The practice of risk management is immature in many organisations, and executives need to lead the charge in changing this trend
A lack of executive commitment to risk management is a primary contributor to the relative immaturity of risk management in most organisations, a recent report from Oracle has suggested.
While the involvement of senior management is arguably critical to the success of any initiative, the report said it is absolutely essential for risk management.
“The reason is simple – certain aspects of risk management run counter to human nature,” said the report Risk Management: Protect and Maximise Stakeholder Value.
“While people are eager to talk about favorable results and success, they are generally less enthusiastic when it comes to discussing actual or potential losses that affect their business.”
Without a demonstrated commitment to the risk management process from the highest echelons of an organisation, the report suggested that a culture for success and managerial invincibility will prevail where past achievements provide protection from future risks and good management is enough to prevent troubles from arising.
“Problems are considered managerial failures to which risk management draws unwanted attention,” said the report.
Fragmented risk management activities are also a significant contributor to immature risk management practices within many organisations.
“Most organisations will tell you ‘we already do risk management’,” the report stated.
“While this may be true, many operate in silos with narrowly focused, functionally driven, and disjointed risk management activities. Systems are patched together. Human and information resources are duplicated. With so many disconnects, the company cannot achieve a timely and enterprise-wide view of risk.”
Such organisations are left in a state of risk ignorance where interdependent risks are not anticipated, controlled or managed. The report also found that threats to the business are exacerbated by aggregate risk exposure.
In contrast, in a “risk-intelligent company” with a proactive and comprehensive approach, the management of risks supports every project across every function. “Risk management becomes an integral aspect of organisational life.”
Two other reasons that risk management is still immature in many companies are that all too often, risk management is historical and not predictive, and a lack of alignment among corporate strategy, strategic planning and risk management.
“When a company attains the highest level of maturity, it typically requires that dedicated resources for risk management be integrated into business processes through a formalised procedure … However, many organisations have grown an internal maze of assessments as individual responses to various risks while omitting or misaligning the strategic risk.”
The report suggested a number of key considerations in implementing a risk management program, including setting goals (three common goals being protecting against downside risks, managing volatility around business and financial results and optimising risk and return) as well as defining risk tolerance (management needs to define what the acceptable level of risk is in the interest of achieving the company’s goals).
Other considerations included assessing risks continuously (through more targeted internal audit plans, greater operational visibility and performance, better decision making and improved strategy execution) and reporting risk information (when critical risks are properly flagged, an organisation can respond, if not anticipate, risk with timely insight into its cause, impact and options for resolution).
“Recent economic volatility has given risk management a new focus and eminence,” the report said.
“The strongest companies are the ones that are able and willing to adapt, who actively integrate risk management as a critical factor at all levels of management process from strategy to success.”
News