A dedicated resource for Risk Management?

If you believe the Enterprise Risk Management (ERM) Integrated Framework, ISO 31000 Risk Management or any other guideline you followed for getting acquainted with the concept requires an investment in a dedicated resource for implementing it, you aren’t alone, and it’s not the first time a framework has been perceived to suggest a specific resource requirement.

The “being fancy” fever is real, but does it offer any substance too? Well, that’s debatable, and that’s what we’re going to examine here. A risk management department, the head of risk, or the prized Chief Risk Officer: all these titles lend a premium image to the entity investing in them, but let’s unravel what’s underneath before regulation or business-management best practices make them mandatory. And let’s also identify who has the best shot at risk management.

What is Risk Management?

Since I just love the definition of risk from ISO 31000, let’s begin with ISO and see how it defines risk management. According to ISO 31000, Risk Management is defined as coordinated activities to direct and control an organization with regard to risk.

COSO explains ERM as the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, for the purpose of managing risk in creating, preserving, and realizing value.

There are two vital aspects in both these guidelines:

  1. Activities and practices suggest that risk management is a process.
  2. Coordination and integration require harmony with the organization’s existing processes and systems.

Decoding the guidelines

Being a process, coupled with the fact that it’s a relatively new concept, risk management might be thought of as something that needs to be carried out afresh and separately; at the same time, it requires integration and coordination in execution. Let’s get back to these in a while, but where exactly do these guidelines suggest a dedicated function, department, team or resource?

In fact, the risk management requirements across all industries are so mammoth, and at times onerous, that no enterprise in any sector could delegate them to a dedicated team. Such a delegation, besides being contrary to the theme, concept and intent of risk management, is also practically impossible if the process is to fulfill its objectives and add value.

Breaking down risk management

Let’s now break down the process into its core activities to see why it cannot be a task delegated to a dedicated team. The Risk Management process primarily entails:

  • Risk Identification
  • Risk Assessment
  • Risk Mitigation
  • Monitoring & Reporting

Each of these activities carries several components as listed below:

Risk Identification: operating environment and stakeholder influences, setting of business objectives, factors impacting accomplishment of objectives, potential events, etc.
Risk Assessment: risk capacity, risk appetite, risk tolerance, heat maps, risk ratings, acceptable risk levels, etc.
Risk Mitigation: identification of controls, identification of risk mitigation strategies, mapping of controls, testing and determining residual risks, etc.
Monitoring & Reporting: frequency, dashboard development, report making, communication, etc.

Needless to say, risk management is a fully dynamic process, since risks never remain static owing to the fluid environment in which businesses operate, whether that environment is unstable or the business is pursuing greater stability alongside growth ambitions.

So where do these components come from? Or more appropriately, who contributes to these?

  • The business objectives, the starting point for risk identification, are established and communicated by the executive management and the Board of Directors.
  • The risk capacity, appetite and tolerance, the building blocks for risk assessment, again come from the executive management and the Board of Directors.
  • The hierarchy of risk management strategies and the control actions, both of which lay down the platform on which risk and control mapping is done, are established by executive and operational management, respectively.
  • The monitoring and reporting frequency, and what needs to be monitored and reported, being the core elements of formulating a mechanism, are decided by the executive management.

But then, what is it that the dedicated risk management resource achieves here for each dollar invested? The work then left to be taken up by this resource is documentation and record-keeping (for instance, maintaining risk registers), recording results of assessments (risk ratings), compilation (mapping of controls and determining residual risk) and reporting (risk reports).

And are these delegated tasks required to be pulled off in isolation? In my experience and opinion, these aren’t, cannot be and shouldn’t be conducted in isolation. If they are conducted in isolation, how do we make those coordinated efforts, integrate risk management activities and develop an environment where each thought process and action first considers risk, the risk-oriented organizational culture?

Role of Management and Board of Directors

The operational and executive management constitute the organization’s first line of defense and are thus the risk owners. They are responsible for the day-to-day execution of controls and thus for the management of risks. They are also responsible for necessary escalations, for allowing or disallowing exceptions on transactions not covered by standard policies and procedures, and for suggesting control modifications.

Similarly, it is the management’s responsibility to decide whether a unique transaction poses a risk not previously encountered, and thus not captured by the existing assessment framework. Also, it is for the management to decide whether, despite the correct assessment of a significant risk, its mitigation should be prioritized or not, and vice versa.

Risk falling outside the entity’s risk appetite might sometimes be assumed by the Board of Directors. Revisions to heat maps will thus also be proposed by the management and approved by the Board. Furthermore, the risks associated with strategic decision-making and with executing that strategy are also identified and addressed by the executive management and the Board.

Concluding thoughts

Thus, risk-oriented conduct of business, where risk is considered at every action or inaction, is only possible when risk management is also entrusted to the management! COSO’s ERM and ISO 31000 intend exactly such an integration.

As for the Basel regulatory framework for the financial services sector, risk management is required to be a separate function, distinctly independent from the management. The core purpose of this requirement is to ensure that the risk management function reports independently to the executive management and the Board about the entity’s risk health, and that conflicts of interest are avoided. This requirement stems from the fact that the financial services sector carries substantial inherent risk by design.

In my opinion, a board that has the desired competencies and a constitutional mix comprising adequate non-executive and independent directors governing management’s performance, that prioritizes financial risk management and operational KPIs over financial results, especially in areas like investments, derivatives, non-performing loans, etc., and that is further aided by independent assurance providers and regulators, need not be concerned about conflicts of interest, since very little is then left that could breed a trust deficit.

And this brings us to an important last point: the independent assurance providers. There’s one function that’s heavily invested not just in providing assurance but also in advising on improving the performance of risk management.

This one function is uniquely and most diligently positioned within the entity, because of its comprehensive coverage of the business risk universe, to independently review the derivation of objectives, the completeness of risk identification, the objectivity and accuracy of assessments and ratings, and the testing of controls (mitigants) for design and compliance issues, and to recommend improvements, besides providing assurance in an independent report.


For this function, the business risk universe is its audit universe. So it’s imperative that when entities think of investing in dedicated risk management resources, they instead think about this function, which provides independent value addition to their existing risk management system.

That function is Internal Audit. It is mandated by a number of regulatory guidelines, it isn’t a fanciful investment, and it wasn’t a hard guess!