Enterprise Risk Management Trends
By Lloyd Chirindo
Positively embrace risk to improve company performance.
The concept of risk management is a multi-disciplinary approach which entails various processes, systems, frameworks and methodologies. For a firm to succeed, it must have the ability to optimise the risk and reward equation for both strategic and operational matters. We have witnessed several risk management disasters in Zimbabwe and across the globe due to a lack of proper risk management.
What is risk?
Firms must understand that profits are rewards for proper risk management and losses are punishments for disregarding risk management. The word risk was borrowed from the Italian word “risco” and the French word “risqué”, from the mid-17th century, and both translate into the term danger. Risk is defined as the effect of uncertainty on objectives. Uncertainties may be positive, such as achieving more than the firm has planned. Conversely, there are threatening uncertainties, which may affect the achievement of objectives. As a rule, risk is measured in terms of its consequence and likelihood, with the combination of the two indicating the level of risk.
What is enterprise risk management?
Enterprise risk management is a process effected by a firm’s board of directors, management and other personnel, applied in strategy formulation across the enterprise and designed to identify potential events that may affect the firm. This is done to manage risk so that it falls within the firm’s risk appetite.
The concept of risk management (RM) has existed since the end of World War II. Corporates have always managed risks, though sometimes they have done so subconsciously, implicitly or inconsistently. Enterprise Risk Management (ERM) simply categorizes risk management practices into a framework that enables entities to manage risks in a more consistent and coordinated manner. Understanding the E in ERM is important, since ERM is not just a financial risk view or an IT risk view, but an organization-wide view of risk management. It involves all staff and all areas and processes of the firm and concentrates on all critical risks.
When should we manage risk?
Risks must be managed at all levels of the organization, including all functions, activities and projects. Some think that risk management only occurs when you undertake a risk assessment or complete a risk register. In fact, risk management happens every second, minute, hour and day. Risk management is not a stand-alone function that exists within a firm with responsibility limited to a few people. Rather, it is an integral part of strategic, operational and project management. Risk management should therefore be embedded in all our procedures and activities and continuously monitored.
How do we manage risk?
We manage day-to-day risks by implementing a range of effective internal controls designed to negate potential negative results and enhance opportunities. Internal controls are often documented and reflected in business processes, such as disposal of fixed assets. Insurance can also be used by corporates as a risk transfer mechanism, especially for those risks which firms cannot retain, as can risk transfers through contracts. Risks that arise from strategic initiatives, like innovation, are more complex and subject to more uncertainty. These risks will require more rigorous analysis and formal risk assessment when pursuing new strategies.
Who is responsible for managing risks?
Risk management is everyone’s responsibility, but it is primarily the responsibility of managers in a business. The Three Lines model highlights that the first line of defense is Management; the second line is the Risk Management Function (Head of Risk and Principal Risk Advisors), which supports front-line managers; and the third line is the Internal Audit Function. Risk owners are responsible for managing risk in a structured, consistent manner and maintaining a risk register for their projects, group, branch, or unit that covers all current and future activities. Risk owners will allocate control owners for each risk control. Ordinarily, these control owners will make sure the controls are put in place and maintained. They will also report to the risk owner on their controls.
Risk owners will also allocate an action owner for each risk treatment action. These action owners will make sure the treatment is implemented within the timeframe set. They will also report to the risk owner on the status of their treatment actions and flag any delays or changes in the effectiveness of actions.
All employees are responsible for identifying risks and reporting those risks to their managers. Employees are often the first to identify emerging risks, so escalating them to managers for evaluation is really important.
What are the benefits of managing risk?
Managing risk has considerable tangible and intangible benefits.
The combination of proficient risk management capabilities by all senior managers and risk owners and a proactive, structured, systematic and integrated approach to risk management will help ensure a positive risk-awareness culture that will deliver a range of benefits. These include increased likelihood of achieving short- and long-term objectives; achieving a balanced approach to risk taking in order to reduce uncertainty; better, consistent decision-making and planning; better identification of opportunities and threats; mitigating the likelihood and impact of undesirable events; proactive rather than reactive management; more effective allocation and use of resources (human, financial, intellectual); improving stakeholder confidence and trust; improving compliance with key regulatory requirements; better corporate governance; and protecting and enhancing reputation.
Lloyd Chirindo is the Enterprise Risk Manager Institute of Zimbabwe (ERMIZ) award winner for Risk Manager of the year 2022, a certified Risk Manager and a Corporate Governance expert with more than 16 years of experience. He can be reached on +263718403403 or on chirindochamoko@gmail.com