There is nothing new about risk management. For as long as there has been commerce there has been a need to consider risk and its impact. What has changed in the last 50 years is the apparent sophistication that modern businesses can apply in order to identify, quantify and manage risk – or at least so it appears.
Complex statistical risk management tools – often derived from attempts to predict the stock markets in the US and UK – have gradually brought the wider risk management industry into being. However, the legitimate concern for any organisation is to distinguish the useful risk management techniques from the snake oil, and to be aware that risk management is not a panacea.
Too much risk management is based on the idea that risk is bad and must be mitigated. However, risk can be good. Being the first to market with a new product or service is risky, but the benefits can be huge. A good risk management programme should highlight risks that are worth taking. It is reasonable to attempt to quantify those risks; however, this is where serious problems can arise. Risk management is simply another way of saying good management, and not all the benefits can be quantified.
When senior management are considering embarking on a risk management programme, either internally or externally, they will have proper regard to the financial savings which might accrue. Unfortunately, not all risks are readily quantified.
Before developing this point further it should be recognised that there are indeed many direct financial savings which derive from the risk management process. For example:
- The identification of inefficient processes, such as poor working capital management, failure to use e-procurement for efficient purchasing, or poor physical security practices
- Savings in training costs generated directly by exposing staff to skills and techniques used by external consultants working as an integral part of a risk management project
- Savings on insurance premiums by re-negotiating them downwards based on having mitigated certain internal risks.
Similarly, having been given a clearer view of their risks, organisations may well decide that some of those risks can be carried – that is, that the benefits of insuring against them are not clear and that henceforth insurance will be bought on a selective rather than a blanket basis.
There are also many indirect savings stemming from risk management, such as operational changes whose financial impact is felt either immediately or over the longer term. For example:
- Enhanced corporate reputation stemming from adoption of best practice techniques
- Improvements to staff morale through working in an efficient and well managed organisation
- Regulatory compliance, which will head off the potential for future fines and bad publicity
- Savings to future investigation, legal and specialist advisory costs arising from risk mitigation of events, which might otherwise have led to serious internal problems.
One danger of seeking to quantify risk is that it can lead to certain significant risks being disregarded if they cannot be readily measured. The more fundamental issue for any organisation is how it can identify all the risks it might face. If a given risk is not readily quantified then many risk management processes will fail to address such a risk, which will only become apparent when a particular event happens.
Take an example from the world of fraud risk management: the attempt to identify operational and behavioural weaknesses that might encourage or exacerbate fraud. Surveys, and indeed personal experience, show that the majority of fraud occurs with the compliance of staff and directors, yet fraud-aware pre-employment screening is still relatively sparse outside the financial services and military sectors, where staff screening is demanded by regulation and law. This is ostensibly because organisations see pre-employment screening as an expense rather than a benefit. Business risk consultants usually begin their analyses by considering a client's corporate objectives – the idea being that risk is essentially anything that could cause an organisation to fail to meet its objectives. That is fine as far as it goes, but what if the objectives themselves are wrong or incomplete?
One might summarise risk management as an attempt to identify the things that keep directors awake at night, but business life is not that simple. It is unlikely that the directors of Barings Bank were being kept awake worrying about rogue traders in the Far East. It is even less likely that the auditors of the Maxwell group were tossing and turning over potentially serious problems with the pension fund. Risks have a nasty habit of causing surprises, and risk management will never mitigate that problem away.
To return to the world of fraud risk management, how can any organisation be sure it has identified all the significant fraud risks? The answer developed at Network International is to look for 'control delusion' in corporate operations – the naive tendency to look at controls from an internal, compliant viewpoint rather than from the fraudster's viewpoint. The basis of this approach is to list all corporate assets and then assess each of the threats that they face.
Where this approach leads towards a full assessment of all fraud and related risks is in recognising that assets are not just balance sheet items; they are also information, access, people, reputation and so on. In this way we have found that control delusion, whilst ostensibly a means of highlighting fraud risk, is now taking us and our clients into the wider area of identifying general operational risk itself.
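The asset-then-threat approach described above, and the earlier warning that risks which cannot be readily measured tend to drop out of the process, can be made concrete in a small register. The following is an added illustrative example, not Network International's own tooling; the asset classes, threats, likelihoods and loss figures are constructed for the example. It lists assets beyond balance sheet items, records each threat from the fraudster's side (who would exploit it and how), ranks the risks that can be scored, and keeps the ones that cannot be scored in a separate list rather than letting them sort silently to the bottom.

```python
# Illustrative asset-based fraud risk register (example code, not Network
# International's tooling). Asset classes, threat entries and all figures
# are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

ASSET_KINDS = ["financial", "information", "access", "people", "reputation"]


@dataclass
class Threat:
    actor: str                          # who would exploit it: the attacker's viewpoint
    description: str
    likelihood: Optional[float] = None  # events per year; None = not yet quantifiable
    impact: Optional[float] = None      # loss per event in pounds; None = not yet quantifiable

    def expected_loss(self) -> Optional[float]:
        """Annualised expected loss, or None when either factor is unknown.
        Returning None rather than 0 is the point: an unscored risk must not
        rank as 'no risk' and disappear from the review."""
        if self.likelihood is None or self.impact is None:
            return None
        return round(self.likelihood * self.impact, 2)


@dataclass
class Asset:
    name: str
    kind: str
    threats: list = field(default_factory=list)


def balance_sheet_only_register() -> list:
    """The 'control delusion' register: only balance-sheet items are listed."""
    return [Asset("Client payment ledger", "financial", [
        Threat("insider with payment authority",
               "diverts supplier payments to an account they control",
               likelihood=0.05, impact=200_000)])]


def widened_register() -> list:
    """The same register widened to information, access, people and reputation."""
    register = balance_sheet_only_register()
    register += [
        Asset("Customer database", "information", [
            Threat("departing salesperson", "copies the customer list to a competitor",
                   likelihood=0.1, impact=150_000)]),
        Asset("Payment system credentials", "access", [
            Threat("unscreened new hire", "shares credentials with an outside accomplice")]),
        Asset("Finance staff", "people"),  # listed, but nobody has asked how they could be abused
        Asset("Corporate reputation", "reputation", [
            Threat("press", "coverage after any of the above becomes public", impact=1_000_000)]),
    ]
    return register


def prioritise(assets: list) -> tuple:
    """Split threats into a ranked list of quantified risks and a separate list
    of unquantified ones, so the latter stay visible for qualitative review."""
    quantified, unquantified = [], []
    for asset in assets:
        for t in asset.threats:
            loss = t.expected_loss()
            if loss is None:
                missing = [f for f in ("likelihood", "impact") if getattr(t, f) is None]
                unquantified.append((asset.name, t.description, "missing " + "/".join(missing)))
            else:
                quantified.append((asset.name, t.description, loss))
    quantified.sort(key=lambda e: e[2], reverse=True)
    return quantified, unquantified


def find_blind_spots(assets: list) -> dict:
    """Assets nobody has assessed from the attacker's side, and whole asset
    kinds absent from the register."""
    present = {a.kind for a in assets}
    return {
        "no_threats": [a.name for a in assets if not a.threats],
        "missing_kinds": [k for k in ASSET_KINDS if k not in present],
    }


if __name__ == "__main__":
    ranked, unscored = prioritise(widened_register())
    for entry in ranked:
        print("scored  ", entry)
    for entry in unscored:
        print("UNSCORED", entry)
    print("blind spots (narrow register):", find_blind_spots(balance_sheet_only_register()))
    print("blind spots (widened register):", find_blind_spots(widened_register()))
```

Run against the narrow register, `find_blind_spots` reports four whole asset kinds never considered; against the widened one it still flags the people asset that was listed but never examined from the fraudster's side. The two unscored threats (the credential-sharing one and the reputational one) are exactly the kind a purely quantitative process would drop, so they are returned separately rather than ranked as zero.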
Good risk management will provide any organisation with an operational rapier rather than a bludgeon, but it will never replace good business management. Given enough time, all types of risk will ultimately have a financial impact. But, if senior management are not concerned with the long term view, are they that concerned with anything other than readily quantifiable and fairly short term risks?
Although it is important to attempt to quantify risk, it is more important to manage an organisation flexibly and imaginatively and not to lean too heavily on risk methodology.
Steven White, a Director of Network International, is a speaker at The ICAEW 2000 Operational Risk Conference, run in central London, by ABG: Courses on Wednesday 28th June. Insurance Times readers can claim a 10% discount on its £600 + VAT price. For more details contact ACC Customer Services on 0800 783 5000 (ref: Serial No.200733) http://www.abgcourses.com; & Network International on 020 7344 8100