Risk Management in an Organization

This is Part 4 of my blog series: The Art & Science of Risk Management

Photo courtesy of Google

In the first 3 parts of my blog series, we’ve looked at risk management in the context of our daily lives. We will now study risk management in the context of business. I would like to point out though that, regardless of context, risk management will always be risk management – whether in life or business, it’s about balancing art and science. In business it is also about balancing people and processes which is essentially what the business is made up of.

The are many reasons why risk management is necessary in an organization. For one, it ensures that the company stays alive. Risk management enables us to foresee and act against most, not all, catastrophes (by ‘not all’ we mean black swans). Moreover, if the company stays alive then so do people’s jobs. Risk management also reduces earnings volatility i.e. as we protect our business against risks that impact the bottom line, there will naturally be less unexpected shocks to the bottom line. Risk management can also maximize shareholder value by solidifying the link between risk and reward. That is, we cannot find an optimal return if we are not fully aware of the risks, as indicated in the graphs below. A point to note is that there is no exact optimal return i.e. the optimal return lies within a zone (zone 2). It is within zone 2 that we need to decide our risk appetite; in other words, does the company choose risks that are closer to zone 1 or 3?

Photo courtesy of James Lam

An organization will not be sustainable in the long term if it cannot manage its risks correctly. The only alternative to risk management is crisis management – and crisis management is much more expensive to the business. Failing to manage crisis correctly will mean the demise of the business. To avoid or mitigate these difficult situations, we must learn the lessons of the past. Businesses fail all the time, including those we thought couldn’t. Although their failure can bring about great tragedies, there is also a great deal of knowledge that can be gained from them. Below I provide some insights (not my own of course, but from one – James Lam - who has taken the time to study major businesses that failed to manage their risks properly):

Note how some of these relate to the way we should manage risk in our daily lives, discussed in this post)

1. Know our business. While it is critical for managers with responsibility for oversight and approval to know their businesses, it is also important for all employees to understand how their individual accountabilities could affect the risks of the organization, and how their functions and responsibilities relate to others within the company. This will enable the integrated thinking with regard to risk in the organization (more of that in the next post).
2. Establish checks and balances. A prerequisite of effective risk management is that there should be a system of checks and balances to prevent any given individual or group of individuals from gaining excessive power to take risks on behalf of an organization. Having proper governance structures in place will ensure this.
3. Set limits and boundaries. Companies should establish a “statement of risk appetite” that provides explicit risk limits and tolerance levels of critical risks. Apart from this, we may also find limits and boundaries in the standards and policies of the business. We need to know our limits and tolerances, it would otherwise be like being in the driver seat of a racing car with no brakes.
4. Keep one eye on the cash. It is important to make sure that there are appropriate safeguards for managing cash positions and cash flows. These include basic controls, such as authorised signatures to initiate, approve and make cash transfers. They also include the development of internal processes to measure, monitor, reconcile and document cash transactions and positions. Actual cash flows and positions can also provide management with valuable reasonableness checks against the company’s trading systems and profitability models.
5. Use the right yardstick. Targets must line up correctly with our expectations. We need to also constantly re-evaluate our expectations to ensure that they remain realistic. We otherwise risk setting targets that are too weak or too aggressive. Naturally, because the organization behaves with respect to management’s or shareholder’s expectations, the yardstick must be accurate.
6. Pay for the performance we want. Compensation and incentives need to be linked to the performance we want. It is a fact that performance is directly linked to compensation and incentives. History also tells us that businesses with weak processes but good people tend to survive while those businesses with good processes but weak people tend to fail. We are not only speaking of increasing the remuneration so that employees perform better, more importantly, we are speaking of setting the right performance targets. Compensation and incentives linked to performance alone may lead to risky behaviour (because we know performance and risk are proportional), hence linking compensation and incentives with risk-adjusted performance may be more appropriate.
7. Promote the soft side. The hard side of risk management is concerned with policies, procedures, assessments, estimations, systems, models, etc. Traditionally, companies focus solely on this aspect of risk management. However, the soft side is equally important i.e. setting the tone from the top by ensuring management’s commitment, encourage honest and transparent risk communication, creating risk management incentives.

Next up – Enterprise Risk Management
Your Risk Connoisseur
J-MLN