Risk Management or Bust!
Since the Global Financial Crisis (GFC) in 2008, there has been an exponentially increasing need and push for organisations to significantly improve their risk management capacity and capability, in particular learning from the GFC failures and weaknesses.
Markets, stakeholders and regulatory supervisors are focused on analysing how organisations manage and mitigate operational and enterprise risks. There is also increased attention on understanding the scope of reliance on quantitative risk management and limitations arising from complex structures, models, input data and assumptions.
As a result, governance, risk and compliance (GRC) management functions can no longer simply be aligned with best practice through an isolated (and often detached) team, but instead require that the risk appetite, tolerances, policies and processes be established and set at the Executive level, taking into account client, governmental and regulatory expectations.
Managing operational and enterprise risk has become central to running a world class (and global) business. For these organisations, risk management has become “normality”, and any failure carries significant regulatory, financial and reputational consequences.
Risk is defined by ISO 31000 as “the risk of loss resulting from inadequate or failed internal process, people or systems or from external events”. It is inherent in all organisational activities and effective risk management has always been a known element of a service provider’s management program, if not always strictly followed.
Risk management is now, more firmly than ever, the responsibility of managers to ensure their organisations’ Directors and Executive put in place sound processes to manage the risk of the business’s portfolio of service lines, products, activities, processes and systems. A combination of diagnostic controls (measuring critical variables) and an interactive reporting framework (linked to strategic uncertainties) provides an integrated risk management framework covering the “three lines of risk defence”.
As a case in point, the Australian Prudential Regulation Authority (APRA) has recently published guidance that risk needs to be managed and mitigated through internal control mechanisms, using an effective model valuation process that evaluates conceptual soundness, continuous monitoring and outcomes analysis. This framework requires sound governance with stakeholder buy-in and contribution, including objective and informed “effective challenge” of model limitations and assumptions to produce appropriate change.
Strong quantitative measurement is an essential starting point to fully understanding risk, but there is a greater need to set an ethos within the organisation that dictates the risk management tone at senior management and board level and is then cascaded down through the various layers of management to the front line.
Audit, compliance and technology solutions should all play important roles alongside the risk management function. The degree of formality and how the three lines of risk defence are implemented may vary depending on the organisation’s business strategy, complexity and the risk profile of its activities. However, in all cases, an organisation’s risk governance function should be fully integrated into its overall risk management structure.
Risk management is continually evolving alongside business and regulatory environments, and management should ensure its policies, processes and systems are continually reinforced and sufficiently robust to manage the complexities of constant change.
Focussing on addressing the effectiveness of your risk models, adopting methodologies such as the three lines of defence model, and updating and investing in risk technology are three areas to investigate as you look to evolve your risk management program in 2015 and beyond.
What is your organisation doing to manage risk in an environment of uncertainty and change?