- Financials -Developing a budget and other cost indicators
- Operations- Preparing audit and review schedules. Listing out policies, procedures and manuals to be prepared and reviewed.
- Resources- Formulating a hiring and a training plan
- Knowledge – Developing knowledge bases, writing research papers and upgrading risk management tools and software.
Risk management has become complex and critical in the present economic environment. Without sophisticated and skilled risk management departments the organizations may face multiple disaster scenarios. Globalization, technology, economic environment, regulators, competitors, and speed of change, all have contributed in making business operations more complex. Risk management departments need to gear up and develop annual strategy considering these aspects in mind.
Five suggestions for preparing a comprehensive annual strategy are given below:
1. Break the Silo Approach
Depending on the size of the organization, the organization may have a number of departments focusing on risk management. To name some, in respect to the department heads mentioned in the first paragraph, we have Internal Audit, Fraud Prevention & Investigation, Risk Management, Compliance, Information Security and Business Ethics. These departments generally have some overlapping functions and turf wars. Silos are formed and the senior management has difficulty in making sense of various risk dashboards and reports presented by the department heads.
Prepare individual plans for the departments and roll them upwards to have a combined one of all risk management departments. Prepare one single risk management strategy and plan for the organization as a whole to present the same to senior management. Present a plan to the management which emphasis on the top risks to the organization, with a plan to mitigate and control them. The management will have higher respect and provide greater support to the integrated approach. Various risk management departments will also be able to save cost and time on monitoring various risks by reducing duplication of work, leveraging synergies and sharing tools and information.
2. Determine Risk Philosophy and Appetite of the Organization
In some cases, the risk management departments present a risk dashboard to the senior management of the organization. If the CEO of the organization asks “Can I hold you on this? Are you sure that if these top 10 risks are mitigated, the organization will sail through the year?”; the head of the department generally cannot a say a definitive “yes”. The answer is given with a maybe, but, if etc. but not a “yes”. So the question is how should a risk manager address this concern.
Risk management department need to determine the risk philosophy and appetite of the organization. To assess the risk philosophy, understand the organization culture and environment. The way business operations are conducted daily and the organization’s strategy are good indicators to find the risk philosophy. Assess whether business has an aggressive or conservative attitude towards risks for achieving business goals.
Risk appetite is the amount of risk which the organization is willing to take to undertake business activities. A simple question to ask the board of members would be -“What amount is going to make you uncomfortable if it appears in the business newspapers?” Consolidate the risk exposures from the various risks identified by the risk departments and present it to the board. Finally, assess whether the company’s internal outlook on risk philosophy and appetite are consistent with the viewpoints of the board and other stakeholders. Realign the two where required to prepare the annual strategy.
3. Understand and Integrate with Business Strategy
In a few companies, the annual strategies and plans of business and risk management are drawn up in parallel, with neither having information of what the other is planning. The risk management strategy cannot be internally department focused. The risk management heads need to obtain information on the business strategy of the organization to understand strategic risks.
For example, obtain information on new products and services which the organization is introducing in the coming year. Identify the territories, branches, and countries which the organization is planning to expand its business operations. Determine what will be the risks of expansion and innovation. Let us say, a USA company is planning to introduce its products in India. Now India has different laws, regulations and taxes. Also, the operational risks are different. Understand these risks and integrate them in the annual strategy and plan. This way, neither the risk management departments nor the business operation departments will be surprised. The budgets and plans would be incorporated and approved before the year commences, hence there will be limited fire fighting.
4. Focus on Building Relationships
One of the grouses which risk management departments have is that they are not on CXO’s radar, do not have direct reporting to the top or representation at the board and are sidelined from the critical business operations due to negative perceptions.
Plan for the coming year and prepare a wish list. Include in it time required from CEO and other CXO’s, formation and membership of risk oversight committee, a new organization structure with the head directly reporting to CEO and a nomination at the board. Discuss these aspects with the CEO and senior management during plan preparation. This will ensure that the senior management schedules the requirements in their plans. Insist that the CEO puts risk management as one of the points in his/her personal balance score card. This will make sure he/she is dedicated and committed to risk management throughout the year.
Discuss the composition of the risk oversight committee and audit committee. Identify the members you wish to nominate who support risk management initiatives. Define the process of reporting to the board and the audit committee. Get their commitment for board nomination and new organization structure for risk management departments. Start the groundwork for building relationships at the planning stage itself.
5. Assess Competitors Strategies
The risk management departments are generally happy with what they are doing and discover information about tools and methodologies from various institutes periodicals, magazines and conferences. In a few cases there is some focus on the operations of risk management departments of competing businesses and organizations.
Determine which organizations are competition to the business in respect to products and services in various territories. Focus on finding information of the risk management department operations of these organizations. Find out which risks the organizations faced, how they were mitigated, what kind of tools and knowledge bases they are using, what are the staff strength and the skill set and the organization structure. Will some of the practices result in cost savings and better synergies within business? Determine the similarities and differences, and assess what can be incorporated in your organization effectively. There are some lessons which can be learned from competitors success and failures. Leverage on competition knowledge to learn these lessons.
The above mentioned five points are those which can be easily incorporated to prepare a comprehensive annual strategy. There are a few other things which the risk management departments can look into. Some of them are, introducing ERM, building risk management department’s brand, applying collective intelligence etc.
A single line of advice would be to look at the bigger picture and question the status quo. Put on your thinking hats and prepare a new strategy. Wishing you all the best for preparing the annual strategy
If you wish to read more visit Sonia Jaspal's RiskBoard at http://soniajaspal.wordpress.com/
Comments
Good point you have raised. Acutally an organization should have a 3-5 yr risk management strategy plan. The number of years the plan should normally be the number of years of the business plan and strategy. Ideally, if an organization has a five year plan, it should have a five yr risk management strategy/ plan also.
This then should be broken down into yearly strategies for the purpose of operational success. For example, with the financial crises, most plans would have to be revised. Hence, the risk management strategies also should be adapted according to the plan.
Sonia
Is Risk Management Strategy something you would do annually?
In my school book (even old and dusty it is) a year is an operational period. Shouldn´t the strategic view be longer than 12 months? This particularly when major system implementation projects can take a year.
I would suggest that the strategic period would be min 2-3 years. So that it could include at least few operational periods. I do recognize that the environment has changed very rapidly, specially with in the last 3 years. And when bearing in mind that risk management is a way of thinking and a way of working then some melting time is needed.