
Risk Management

Risk management is the process of evaluating and quantifying business risks in order to take the necessary measures to control or reduce them. Risk management in organizations includes the methods and processes used to manage risks and seize opportunities related to the achievement of their objectives. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. Risk management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and all other risks that a business might be exposed to.

Different organizations face different kinds of risks according to their core business, culture and external environment. Therefore, there is no one-size-fits-all approach to handling risks within an organization. However, one can argue that, for risk management to thrive in any organization, risk awareness must be embedded in the wider culture of the enterprise through easily understood behaviors. Risk management is most successful when it is explicitly linked to operational performance. The complete hierarchy, from top to bottom of the managerial pyramid, should be aligned on risk to ensure a consistent approach. Everyone in it should understand instinctively that good performance includes good risk management.

At Tesco, a global grocery and general merchandise retailer headquartered in Cheshunt, United Kingdom, customer satisfaction is the main objective and measure of operational performance. Of course, achieving such an objective is not a walk in the park. As a simple business buying and distributing goods, marketing and managing cash, Tesco's principal risks revolve around the robustness of these processes.
Any failure in the supply chain, for example, damages the business in the eyes of customers and hence puts the main business objective in peril. So any risks to its smooth operation must be identified and managed. Tesco uses valuable measures in order to overcome such risks. The most effective measure is embedding risk management in day-to-day operations, although it is rarely discussed as such. A relatively flat structure also helps. Although Tesco employs almost 470,000 people, it has only five levels of management. Tesco has a standard governance hierarchy: a top-level board of directors controlling strategy, supported by more operationally focused subsidiary boards and functional committees. There is no distinction between the UK and overseas businesses, which ensures strong consistency of processes for strategy and risk management. The complete hierarchy is well aware of key strategic objectives for five core areas: customers, community, operations, people and finance. The goals are consistent with the group's rolling five-year plan and are further divided into KPIs that connect strategy with day-to-day operations.

Such measures have the greatest effect on managing the major risks Tesco faces. Making risk management invisible by folding it into a clear and easily articulated objective, instead of a series of systems and controls that might be perceived as counter-cultural, bureaucratic measures, prevents the drain of resources. It also encourages workers to be more involved rather than skeptical about accountability. Therefore, the actual processes behind either exploiting or mitigating risks are quickly devolved to people who are much closer to those risks. The relatively flat structure is also a great asset. Since the hierarchy levels are kept to a minimum, senior management is closer to risks. That ensures the quick identification of areas where objectives are not being met so they can be addressed.

Another good example of risk management is the one employed by the Department for Culture, Media and Sport (DCMS) of the government of the United Kingdom. The government adopted a structured approach to central risk management that has become the norm in recent years. It also laid out a risk assessment framework, a standardized tool to help departments judge their risk management capabilities in areas such as leadership, strategy, people, partnerships and processes. DCMS has a broad spread of activities, including lead policy responsibility for 54 public sector bodies that fall outside its departmental accounting boundary. So its risk challenges are complex.

Its 2009 Risk Management Guide sets out a feedback loop to ensure risks are handled properly. It starts with clear objectives for the department. Then a strategic risk register is mapped onto the major objectives described in the corporate plan. Program-level and project/operational risk registers help ensure that strategic objectives are properly cascaded through the organization. The first step in the DCMS Risk Management Framework is to identify risks to those objectives, then assess them. Once identified, the risks are assessed at a departmental level using a matrix, to ensure they are not compartmentalized in individual projects or divisions. The matrix allows risks to be categorized and dealt with according to their degree of severity.

There are four elements in the risk monitoring process at DCMS: individual ownership; maintenance and updating of risk registers; internal audit/risk reviews; and the end-of-year risk self-assessment. The four elements were the cornerstones of a coherent management plan. Individual ownership means that risk should reside with those most able to act on it. Most risks end up on project or sector risk registers, close to the related operational responsibility.
Both individual ownership and risk registers encourage staff to be more involved in risk management and avoid the need for a bureaucratic layer of risk professionals. They also increase the commitment of members to work hard to implement the decisions they have made. This creates a culture where risk management is part of the organization's overall culture. Keeping the risks close to the operational departments means that risks will be better exploited or mitigated, which will surely enhance the overall performance of the organization. Of course, internal audit and the end-of-year risk self-assessment are also very important for keeping track of the risks and the progress achieved in dealing with them. The measures taken to tackle the risks can then be reviewed, modified, or even substituted altogether.

