Risk Management Functions
Using various questionnaires and interviews, Company 5 was assessed against this scale and found to be at Level 1 – the ad hoc level. That was because the company operated in different countries as separate silos. There was no connection between departments when it came to managing risk. The plan was to take them to a more optimized level of risk maturity with better integration, communication, synergy, and collaboration between departments.
The next step was to visualize the risk management framework. The RM team decided that the best approach would be to link KRIs to risks, risks to processes, processes to department/functions, departments to countries, countries to core businesses, and eventually core businesses to the larger group.
The RM team then met with the respective Board to determine Company 5’s appetite for various risks, including strategic risks, liquidity risks, credit risks, operational risks, financial risks, and market risks. A color-coded table was developed to represent the company’s risk appetite level or willingness to tolerate a particular risk. For instance, in the Risk Appetite Table below, short-term strategic risk is color-coded green, which indicates that the company is willing to accept this risk. However, long-term strategic risk is colored red, which means that the company will want to avoid or mitigate this risk.
Capital risk and short-term liquidity risk are both green. At first glance, that might not make sense – why would the Board be willing to risk their capital? But the fact is that the Board did not invest a significant amount of money in Company 5. They used their reputation to establish the company. That is why capital risk is green, but reputation risk is red.
Going further down the table, the company has a moderate appetite for customer concentration risk (yellow). Yet they are inclined to avoid exposure to supplier concentration risk (red), i.e., they don’t want to depend only on one or two suppliers.
Risk Appetite Table
The group structure diagram below demonstrates how the Company designed their initial risk management project. Out of their six businesses, Company 5 with a branch located in China was chosen for the initial project. This company has several processes, including payables, receivables, cash management, and fixed asset management. Each process has several risks, and each risk has several KRIs. For instance, the receivables process has 5 risks. Risk 2, specifically, has three KRIs defined.
Risk Management Framework
So, at the board level of the core business (Company 5), the risk appetite was defined, and then had to permeate down to the bottom. At the same time, risk information – all the way down from the KRI level of a particular risk and process – had to be rolled up from the bottom to the top. This way, the company’s vision of a top-down and bottom-up approach could be realized.
Company 5 then designed risk management policies and procedures, an example of which can be seen in the following diagram.
Liquidity Risk Policies & Procedures
At this stage, Company 5 in China implemented a risk management system/software to manage and monitor all the processes that were discussed in phases 1 and 2. They also uploaded their KRIs into the system for reporting, along with expected, critical, and non-critical KRI values.
The receivables process, for instance, has three KRIs – percentage of deviation from the sales target (percent value), value of cash in the bank (dollar value), and receivables turnover (ratio). With respect to the first KRI in the KRI thresholds chart, a 10% deviation from the sales target would be expected. But a 20% deviation would be critical and reportable (rising monitoring trend).
Similarly, the value of cash in the bank was expected to be $250,000. If it rose to $500,000, it would become critical because the surfeit of cash would need to be utilized. If it dropped to $150,000, it again would become critical because then the company would not have enough money to run their operations (both monitoring trend).
Risk assessments were the key focus of the implementation phase. The 5 risks in the receivables process were assessed, rated, and plotted on a risk heat map, as seen below. Therefore, at a glance, stakeholders could study each risk in terms of its impact (incidental, minor, moderate, major, and catastrophic) and likelihood (rare, unlikely, possible, likely, almost certain to occur).
Risk Heat Map
Based on the risk score, the management team could decide how they wanted to respond. Take, for example, the risk of lack of segregation of duties in the receivables function, as mentioned in the Risk Ranking table above. After being assessed, the risk is ranked 8 (Impact + Likelihood). Based on the risk heat map, this risk seems to be major in terms of impact, and likely to occur. Therefore, the management would choose to avoid the risk. Similarly, the risk of “inefficient collectability to the receivables” is ranked 6, i.e., there is a possibility that the risk can occur and have a moderate impact. So, the management’s response would be to reduce this risk.
After establishing risk assessment and response strategies, the company updated their KRIs with the actual values (vs. expected values) for each quarter (Q4 2012 – Q1 2014). In the table below, for Q4 2012, the actual percentage of deviation from the sales target was 30% vs. the expected deviation of 10%. By Q1 2014, when the expected deviation was 10%, the actual deviation was 25%.
In this way, the company calculates various KRI thresholds, comparing actual against expected values. All this data is uploaded into the risk management system.
KRIs: Actual values vs. expected values
Once the KRIs were defined, the RM team conducted a training workshop to ensure that everyone – right from the board level to the administrative personnel – understood their risk management responsibilities, and would be fully engaged in the process (hence, enhancing the risk culture awareness). They also performed evaluations to determine if the risk management implementation was effective and efficient.
The company developed risk reporting templates at various levels of the organization – board level, management level, and employee level (they all received a portion of the risk reporting package). They also updated risk appetites, thresholds, assessments, and response plans. Continuous risk reporting and monitoring was facilitated, as were regular evaluations of the risk management processes. The risk reporting package is composed of two levels – the risk level and the KRI level.
All relevant KRIs were plotted on risk reports to identify key issues and concerns. For instance, in the graph below, two reportable issues were identified. The first was in Q4 2012 and the second was in Q1 2014, where the percentage of deviation from the expected sales target was 30% and 25% respectively, both above the critical maximum thresholds.
Reportable issues Risk-Reporting
Having identified these concern areas, the management team could proactively take steps to deal with the issues, and mitigate the risk of them recurring.
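The KRI threshold check described above (rising and both-direction monitoring trends, and the two reportable quarters) can be sketched as follows. This is an added example, not code from the company's risk management system; the class, function and status names are assumptions, and one sample quarter is constructed to show a non-breaching value.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KRI:
    name: str
    expected: float
    trend: str                      # "rising", "falling" or "both" (assumed labels)
    critical_max: Optional[float] = None
    critical_min: Optional[float] = None

    def __post_init__(self):
        # A trend without its matching bound would silently never alert.
        if self.trend not in ("rising", "falling", "both"):
            raise ValueError(f"{self.name}: unknown trend {self.trend!r}")
        if self.trend in ("rising", "both") and self.critical_max is None:
            raise ValueError(f"{self.name}: {self.trend} trend needs critical_max")
        if self.trend in ("falling", "both") and self.critical_min is None:
            raise ValueError(f"{self.name}: {self.trend} trend needs critical_min")

    def status(self, actual: float) -> str:
        # Reaching a threshold already counts as critical (a 20% deviation is critical).
        if self.trend != "falling" and actual >= self.critical_max:
            return "critical-high"
        if self.trend != "rising" and actual <= self.critical_min:
            return "critical-low"
        return "within-threshold"


def reportable_issues(kri, actuals):
    """Return (period, actual, status) for every period that breaches a threshold."""
    return [(period, value, kri.status(value))
            for period, value in actuals.items()
            if kri.status(value) != "within-threshold"]


# Thresholds as stated in the text for two of the receivables KRIs.
SALES_DEVIATION = KRI("Deviation from sales target (%)", expected=10,
                      trend="rising", critical_max=20)
CASH_IN_BANK = KRI("Cash in bank ($)", expected=250_000, trend="both",
                   critical_max=500_000, critical_min=150_000)

# Q4 2012 and Q1 2014 actuals come from the text; the 12% entry is constructed.
SALES_ACTUALS = {"Q4 2012": 30, "Q2 2013 (constructed)": 12, "Q1 2014": 25}

if __name__ == "__main__":
    for issue in reportable_issues(SALES_DEVIATION, SALES_ACTUALS):
        print(issue)
    print(CASH_IN_BANK.status(140_000), CASH_IN_BANK.status(300_000))
```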
Implementing a Risk Management Software Solution
From the beginning of their project, the Company realized the need for a strong software solution to enable and support their new risk management processes. Given the company’s size, scale, and diversity, it would be impractical, inefficient, and ineffective to use manual spreadsheet-based processes or Word documents to assess, manage, and report risks.
In the search for a robust risk management solution, the company conducted extensive due diligence processes and interviews across several vendors for a few months. Eventually, they chose MetricStream as the best suited solution provider for their risk management requirements.
Today, MetricStream’s comprehensive solution helps the company document and manage their risk appetite, as well as their risk threshold/tolerance levels. The solution is used to manage the complete risk lifecycle, ranging from risk identification and assessment to risk analysis, monitoring, and mitigation. All risks, KRIs, and other relevant data are uploaded and maintained in a centralized library for easy access. Powerful dashboards, risk heat maps, and reports provide key risk insights to executives and other shareholders, enabling them to make informed decisions.
The Company has a 3-year strategic plan to deploy the same example provided herein (Initial project) on all its operations and investments in different core businesses and countries.