Basic ERM: Practical solutions for Asia – Part 2

Practical risk management implementation in the organization depends on how the corporate structure is arranged. It is always best to align with existing hierarchies and information flows in order to be effective with as little disruption as possible to existing systems. Here are some pointers as to how to think this through for your organization.

Risk Sub-systems

For companies it is usually a good idea to produce a prioritized list of the biggest risks facing the organization. Risk management techniques are also used for other corporate activities. These might be considered as subsets of the overall company risks. For example, a subsidiary company may have quite different (but related) risks to those in the holding company. Other areas that may have to be addressed specifically include:

Project Risk

The risks encountered in a specific project can also be very different to those faced by an organization.

Companies: From a management perspective a company is all about longevity and growth. Sometimes it feels as though a company has existed forever and will continue to exist forever. The focus is on change during a period. Team members tend to work in fairly stable business units and make incremental improvements over time. Habitually you don’t annoy the guy next to you as you will be working with him perhaps every day for the rest of your career.

Projects: The whole function of a project is to get finished. From a management and financial perspective it’s about cost-effective deliverables: normally, how to get the thing done as quickly and as cheaply as possible for a given level of quality. There is a clear start and stop. Team members are by their nature used to the quick build-up and subsequent break-up of teams and have little personal investment in building a long-lasting relationship with the rest of the team – unless they work together on multiple projects.

The objectives of project risk management can therefore be quite different, and the risk manager thinks more in terms of threats to time, cost and quality rather than the more usual business management risks.

Mergers and Acquisition Risk

From a risk perspective, M&As also tend to be run as projects. There are other key factors affecting risk on an M&A. Perhaps the most significant is confidentiality and security. During key stages, information risk – particularly the chance of a target or competitor finding out what’s going on – is critical. Another issue that arises partly as a result of this is that, whilst the legal team and the financial team are involved from the outset, the risk team might only get involved towards the end. This can require high-speed, effective due diligence.

Risk management as a decision-making tool

Quantitative Risk – Priority by price: There is a wide diversity of data management software available to help manage risks. Some of these packages are very sophisticated and genuinely mathematically based. Market and credit risk management are two good examples where modeling has already reached an advanced level of sophistication. Medical case risk management, which we touched on above, and many engineering failure risk processes can be considered in a similar way. For systems of this type – which are essentially ‘closed’, to use systems thinking methodology – it is possible to attain a high degree of accuracy within certain specific parameters.

Qualitative Risk – Priority by value: Most other risk systems consider internal and external dynamics along with the broader business environment, and things can get much more complex. The variables are so many and so varied that it can be almost impossible to model outcomes with any level of confidence. As technological improvements accelerate, there is a genuine opportunity to harness big data, management of data by algorithmic solutions or even artificial intelligence for the benefit of large corporations. But at the time of writing, we have not yet reached this point.

Operational risk and enterprise risk management both fall into this qualitative category. These are called ‘open’ systems, to use systems methodology. It is much more challenging to get meaningful financial variables that will provide a pure comparison by cost alone. For example, an organization can spend a lot of time and energy on succession planning. But assigning the associated risks a financial value may not be helpful or appropriate. Honest assessment of risk at the highest levels in an organization usually becomes more qualitative to allow additional dynamics to be introduced. Other good examples include issues around reputation, ethics, safety and employee quality or morale.

Strategic Risk

For long-term strategic risk management the output will become almost entirely qualitative unless multiple assumptions have been made for appropriate variables. The role of the risk manager becomes more like that of an economist – with perhaps an equal chance of being right as in the dismal science of economics. It is a brave risk manager who attaches financial values in this area and makes strong commitments to the CEO without carefully crafted caveats.

Risk Assessment for specific topics

It’s often helpful to run discrete risk assessment exercises for a specific project topic or even a particular issue. Running through all the possible outcomes enables the company to keep some corporate history of why certain decisions were made. This can be helpful in communications and for learning if something goes wrong or further improvement is required.

Next time, 6 steps for implementation.