised when we shouldn’t be?
- Do the executive leadership team and the board have the risk information they need to set and then modify corporate strategies?
- What actions are we going to take? When?