Do you manage Risk or do you perform Risk Management?

Posted By IRMSA Insight, 18 February 2014
Updated: 17 February 2014

"We have been managing risk every day in our business, don't tell me about Risk Management" is the response many executives utter when approached on the topic of Enterprise Risk Management. Are they right? In a word, yes… and no.

Countless definitions of entrepreneurship will list managing risks as a common trait for successful business people. Does this mean that they have been born with the skills that others have to learn through education and professional experience?

Firmly in the YES camp are those who consider risk management a subconscious exercise of commercial awareness that enables business leaders to balance the countless contrasting aspects of a business to stay on track and achieve success. Revenue vs cash flow, discounting vs branding, contractors vs employees, commitment vs flexibility, market share vs profitability… And many more besides. 

Positioned in the NO camp are those whose role includes the phrase "Risk", e.g. Risk Manager; Head: Enterprise Risk Management; Group Risk Executive. These individuals would argue risk management requires a set of skills and attributes that can only be learned through a combination of education, experience and consultation. They furthermore believe that Risk Management requires the embedding of processes in an organisation that systematically identify and manage risk and that an individual cannot do this by intuition, or without investment.

Which perspective is correct? Is it possible that both camps could be right and that good risk management is in the eye of the beholder? Or is there a single truth… the holy grail of Risk Management!

The Australian/New Zealand perspective on risk management might lean towards the YES camp: their standards perceive risk as the effect of uncertainty on an organisation's objectives. They lean heavily towards the importance of knowing your risks and the context in which they exist, with a relatively low emphasis on the analysis of the risk itself.

By contrast, the long-standing view of COSO implies that good Risk Management requires a systematic approach and that the absence of a structured approach might impede the entire process from being effective.

Structured or flexible, insight or foresight, analytical or intuitive, collaborative or siloed, every organisation has an appetite for the importance of Risk Management in the context of their organisation, and this normally depends on who has the most to lose… Inevitably the organisation or individual with the most at stake. So is it easy to correlate the appetite of an organisation with any other attribute such as turnover, profitability, industry or geography?

Where all the standards tend to agree is that Risk Management is a sub-process of Governance, which means its objective is to protect the interests of stakeholders. Such stakeholders are increasingly you and me, the general population, in that we are normally the final consumer, the neighbour, the earthly co-inhabitant and the shareholder (through stocks/shares held by pension funds) of the organisation managing risk. The maturity of an organisation's risk can frequently be 'guesstimated' by analysing its controlling stakeholders - he who holds the power.

A business that is still under family control, whether listed or otherwise, rarely commits significant dedicated resources to the process of risk management. While their annual report often has pages dedicated to how well governed they are (for the unselfish purpose of maintaining share price), a glimpse below the surface will expose this as lip service being paid to another regulatory requirement. Often these organisations can be identified by large common shareholding and simultaneous Boardroom control.

A business that is majority owned by a large number of shareholders, such as a listed entity or public entity, frequently takes a different view of the importance of Risk Management. While their annual report section on governance is indistinguishable from that of the family-controlled business, a glimpse underneath will provide a very different view. Such an organisation will have strong board and subcommittee structures which include a separate Risk Management and Audit committee, and management will report to these committees as part of the performance plans. Risk Management is considerably more systematic and embedded into the culture… The benefit of which is still unquantifiable and in debate.

By Philip Tillman, Honorary Treasurer, IRMSA Executive Committee 
