Evolving dynamics in corporate risk management

Evolution of corporate risk

Corporate risk, in its simplest form, can be described as a risk that can call into question the financial stability and the going-concern status of a company, and become a key hindrance to sustainable wealth creation for any organisation. It may impact the stakeholders of the company: shareholders, lenders, employees, government, creditors, customers and even society at large. In earlier times, corporates had a very limited definition of risk, which primarily focused on the risk of misrepresentation in financial statements and on operational risk, and efforts were therefore concentrated on managing these risks. However, rapidly changing scenarios in business, society, geography and politics mean that corporate risk managers across the globe struggle to manage these challenges and overcome their impact. With the growing importance of Technology, Environment & Data (TED), many catastrophic risks such as cyber risk, data leakage, privacy risk and reputation risk are now staring organisations in the face.

Risk management dynamics

The financial sector has always been a backbone of the real economy, giving it the much required impetus by way of either funding, insurance and/or other forms of risk management. However, failures in financial markets have time and again proved that no corporate, sector or economy is shielded from developments across the globe. With an increase in global trade, there is an ever increasing dependence on different interconnected financial markets and sectors for overall sustained growth and hence, newer risks in one economy quickly cascade to the rest of the sectors and economies.

Risk and its management by corporates have always been dynamic and evolving. Long ago, the two key categories of risk that management perceived as important were financial and operational risk. Controls were devised to ensure there was no financial misstatement, with strict reliance on documented procedures and on delegation of authority over key activities to avoid operational failures. Risk management policies were developed more from the point of view of giving shareholders comfort than for any active risk management. Then came an era of regulatory-driven risk management, which basically meant corporates had to comply with a plethora of regulations, failing which hefty penalties were levied besides legal charges which could derail an organisation’s growth strategy. This suddenly drew huge attention, as no management wanted to cross the line with the regulator. Compliance departments were set up and manpower deployed to keep a check on any regulatory changes impacting their business and the risks arising from them.

Cybersecurity risk and reputational risk are the latest entrants to the complex web of risks. Further, with very limited tools and resources available to quantify the amount of damage these risks can cause, they have quickly become the topmost agenda item of any boardroom discussion. Technology adoption is inevitable for any company to grow; however, if not adopted in a measured way, technology opens the doors to IT and cybersecurity risks. On one hand, concepts such as machine learning, the internet of things and artificial intelligence are helping risk managers perform their tasks with efficiency; on the other, the growing use of these concepts in the financial sector has led to many frauds.

The world of risks is growing more and more complex and intertwined. Whether it’s a political change in a country, commodity demand-supply concerns, or an unpredictable or unfavourable central bank policy, each of these has made the job of risk managers challenging and demanding. The response from corporates has been resilient, with corporates overhauling their risk management processes. We now see separate departments being carved out, each responsible for identifying, monitoring and managing risk, investments being made in people, processes and technology, and elevation of the role of the Chief Risk Officer (CRO).

Risk mitigating measures have to be commensurate with the organisation size, the industry in which it operates, its presence around the globe, strength of human resources, past trends of un-favourable circumstances, etc.

In order to set up such a risk management function, the following should be considered in detail:

  1. Dynamism in organisational culture – Organisation culture comprises the work force, who belong to different cultures, societies, races, castes, etc. A strongly embraced multi-cultural work force can support in managing the ever-changing risk environment; the right mix of millennials, generation X, etc. can further add to innovation, stability, analytical mindset and creativity

  2. Rethinking and reassessing the risk appetite of organisations – Realigning the existing risk appetite with the risk appetite of a diversified risk environment. Risk managers should rethink, reassess, and re-apply their strategy on risk mitigation architecture applied at various levels of the organisation. Strategy must consider business strategy, digital strategy, human resource strategy, investment strategy and other factors affecting the organisation

  3. Continuous review – For any strategy to work, there has to be continuous monitoring and review of the actual state of affairs against what was expected, to understand how things are to be modified for better management

  4. Right mix of technique – For any risk management strategy to work, there has to be the right mix of risk management techniques covering all risk types. Techniques can be dependent on various factors such as organisation size, industry in which it operates, its presence around the globe, strength of human resources, etc.

