Assessing your risk appetite is an iterative and not a linear process. The evolving business landscape poses previously unimagined risks, and an ERM or integrated risk management process must be designed in order to capture risks proactively and assess their impact on your business.
When GRC practitioners and consultants come together, it is not surprising to hear a few thought-provoking perspectives arise on how organizations can manage the risks that keep pouring in from a business world that is constantly evolving and disrupting.
During the GRC Summit 2016, Anthony Bria, Director at MetricStream, had one such conversation with professionals from Uniper Global Commodities, KPMG, Umpqua Bank, First Data Corp, and AFERM, who shared their views on how you can build a successful Enterprise Risk Management program.
Aligning Risk Appetite and Risk Tolerances to Risk Management
The first thing that you need to take into consideration is your organization’s risk appetite. Quoting Warren Buffett, “Risk comes from knowing what you are doing”, Edmund Green, Managing Director at KPMG, argued that a lack of clear understanding of risks will threaten your organization’s ability to achieve its strategic goals. Defining your risk appetite is critical.
An organization’s risk appetite is a boundary defined by policies and procedures, and Guillermo Cisneros, SVP at First Data Corp, added that when those boundaries are breached, alerts must be triggered. Aretina Trepcyz, VP and ER Manager at Umpqua Bank, went one step further by saying that, as a best practice, you need to create a risk appetite statement that details all the risks faced by your organization, including qualitative measures and KPIs indicating thresholds.
These measures would not only outline the risks but also specify their response processes and their corresponding mitigation measures, and they are significant when strengthening your ERM program. However, steps should be taken to ensure that this process is continuous and collaborative, scrutinizing the impact of the risk management processes on business goals. Thomas Stanton, Former President at AFERM, however, lamented the lack of a clearly defined risk appetite in the government sector, which is too cautious to take even qualified risks. He felt that a reward program for risk takers could bring in some positive action.
On the flip side of the discussion, Green pointed out, “the bar can be raised on your organization’s risk threshold in pursuit of aggressive growth, provided you continuously assess your risk appetite and recognize the headroom it may develop.” Risk, after all, is also an opportunity that can be cashed in on if there is proper collaboration both internally within different functions of the organization and externally with the industry, regulators, and even the government.
Balancing Risk Appetite with Long and Short Term Goals
Assessing your risk appetite is an iterative and not a linear process. Given the changing business environment, replete with stricter regulations, tougher competition, and wider applicability of globalization, the millennial business culture has blurred the lines between long and short term risk appetite goals. However, the best approach is to maintain a balance between these goals in order to develop an ERM program that maintains the long term sustainability of your organization while outlining the qualified risks in the short term, felt Peter O’Neil, CFO and CRO at Uniper Global Commodities. Focusing your ERM program only on short term goals may adversely impact your ability to build an enterprise-wide ERM strategy.
Having said this, the balance between short and long term goals depends largely on the dynamics within each industry. The focus, according to Green, should be on what he calls “galaxy class risks” that pose a direct threat to the existence of the business itself, the business model, or the underlying business strategy. Additionally, it is important to understand risk velocity when defining short or long term goals, insisted Stanton, while Cisneros maintained that proper rewards for sustained, growth-oriented risks that look beyond short term gratification can go a long way in building a risk-cognizant organizational culture.
The evolving business landscape poses previously unimagined risks, and an ERM or integrated risk management process must be designed in order to capture risks proactively and assess their impact on your business. Only such forewarning, which anticipates change, assesses its impact, and informs the business strategy, can protect your enterprise in uncertain times. The strategic objectives and goals that your organization pursues must be tied to your risk response approaches so that their business impact can be clearly assessed. This would also act as a clear indicator of whether you need to push your risk appetite boundaries further to nurture certain business goals, added Trepcyz.
Using Technology to Build a Successful ERM Program
While technology certainly increases efficiency, it is also vital to defining detective and preventive controls, as well as to automating certain responses. With technology solutions, organizations can leverage best practices for unmatched risk preparedness without huge capital expenditure, felt O’Neil.
The enormous amount of risk data coming into your organization underscores the importance of using a technology solution to analyse this data and extract actionable insights. Trepcyz furthered this point by saying that technology not only speeds up the process of collecting and analysing this data and frees up the bandwidth of your risk managers, but also provides them with significant insights, allowing them to make informed decisions.
Stanton agreed that one of the biggest challenges government agencies face is collecting and harmonizing data from disparate systems and varied formats. Technology can certainly make the system more coherent.
Judging the Success of an ERM Program
The success of an ERM program cannot be judged with a standard yardstick. Market forces, industry environments, the competitive landscape, and even your organization’s culture have a bearing on the success of an ERM program. According to Cisneros, how an organization prepares for risks and creates mitigation processes around them contributes a lot to the success of an ERM program. He, however, had a word of caution for risk-averse or overly guarded enterprises: too much preparation can make an enterprise apprehensive and hinder day-to-day business processes.
O’Neil, on the other hand, sees ERM as a continuous process of assessing a defined path and building on it. According to him, an indicator of your ERM program’s effectiveness is how prepared the organization is for risks when compared to your competitors. Whether your ERM program is able to keep pace with the latest technologies your industry is adopting also reflects on its success, opined O’Neil.
The availability of information to the right people at the right time, and their ability to act on it, defines the success of your risk management practice, emphasised Stanton, who has seen firms collapse due to mismanagement of their information flow. Organizations with a proactive risk management culture focus on building a strong first line of defence that understands, assesses, and escalates information to the responsible authorities to effect the right responses.
Citing the example of one of the large financial services firms, he said that the firm could have saved itself if it had had effective information channels. One part of the organization noticed increasing delinquencies, and this information was shared with senior management. Instructions were then sent to the investment banking division to get rid of subprime mortgages. This was not the case with the London office, which contributed heavily to the firm’s failure. The flow of information, top to bottom, bottom up, and across the organization, is critical, and an ERM program must be designed to facilitate this smooth flow.
When all is said and done, we must bear in mind that risk management cannot be seen as an exclusive activity. It has to be embedded into every process and function that ensures business success. Green pointed out that it is only when the risk management function is viewed as a capable and contributing partner to the entire business management process that the true value of investments in setting up ERM processes or GRC technologies is harvested.