STEVE MUNCEY, senior partner at KPMG East Anglia, offers a three-step guide to managing risk, whether operational, cost, fraud or regulation

OVER the last 18 months, we have seen an unprecedented focus on risk and governance in the aftermath of the financial crisis and the uncertainty it has created as we move through a recessionary period.

Many organisations have put in place enterprise risk management processes and frameworks to improve their risk visibility and reduce unwanted shocks. However, most have taken only preliminary steps which have delivered little more than compliance, improved risk reporting and awareness.

There are, in my view, three key practical areas that continue to be at the centre of the current risk debate.

Firstly, many have lost sight of the purpose of risk management and without purpose there can be no imperative. Without imperative, businesses will never engender a risk culture that supports the effective delivery of their risk management objectives.

The basics of risk management start with clarity of how much risk companies are prepared to take in pursuit of their goals, but how many have debated this with the board, clearly defined a risk appetite statement, and communicated this across the business?

Secondly, there has been much talk about whether executive teams and board members are properly engaged in a genuine debate about key risks and risk management.

Questions remain over whether the board has sufficient time, information and skills to get under the surface of the key risks it faces, and whether the risk management functional role is too removed from key strategic discussions to add any real value.

In my view, there is a need for a suitably experienced Risk Executive, charged with leading efforts to repair, restore and revitalise the risk management investment. They should be capable of challenging strategic direction, forcing debate on emerging risks and asking searching “risk return” questions of key investment choices.

Lastly, identifying and understanding risk is the most important part of the risk management investment. If the right risks aren't put on the table and companies don't understand how these risks may play out, then they will fail at the first hurdle. An annual workshop and traffic light report, followed by board sign-off, falls short of the mark.

Businesses must remember that delivery of a risk profile is not the end game; it is just the start. They must do more to understand risk, its likelihood and its impact, stress-test their thinking, and employ more advanced quantification analysis on those risks that are not understood well enough to justify further mitigation investment.

The financial services sector gambled with bigger stakes and for bigger rewards and some clearly got it wrong. Although the stakes may be lower, improving risk management is a business imperative for all of us in the hunt for sustainable business success.