Why a box-ticking approach will not work in managing enterprise risk

The global financial crisis not only turned many companies in the US and Europe belly up but also raised questions about the effectiveness of modern risk management practices.

Since the demise of Enron and the like, enterprise risk management (ERM) has taken centre stage and been adopted by many companies. The collapse of large global companies, including financial institutions that were deemed too big to fall, prompts us to ask why they were not saved by their risk management mechanisms.

A recent study by the University of North Carolina on behalf of the American Institute of Certified Public Accountants provides some insight into the present state of enterprise risk management practices in the United States. Among the findings of the research are:

• Over 60% of respondents believe that the volume and complexity of risks have changed “extensively” or “a great deal” in the last five years.

• 44% of respondents have no enterprise-wide risk management process in place and have no plans to implement one. An additional 18% without ERM processes in place indicate that they are currently investigating the concept, but have made no decisions about implementing ERM.

• Some 43% do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Over 75% indicate that key risks are being communicated merely on an ad hoc basis at management meetings.

• Expectations for improvements in risk oversight may be on the rise. For almost half (45%) of the organisations represented, the board of directors is asking senior executives to increase their involvement in risk oversight.

• For those audit committees formally monitoring risks for the board, 19% monitor only financial risks, while 63% monitor operational and compliance risks in addition to financial risks. Only 18% monitor all entity risks, including strategic risks.

It is quite apparent from the research findings that there is a spectrum of risk management practices out there. Also, quite a significant number of entities surveyed either do not have a formal and structured risk management process or risks are still being managed on a “silo” basis.

Such findings should alert directors in Malaysia to understand better the position of the risk management practices within the companies under their care. Given that the world we live in now is complex and inter-connected, risk drivers could change frequently, and the impacts and consequences they bring may differ from previous occurrences as well.

The challenge is how to ensure risk management is applied wholeheartedly, and not merely by ticking whatever checklist satisfies instructions from the board or regulators.

The pressure of producing short-term results to satisfy shareholders and other stakeholders who are also living on short-term performance expectations would also exert pressure on management to look the other way and neglect putting in place effective ERM.

Boards and managements should also appreciate the limitations of ERM and not expect things that cannot be delivered by ERM.

For example, the last crisis certainly demonstrated that extreme risks may not have past patterns. Perhaps the collapse of the financial market in the US was the result of greed, complex financial products, an easy credit regime and a "me too" attitude, all happening at the same time.

This accumulation of incidents may not have been experienced by the executives and decision makers who were calling the shots, leading to the build-up of risks that eventually exploded. The rest is history.

Another misconception about risk is that it could be reduced to mathematical models by smart people with strings of academic qualifications. Investment banks and financial institutions hired many mathematical experts to develop models to predict market behaviours. The global financial crisis has taught us that in extreme situations, human behaviour is often influenced by feelings and emotions which may not be captured by mathematical formulae.

The number of companies which do not consider strategic risks, as discovered by the US study, should also remind us here that such risks should not be ignored. Markets, be they local, regional or global, are shaped by many factors.

These include political developments, economic events, technological changes and environmental issues which occur frequently and influence the competitive dynamics in the markets served by enterprises. While enterprises need to be operationally effective and comply with regulations and standards, the risk of not spotting strategic changes could be more disastrous in extreme cases.

In short, directors and leaders of enterprises have to focus more effort on ensuring that the risk management practices in their organisations are embraced in the hearts and minds of all their people. Having structures and processes is not adequate, as effective risk management requires continuing attention. Integrating a risk management mindset into the culture of the organisation is the sustainable way of ensuring the business remains viable when major surprises occur.

