Creating A Successful Risk Management Culture
Claire Spencer, March 2009
For too many companies, it is generally the case that risk management is of most concern when things start going wrong. While it is true that the financial crisis has made the need for effective risk management strategies increasingly acute, such measures are not only for rainy days. “The big question is whether the financial crisis will create a permanent change in the way companies manage risk,” says Prakash Shimpi, a principal and an ERM Practice Leader at Towers Perrin. “It would be a real shame to lapse into old habits once the financial crisis subsides.”
Indeed, it is now much harder to create a strategy that encompasses all the risks that companies are likely to face in today’s global market. It is even harder to achieve this if the company is already distressed. Relatively healthy companies should act now to develop a risk management framework that will allow them to survive the downturn – and to prepare for the next one.
Executives are more alert than ever to the importance of risk management, and its successful implementation throughout their businesses.
With the financial crisis never too far from anyone’s mind, it is desirable to mitigate the many risks it creates. “Last year, I spoke with a group of risk managers who all noted that their departments were some of the few in their organisations that were not just spared from budget cuts, but were also getting more staff,” recalls Bill Coffin, the director of publications at the Risk and Insurance Management Society, Inc. (RIMS). “That says quite a lot about the mainstream executive acceptance of risk management.” Risk managers thrive when times are hard, as crises give them plenty of opportunities to implement their strategies, perhaps completely changing the way in which companies manage their risk profiles.
Perfecting the ERM framework
The use of enterprise risk management (ERM) frameworks may be on the rise, but it is still the case that most companies do not have a true risk culture that makes effective ERM possible. Specific areas of deficiency include financial risk, with particular focus on portfolio risks. Executive liability will become more important as the number of shareholder class action lawsuits in the pipeline increases. There is also the potentially more pressing area of operational risk, with several companies failing to even identify what operational risk is. “Operational risk is clearly overlooked or misunderstood by many companies to mean operations risks, such as day-to-day processing errors,” says Mr Shimpi. “Operational risk is driven in large part by catastrophic failures in management, such as unauthorised activities, for example rogue traders, or excessive risk taking. The current financial crisis is, at heart, a failure of operational risk management.”
When American International Group (AIG) began to reveal the extent of its distress last year, its former chairman Maurice Greenberg placed the blame squarely on the shoulders of internal risk management. In a statement for the House Committee on Oversight and Government Reform, he said that “reports indicate that the risk controls my team and I put in place were weakened or eliminated after my retirement.” He particularly faulted his successors Martin Sullivan and Robert Willumstad for failing to exercise proper oversight of AIG's London-based AIG Financial Products division, whose $500bn portfolio of credit default swaps was arguably at the root of the company’s troubles.
This is not to suggest, however, that day-to-day risks are not equally important. “We should not let these things distract us from other risks that are not going away and that still need to be addressed on a daily basis,” asserts Mr Coffin. “Contingent business interruption, product liability, environmental risk, information security, worker safety and health, insurance procurement, captive management, risk financing, accounting transparency, none of these can be left alone, regardless of how many headlines other risks might be getting at the moment.” This sort of risk can only be fully addressed if it is communicated throughout the organisation, with each employee understanding their impact on risk taking, their responsibility for acting within acceptable limits, and their ultimate accountability. Conversely, it will not work if left exclusively to the treasurer or risk manager, for example.
This is clearly the basis of the problems that companies have had with ERM frameworks. Indeed, ERM frameworks are relatively commonplace; the majority of the now troubled financial institutions on Wall Street technically have them. However, a framework can accomplish nothing if it can be ignored or suppressed. “Looking at the banking sector, it is easy, but quite wrong, to conclude that ERM was a failure,” says Mr Shimpi. “Even within the sector, banks such as Goldman Sachs had an effective ERM framework that enabled them to escape the worst of the carnage on Wall Street. A better example still is the insurance sector, where a more rigorous ERM approach has protected all but a handful of companies from the worst of the crisis.”
Ultimately, it is the firms that need to change in order to engage realistically with their risk profile. Executives and management need a new perspective on risk. It is an important element of an overall business strategy that should inform everything they do. Furthermore, it requires an in-depth knowledge of the financial and human resources that the company uses, or will use, to manage the risk profile. It is not a bureaucratic box-ticking exercise. As such, those firms that have yet to implement a risk management strategy need to start now.