Professional Documents
Culture Documents
of risk management
The risks
of risk management
Imagine you are an audit or risk committee member and it’s that There are many symptoms of poor
time again. The committee agenda says something like ‘Review risk management, but common
themes seem to be:
of top 12 risks’. Dutifully you and the other committee members
run down the list, discussing, asking probing questions, getting / A focus on risks, with little or no
updates from management. linkage to desired outcomes,
business objectives or strategy
You look around the table and everyone seems engaged. But you can’t help feeling the / No measurable improvement
whole thing is something of a waste of time. The trouble is, the same process is used by in business performance
your other boards, so this must be how it’s done... despite a significant investment
(money, time and effort) in risk
This paper sets out Halex Consulting’s thinking on risk management. We help boards management
and audit/risk committees see through the fog of traditional risk management
approaches and ensure appropriate focus on what the business is trying to achieve, and / Risk and control processes that
what might prevent its achievement. seem to be an end in themselves,
being somehow divorced from
the routine operation of the
business
Sound familiar?
A new approach
to risk management
Let’s start with the basics. The purpose of risk management is not to
manage risks per se. The purpose of risk management is actually to help
Moving the focus away
the business achieve its strategic business objectives. from risks and on to
Therefore, having clarity of strategic objectives is a pre-requisite business objectives (or
for effective risk management. key goals) is also a more
We suggest categories for: natural and engaging
• strategic aims • legal & regulatory compliance way to consider risks.
• operational efficiency & resilience • ESG
• financial performance & reporting • continued viability
• conduct & culture
Moving the focus away from risks and on to business objectives (or key
goals) is also a more natural and engaging way to consider risks. In effect,
it puts risks in the context of reward and focuses senior management and
Board attention on the things the organisation is trying to achieve, and what
they need to do to increase the certainty these things will be achieved. It
should also lead to a more forward-looking mind set, increased focus on
priorities and greater responsiveness to unexpected events.
Risk appetite and
conflicting priorities
Fortunately, this approach also helps deal with the knotty problem of risk appetite
(an organisation’s willingness to take on risk). If truth be told, many organisations
There will never
struggle to get to grips with risk appetite in any meaningful way. Even in risk- be a simple
mature businesses it can remain a largely esoteric concept.
answer to the
Far better, and more meaningful, is to consider risks in the context of what you,
as a business, are trying to achieve. For example, it is easier to assess whether you
question of
are taking on too much risk (or perhaps not enough risk) when you consider those competing
risks in the context of the objective you are trying to achieve. If the objective is very
important (such as compliance with law & regulation), you might decide that you priorities, but
can’t take any significant risks that might undermine its achievement. Therefore, on
a cost versus benefit basis, it’s worth spending more money on controls to mitigate
presenting the
the risk. Board and senior
Counter-intuitively, the opposite might also be true. For example, you may have
management with
an important objective, such as entering a new market, which requires you to take objective-based
more inherent (gross) risk in order to achieve it – although even in this case it is
likely that the organisation will want to minimise residual (net) risk to increase the risk information
chances of a successful outcome.
should facilitate a
Setting risk appetite by objective (or category of objectives) provides the Board good discussion.
and senior management with the necessary context to make well-informed risk
decisions. Standard risk appetite statements don’t help with this thinking. Putting
risks in the context of what you are trying to achieve does.