6 Steps to Implement Risk Management
Are you just starting to implement risk management or enterprise-wide risk management? The following six steps will get the basics in place for minimal cost and maximum benefit.
Step One: Do risk management for the right reasons. In order to establish an effective risk management system, it is critical for the CEO to provide and receive consistent support from the board and the senior management team. Clear messaging from the CEO is needed at all times (whether initially convinced or not); otherwise, the key elements of trust and sharing will be seriously undermined. A good risk management process requires creativity and honesty if the CEO is going to get the best return.
A qualified or certified risk manager will help the CEO think through some of the important issues that might make the company go bust. They will be a helpful additional channel of information through the organization and will help get validation with the senior management team. Perhaps most importantly, they will help you, the CEO, think through how and where resources will be allocated to the biggest problems the company faces. If the CEO is only doing risk management because the board or regulator directs it, then don’t spend too much energy on steps two to six, as the benefits will be marginal in any event.
Step Two: Pick a committed risk manager. This could be the CEO or a key team member. The following examples are commonplace in Asia, but there are other options: CFO, General Counsel, COO, head of compliance or internal audit. For larger organisations it makes sense to promote internally or make an external hire as head of risk management. Another increasingly popular option in Australia, and one spreading across the region, is to use outsourced risk management services. For organisations that have a strong insurance management function, it’s also a good potential option to give the head of that team the role. Many Treasury teams in Asia end up running risk and insurance management either directly or with third-party support.
Risk management is not a job that demands or supports a large dedicated team. Usually in Asia there is a team of one or two. Even in the largest conglomerates it is unusual to see a team of three or more in the non-financial sector. In the financial sector many of the team with risk management in their job titles are really carrying out compliance duties. The compliance function is of course important but is not really core risk management.
Step Three: Get a structure or framework in place. Build a risk management system: choose ISO 31000, produce a policy and simple, user-friendly procedures, and set some parameters, preferably around severity and likelihood, that have meaning at a corporate level. There are some templates in the appendices that can be used for all these tasks for companies of all sizes. On the resource side, help the risk manager appoint part-time ‘risk coordinators’ from every subsidiary or department. Decide on a cycle for the collection of subsidiary, departmental and other component risk registers. Then support the cycle of data collection. Don’t reinvent the wheel. Every company is already doing risk management in some form or other. The structure should be designed to capture and process that information formally and complement the existing processes and systems. Creating additional bureaucracy unnecessarily is not part of the risk management process.
Step Four: Obtain value from the exercise. Give the risk manager some help to prioritize. Combining disparate data sets from various teams can be more of an art than a science. It can be very difficult and often futile to allocate a financial value to all the risks facing the business. Initial attempts at prioritization are sometimes only partially successful or perhaps play too safe. Set aside some time for genuine brainstorming with the management team and collating the top six to sixteen corporate killers for the organisation. Work through the list with the risk manager and the management team and prioritize the biggest worries to the top. Allocate risk owners and critical dates for progress on controls. Don’t make it too complex at this level and be prepared to allocate resources to fix the top risks. Otherwise, what was the point?
Step Five: Engage your Audit Committee. Share the output of the exercise in summary with the Audit Committee. (It is not vital or even necessary to have a separate board Risk Committee in most jurisdictions.) Get their input and advice. They may have some very useful insights.
Step Six: Repeat, Refresh, Improve, Change. Keep supporting the cycle and the process. Encourage and embrace change. Risks will drift up and down the register as efforts to manage them and external factors vary. Embrace the change and use it to keep things fresh. It’s easy to allow the register to become stagnant and irrelevant. Consider how best to use this as a tool in the CEO’s toolbox. The output can be a great way to improve risk awareness and reporting across the whole organization. But it can also be valuable for so much more, not least to test proposed changes in strategy and to keep key teams on the ball considering potential alternative and unfavorable outcomes. Using the above tools and techniques, it’s easy to get going. But embedding risk management thoroughly in the organization is a longer-term task.
There is a lot of debate about the use and relevance of risk registers. It is very difficult to produce an accurate and meaningful risk register that prioritizes all risks effectively. So don’t spend too much time on this. The risk register should be a thinking tool. It is the means to an end, not the end itself. Next time, we will consider how to make risk management effective.
Transformational Nonconformist-It is time to Think Differently about Risk. "It didn’t take guts to follow the crowd, that courage and intelligence lay in being willing to be different" Jackie Robinson
1 year ago: I have a different view. https://www.dhirubhai.net/pulse/future-here-horst-simon-risk-culture-builder/