have been managing risk every day in our business, don't tell me about Risk
Management" is the response many executives utter when approached on the
topic of Enterprise Risk Management. Are they right? In a word, yes… and no.
definitions of entrepreneurship will list managing risks as a common trait for
successful business people, does this mean that they have been born with the
skills that others have to learn through education and professional experience?
the YES camp are those who consider risk management a subconscious exercise of
commercial awareness that enables business leaders to balance the countless contrasting
aspects of a business to stay on track and achieve success. Revenue vs cash
flow, discounting vs branding, contractors vs employees, commitment vs
flexibility, market share vs profitability… And many more besides.
in the NO camp are those whose role includes the phrase "Risk", e.g.
Risk Manager; Head: Enterprise Risk Management; Group Risk Executive. These
individuals would argue risk management requires a set of skills and attributes
that can only be learned through a combination of education, experience and
consultation. They furthermore believe that Risk Management requires the
embedding of processes in an organisation that systematically identify and
manage risk and that an individual cannot do this by intuition, or without
perspective is correct? Is it possible that both camps could be right and
that good risk management is in the eye of the beholder? Or is there a single
truth… the holy grail of Risk Management!
Australian/New Zealand perspective on risk management might lean towards the
YES camp; their standards perceive risk as the effect of uncertainty on an
organisation's objectives. They lean heavily towards the importance of knowing
your risks and the context in which they exist, with a relatively low emphasis
on the analysis of the risk itself.
the long-standing view of COSO implies that good Risk Management requires a
systematic approach and that the absence of a structured approach might impede
the entire process from being effective.
or flexible, insight or foresight, analytical or intuition, collaborative or
siloed, every organisation has an appetite for the importance of Risk
Management in the context of their organisation, and this normally depends on
who has the most to lose… Inevitably the
organisation or individual with the most at stake. So is it easy to correlate
the appetite of an organisation with any other attribute such as turnover,
profitability, industry or geography?
the standards tend to agree is that Risk Management is a sub process of
Governance, which means its objective is to protect the interest of
stakeholders. Such stakeholders are increasingly you and me, the general
population, in that we are normally the final consumer, the neighbour, the
earthly co-inhabitant and the shareholder (through stocks/shares held by
pension funds) of the organisation managing risk. The maturity of an
organisation's risk can frequently be 'guesstimated' by analysing its
controlling stakeholders - he who holds the power.
that is still under family control, whether listed or otherwise, rarely commits
significant dedicated resources to the process of risk management. While their
annual report often has pages dedicated to how well governed they are (for the
unselfish purpose of maintaining share price), a glimpse below the surface will
expose this as lip service being paid to another regulatory requirement. Often
these organisations can be identified by large common shareholding and
simultaneous Boardroom control. A business
that is majority owned by a large number of shareholders, such as a listed
entity or public entity, frequently takes a different view of the importance of
Risk Management. While their annual report section of governance is
indistinguishable from the family-controlled business, a glimpse underneath
will provide a very different view. Such an organisation will have strong board
and subcommittee structures which include a separate Risk Management and Audit
committee, and management will report to these committees as part of the
performance plans. Risk Management is considerably more systematic and embedded
into the culture… The benefit of which is still unquantifiable and in
By Philip Tillman, Honorary Treasurer, IRMSA Executive Committee