Following are some important pointers that should be considered while selecting any particular risk technique:

  • Analysing the scenarios – What can go wrong that may lead to any unfavorable impact
  • Quantification of failure – What would be the probability of a particular failure to happen
  • Assessing the impact (stress) – If it happens, what consequences are expected.

The risk management framework is an important aspect at the centre of our entire discussion. Following are the steps for establishing an effective and efficient risk management framework:

Step 1: Identification – Risk management activity starts with identification of risk which involves discovering, recognizing and explaining the risks that might affect the organisation and its stakeholders. During this step, risk managers start preparing the risk register which includes the bouquet of all possible risks faced by the company

Step 2: Analysis – After the risk register has been prepared to identify all risks, the risk manager then estimates its likelihood and consequences for each of the risks. During this step, the risk manager develops an understanding of the risk’s nature and the magnitude with which it can affect the organisation’s goals and objectives

Step 3: Ranking – Once the identification and assessment of risk is done, it is imperative for risk managers to sort them into an order of ranking which would signify which risk is an utmost priority of an organisation in order to decide the risks that are to be managed and those that are to be absorbed. This sorting depends on various factors such as probability of occurrence, exposure level, impact on operations, velocity, acceptance, shared or not, etc.

Step 4: Treatment – All risk management activities have an important objective or goal, which is to mitigate the identified risk. Risk managers invest a lot of time in developing techniques to respond to these risks. Responsiveness can be prepared considering the sorting done in the previous step. This helps risk managers to focus on the risks which are high on the priority list. While planning responses, the aim should be to minimize the chances of these risks materializing, reducing their unfavorable impact and developing a contingency plan

Step 5: Monitoring and Reviewing – This is the last step in the risk management framework which includes periodic monitoring, tracking and reviewing of risk registers. This helps risk managers update risk registers with new risks, new ranking order and removing/updating already existing risks. Periodicity of monitoring, tracking and reviewing should be defined by the management and may be different for various types of risks.

Risk is about uncertainty, and putting a framework around it can support in effectively mitigating it. All this helps in allowing the organisation to achieve its ultimate goal and objective of sustainable growth, regulatory compliance, and creating economic wealth for stakeholders.

The risk management process helps to manage risks effectively when they occur, as the issues have been anticipated, and strategies to treat them have already been established. This makes for efficient and effective teams and happy stakeholders. The end result – risk managers help minimize the impact of threats and seize the opportunities that occur.

Board Members, Risk Committees and key personnel have to identify key risk areas in order to develop policies and strategies that are comprehensive, flexible and easily deployable throughout the organisation. Strong leadership and active oversight can determine the success of a company’s risk management programme.

Conclusion

Risk management was always a part of corporate strategy; however, there has been a remarkable shift in companies’ outlook towards active risk management. Today, we notice that the velocity of information has increased exponentially and therefore the time corporates have to react to any external event has reduced. Due to algorithmic trading and machine learning models, the financial markets tend to react much faster than the risk managers in any corporate. Thus emerges a need to potentially foresee and predict, with a degree of certainty, the type and magnitude of risks faced by the business in order to react quickly.

Further, as organisations mature, their tolerance for any fraudulent activity, and hence their tolerance for reputation risk, decreases. Earlier, companies relied on internal audit based on sampling methodology to give the management comfort on the operations of a particular department. However, corporates have now started embracing technology in this space as well, and with the help of data analytics tools, it has now become possible to do complete population testing instead of relying on a smaller sample. This again shows that the tolerance level for any risk event has decreased and corporates are looking to invest in technologies and human resources which would enable them to identify, assess and manage the risks appropriately.

The bigger question still being debated is, with the advancement in technology and automated tools: Will bots pose competition to humans? – a question to which we shall probably have the answer in the near future!
