A glimpse into the art of managing risk

Roberto C. Bassig, Consulting Partner, PwC Philippines, April 2019

The importance of managing various business risks effectively is widely acknowledged and accepted by business leaders. However, one of the most common questions I get as a consultant from executives and business owners relates to the journey of formalizing the processes related to risk management. While most have an idea of the concept of Enterprise Risk Management or ERM, most of the time they are also unsure whether it is a painstaking and resource-hungry initiative that would lead them nowhere.

To enlighten these business leaders, one would first point them to a standard definition of risk management, such as the one from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, one of the authorities on ERM: “The culture, capabilities and practices, integrated with strategy setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value”.

Having a readily available, standard definition is very helpful in bringing everyone on the same page. Unfortunately, there is a tendency for most people to limit ERM to its common definition, when in reality it has so much more to offer.

Make no mistake, though: the definition of ERM is an excellent one. But, in attempts by ERM practitioners to standardize risk management, some of the intricacies that explain what makes risk management important got lost. Ironically, having structured guidance on risk management has also led to the misconception, particularly among budding organizations, that risk management is “very difficult and costly to implement”.

In my view, beyond resource constraints, it is actually this “loss in translation” that’s causing most organizations to overlook the importance of ERM. In fact, other oversight functions such as corporate governance and audit also suffer from this. Along with risk management, they are sometimes treated as mere “secondary functions” – or good-to-haves in some organizations. This has prevented organizations from harnessing the benefits of having appropriately structured ERM and oversight systems in place.

To start the conversation on the ERM journey in any organization, let me share my two important views:

Important, yet overlooked role in strategy and operations


In most large organizations, the responsibility for risk management lies with select groups of individuals collectively known as the board risk oversight committee and the risk management department. While these groups are indeed involved in ERM, their role is mainly to oversee and ensure risks are appropriately being identified, monitored, managed, etc. In reality though, the ones directly responsible for managing risks are the operational units themselves or those who have a more thorough understanding of the risks surrounding day-to-day operations.

Furthermore, the process of managing risk should not begin with the execution of business plans. It should start earlier – during strategy formulation. In crafting the strategy, the risks that may prevent it from being implemented need to be considered. The correct tactics and mechanisms to address these risks must also be identified early on to ensure the success of the strategy.

Think of it this way – when you start the process of building a house, you begin by identifying the materials (strategy components) that you want. As you look at the available options, you debate the pros and cons of using each material (risk identification), carefully considering how they would help build a sturdy house (risk assessment). You also try to determine which areas of the house will be more prone to damage, reworking the design (risk mitigation) as needed. This ensures that the house can be used (operated) for its intended purpose (strategy) and will be durable and long-lasting – one that would require infrequent and less costly maintenance in the long run (continuing risk management efforts).

Applies to all businesses, regardless of size and industry

It is never too late or early to start doing ERM—organizations need to find the right ERM approach that suits them. As an example, small and medium-sized enterprises (SMEs) can take baby steps. They don’t need to go for a sophisticated implementation right off the bat. Given the owner’s active hand in day-to-day management and awareness of what’s happening on the ground, ERM can be as basic as keeping and maintaining a risk-conscious mindset. For instance, the owner thinks of what could go wrong and what to do if a major customer goes out of business, or if a warehouse for raw materials becomes inaccessible for a long time due to natural calamities.

For SMEs that have somewhat started their ERM journey and are looking to expand their market reach through public listing, this would be a good time to revisit their current ERM practices, since SMEs’ growth can be exponential after the listing. A sound and “refreshed” ERM for the newly listed company will help identify and prepare for future problems that might be brought by the abrupt increase in business activities. For example, ERM may identify risks related to technology and processes, e.g., manual spreadsheets may no longer be adequate to support the growth trajectory of the newly listed business. Another example would be risks related to the information and analysis the company needs to make sound decisions. In the above scenarios, a practical and well-thought-out ERM process comes in handy.

Needless to say, ERM supports the greater demand of existing and new investors, regulators, and other stakeholders for transparency and reliability of information. A working ERM framework strengthens the credibility of the reports and disclosures prepared by these companies. This would, in the longer term, fuel further growth by boosting market and investor confidence. No wonder regulators around the world encourage and support listed companies in adopting ERM practices.

The fact is, risk management is part of everyday life. With risks all around us comes the natural consequence of having to manage them well.

I hope you found the glimpse into the art of managing risk to be interesting and something you can use to kick-start or reinvigorate the ERM within your organization.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