As we saw in the previous examples, good risk strategy is essential in any organization. However, sometimes, even a seemingly good strategy can go bust. There is no better case than that of the Royal Bank of Scotland (RBS). RBS had a well-staffed risk management function, which more than doubled in size to 4,250 staff in the two years to 2006, prior to the financial crisis. Group Risk Management (GRM) helped co-ordinate a three-line defense. Managers were the first line, handling risk in day-to-day operations. The second line, GRM itself, was responsible for administering a structured operational risk framework to oversee controls. Finally, internal audit ensured controls were properly applied. The group board spelled out the overall risk appetite for both financial risk and qualitative risks, such as customer satisfaction. High-level risks were assigned to a named executive, and the audit committee reviewed overall risk management processes.
The chief risk officer in the pre-crisis period was clear that risk management was a multi-faceted role, including enforcement of policies and acting as an ambassador to communicate good practice and a consistent approach across all business divisions. And the risks faced by the organization were well articulated. Six main categories of risk were clearly defined and evaluated: credit risks (including country and political risks); funding and liquidity; market risk; insurance risk; operational risks (fraud, human error, and external events); regulatory risks; and other (primarily reputation and pension fund risks).

The plan seemed like a good one. There were multiple levels of risk management to ensure the involvement of all business units. The people at RBS also understood the crucial fact that, despite being a bank, they were faced with many risks other than financial ones. Therefore, they recognized six categories of risk, including country and political risks. They also set out an overall strategy for both financial risk and qualitative risks, such as customer satisfaction, which can be easily overlooked as a risk in the banking business.

Unfortunately, the plan did not work and the bank faced major problems. It seems that an aggressive risk culture had permeated down through the organization. The CEO, whose opinions on risk management may have gone unchallenged, was a dominant figure. With key risk management committees sitting below board level, there were also questions about their level of influence over board decisions. In such a culture, influenced by hierarchical dominance, many risks can be underestimated. Bosses fail to listen to staff members who are closer to risks. The results can be devastating, since obvious risks can be easily missed due to failure in communication. Another aspect was the compartmentalization of risk: credit, market and operational risks sat in silos. It meant portfolio risks, aggregating across the silos, developed unchecked. Divisional CEOs had return-on-equity targets that perhaps encouraged them to take risks which were apparently managed within their silo, but not so clearly at group level. The compartmentalization surely works against the benefits of a structure designed to cascade risk management down through different divisions.
Risks that are not evaluated at a group level represent a major threat to the whole group, a ticking bomb that can go off any second and anywhere across the group. Indeed, group decisions help to avoid tunnel vision and consideration of only limited options.

It can be deduced from the above cases that risk management is a very subjective issue. The approaches that can be used are numerous and they vary from one organization to the other. Tesco started its risk management planning by recognizing its core mission, which is customer satisfaction. The company's risk management plan revolved around protecting and enhancing that mission, although one can argue that such an approach focuses on a narrow measure and that many external or concealed risks can be easily overlooked in that sense. However, for a simple business of buying and distributing goods, the plan seems to be working fine. Tesco managed to reinforce the plan through a stress-free implementation. The managers succeeded in embedding risk management in day-to-day operations, making the staff more involved and task oriented. The semi-flat hierarchy ensured the rapid discovery of concealed risks that might threaten the core mission of the organization.

DCMS used another approach, which seems to be working as well. Being a governmental department, DCMS is obliged to follow certain guidelines set out by the government. Also, since DCMS is responsible for 54 public sector bodies, the risks faced by DCMS are more complex than those faced by Tesco. Having to tackle such obstacles, the first step in the DCMS risk management plan was to identify risks to all the objectives of the department. A response appropriate to each risk was formulated, then reviewed, helping to clarify objectives and mitigate or exploit the risk in question.
Indeed, one can honestly say that people at DCMS realized that dealing with so many different bodies means that the department could be faced with a horrific number of risks, ranging from environmental risks to even new-project and policy risks. Monitoring of the DCMS risk management plan was successfully implemented through the four elements discussed above (individual ownership, maintenance and updating of risk registers, internal audit/risk reviews, and the end-of-year risk self-assessment).

The four elements work in a full loop, ensuring involvement of employees, excellent tracking of risks, and constant revision of the measures implemented.

On the other hand, RBS used an approach that looked like a very coherent one: a three-line defense and six main categories of risk. Unfortunately, managers at RBS failed to implement the good plan. The hierarchical dominance and compartmentalization of risks led to a failure in communication between different levels of the management hierarchy. Eventually, the group failed to identify not only the concealed risks, but also the knowable risks.

Although the three cases discussed above use three different approaches to risk management, there is a common factor that contributes deeply to either the success or failure of the approaches used: embedding risk management in the wider culture of the organization. Risk management proves to be successful when easy measures are invisibly blended into the organization's culture. The results are tremendous: people become more involved; risks are handled by those who are closer to them and more capable of handling them; and even the most concealed risks are easily identified. Likewise, failing to embed risk management in the organization's culture can lead to horrific outcomes. Risk management is vital for the achievement of organizational objectives. Therefore, it must be carefully assessed and implemented.
