The need for effective risk management today has never been clearer, according to Martin Metcalf, chief executive officer, Strategic Thought. He sees risk as “anything that could negatively impact the ability of an organisation to deliver on its obligations and forecasts.”
He adds: “There is a growing demand from shareholders, regulators, credit agencies and customers in the private sector and citizens, taxpayers and government in the public sector, for transparency and evidence of strong risk management. There are similar calls to identify and make the most of every opportunity - to maximise the upside to gain more business or deliver best value to citizens.”
Is this demand being met? Many believe that the development of enterprise risk management (ERM) still has some way to go to meet this goal.
Rupert Chapman, senior consultant in IT solutions and infrastructure practice, PA Consulting Group, considers that the implementation of ERM has been patchy. “Risk functions have tended to operate in silos. Functions such as business continuity planning, disaster recovery and operational risk do sometimes come together but often they manage to form larger silos rather than develop a broad approach to managing risk across the whole enterprise,” he says.
Matthew Bates, managing director of risk management Heath Lambert, is
also not convinced that many organisations have embraced ERM. “It’s almost certainly on most board agendas but it’s still evolving,” he says. “Sometimes organisations find it difficult to identify what ERM means to them and to perceive value. Obviously at the moment there are conflicting priorities,” explains Bates.
He believes most organisations view business continuity planning as offering better value. “The plan may not always be fully documented but that is not a problem if an organisation is fairly nimble and can respond in a positive way,” says Bates.
Chris Lajtha, principal of Parisbased ADAGEO, warns that a common pitfall for companies that do embrace ERM is over-enthusiasm. “There is a tendency to plunge into comprehensive risk mapping, risk register creation and ‘top risk’ triage. Risk maps are produced and action plans apparently linked to the risk map output. However, not enough consideration is given to the flaws in such a process and the cost-benefit of the output. Further, the skewed focus on risk, often uncoupled from considerations of economic return, can send conflicting signals to operations managers around the world who are charged with developing and growing the business. They understand implicitly that risk and reward are two sides of the same coin – and that uncoupling them is a largely artificial exercise with a potential downside – encouragement of risk aversion.”
This is linked to a second common pitfall – naivety – he says. “It should not be overlooked that the much-trumpeted practice of ERM (which is by no means a child of the 21st century but rather a clever rebranding of some of the better past risk management practices) has been largely driven by politicians and consulting firms. Regrettably, ERM has become more concerned with compliance and communication than performance as a result of the relatively recent regulatory requirements for more formal risk/risk management communication. This misses the key point: that the business proposition of effective risk management is intelligent risk-taking and not risk avoidance.”
It is not just ERM that is under the spotlight. With today’s focus on resilience, Dr Paul Roberts, managing consultant in Marsh’s business continuity management practice, says that increasingly companies are asking how continuity planning fits in the picture. “Companies have been focusing on getting leaner and reducing costs with consequent less resilience in the supply chain. Now they want more clarity about things like supply chain risk,” he explains. “ERM looks at impacts and threats and business continuity tells us what is critical to the business. We need to bring the two together; both can add value.”
Simon Perry, partner, PricewaterhouseCoopers, considers many companies have neglected aspects of continuity planning. Only a few have focused on their supply chains, he says. This can be a costly oversight – and not just in terms of potential disruption. Perry cites examples of risk managers achieving insurance premium reductions by making their businesses more resilient.
A key element in building a resilient business is looking at the business from the top down and deciding what the most critical parts are, says Roberts. “This lets you understand what is the value of the business and why. Then you know what you need to protect and you can make the right investment in the right places first.”
“If a business cannot reduce the risk of some things happening, it has to think how it will respond when they do happen,” Perry suggests. “There can
be considerable exposure across a number of big manufacturing companies that are all using one supplier. There’s now a focus on supplier solvency but there are other reasons why suppliers may have problems. For example, there may not be access to enough energy or there may be a shortage of raw materials,” he warns.
Rick Cudworth, partner in Deloitte and head of its UK business continuity and resilience services, sees ERM as assessing risks and putting in place controls which deal with both prevention and protection. “The natural extension is deciding how the organisation should react if controls are not available or fail. This preparedness is basically what’s encapsulated in continuity planning.”
Chapman believes that one effect of the economic crisis is that risk and resilience have become decoupled. “The risks that have been addressed, particularly in terms of continuity and resilience, are not the ones that are facing companies now,” he explains. “Resilience strategies simply won’t address the wider business issues that shareholders are interested in such as maintaining business continuity if liquidity ceases or the key customer base disappears.”
Chapman points out that some organisations have culled their continuity planning or disaster planning function, rather than looking at how they can re-engineer to deliver a more sophisticated and more relevant capability when they emerge from the economic crisis.
“We all recognise that effective risk taking is a key contributor to growth,” explains Stuart Anderson, principal consultant, defence and security practice, PA Consulting Group. “Today’s situation could mean that organisations become more risk averse, and I think we’re already seeing the move into ‘paralysis by analysis’. Such caution may increase the risk of missing opportunities, which could ultimately cause an organisation to stagnate and shrink.”
“Risk management is about degrees and volatility in business achievements. Likewise it is about the impact of opportunities on business objectives,” says Metcalf. He warns that stakeholders and citizens are just as likely to ask “what did you do to maximise an opportunity?” as they are to say “what did you do to mitigate a risk?”
PRINT
EMAIL
TWITTER
FACEBOOK
LINKEDIN
FEEDS