8/4/2019 Embedding Risk Management p

1/8

11

EMBEDDING RISK MANAGEMENTPRACTICES FOR IMPROVED

ORGANISATIONAL PERFORMANCE

Improving business results require risk management practices to be simplified and embedded seamlessly into normal business operations, planning and budgeting processes, and

organisational culture. It is no longer an add-on or a management fad. Private and public sector organisations alike have struggled to understand risk management implementation steps and

techniques. For those who have overcome it, they are reapingthe fruits of their labour

By: Patrick Ow

High performing organisations, havingdeveloped strategies through a sound strategicplanning process, must ruthlessly implementstrategies by removing performance barriersor risk through enterprise-wide risk management practices.

Organisations can implement their strategyand perform well if:

Everyone understands strategic, unit anddepartmental objectives, measures and

targets and key priorities (clarity).Everyone is connected emotionally andengaged to strategic themes, keyobjectives and organisational priorities(commitment).

There is clear line -of- sight for eachindividual, department, and unit so thatthey are closely aligned to theorganisations key priorities(translation).

Structure, system and cultural barriersare removed through embeddedenterprise- wide risk managementprocess (enabling).

Everyone works together to arrive atbetter ways to achieve objectives andtargets, removing its not my jobthinking (synergy).

Individuals are responsible for achievingtargets (accountability).

Everyone is a de facto risk manager(responsibility).

Risk is the likelihood of somethinghappening (either positive or negative) thatwill have a consequence or impact (arisingfrom the event) upon the achievement of objectives. Risk management standardAS/NZ 4360:2004 defines risk as the chance of something happening that willhave an impact on objectives.

Like the risk management process itself, anenterprise-wide approach (or commonlyknown as enterprise risk management,ERM) to manage risks arose from thebusiness sector and it is being adopted bypublic and not for-profit organisationsaround the world.

The Committee of Sponsoring Organisationsof the Treadway Commission (COSO) has

broadly defined ERM as a process, affected by an entitys board of directors, managementand other personnel, applied in strategy settingand across the enterprise, designed to identifypotential events that may affect the entity, and

Risk = Likelihood X Consequence

8/4/2019 Embedding Risk Management p

2/8

ARTICLES OF MERIT

12

manage risk to be within its risk appetite, toprovide reasonable assurance regarding theachievement of entity objectives.

The enterprise-wide approach to risk management does not necessarily negate orreplace the traditional risk managementprocess and mitigating risk controls, which

is summarised in Table 1. Controls arepolicies, procedures, practices andorganisational structures designed to providereasonable assurance that operations areeffective and efficient, organisational

reporting is complete, reliable, accurate andtimely, and that all applicable laws andregulations are complied with.

Effective risk management calls for acollaborative approach involving all parts of the organisation. Taking an enterprise-wideapproach to risk management is vital as risk in different units may be within the risk appetite of that individual unit. Takentogether, that units risk might exceed therisk appetite of the organisation as a whole

in which case, different risks responses may be required to bring the individual units risk in line with the organisation s risk appetite.

The starting point is the organisations objectives, encapsulated by their vision andstrategy.

From objectives, SMART (specific,measurable, achievable, realistic, and timed)performance measures and quantifiable targetsare developed. Measures and targets areimportant as what gets measured getsmanaged and done.

From the highest level, guided by

organisational structure, organisational visionand strategies are cascaded down and formsthe strategic objectives, and performancemeasures and targets, which in turn cascadesdown, is weighted and forms each businessand supporting units objectives, andperformance measures and targets. Then it

8/4/2019 Embedding Risk Management p

3/8

EMBEDDING RISK MANAGEMENT PRACTICES FOR IMPROVEDORGANISATIONAL PERFORMANCE

13

cascades down further as departmental andproject objectives where applicable.Ultimately, all objectives must be cascaded

into everyones individual performance objectives, as measured by their annualperformance plan. (See Diagram 1).

Prioritise objectives throughout each level of the organisation. For prioritisation, developstrategic themes (or value drivers) that alignto the organisational vision and strategy.

Examples of strategic themes includerevenue growth, sustainable outcomes andefficiency. Eliminate organisationalactivities or initiatives that do not supportstrategy implementation. The prioritisationprocess ensures clear focus or line-of-sightperformance for everyone within theorganisation.

Use management tools like the balancedscorecard to cascade down top-levelobjectives, and performance measures andtargets systematically throughout the

organisation, right down to each individual,which is based on four perspectives(financial, customer, processes, andpeople). 1 (See Diagram 2)

1 Beyond Measurement Alone OptimisingCorporate Performance, Accountants Today,November 2005, page 48.

8/4/2019 Embedding Risk Management p

4/8

ARTICLES OF MERIT

14

Map and allocate each strategic objectiveinto business and support units objectives as shown in Diagram 3. Not all strategicobjectives are applicable to all units.Weight the achievement of each unit for

clarity so that individuals managing theirown unit are clear about their unitperformance, avoiding any finger pointing.Eliminate joint responsibilities.

8/4/2019 Embedding Risk Management p

5/8

EMBEDDING RISK MANAGEMENT PRACTICES FOR IMPROVEDORGANISATIONAL PERFORMANCE

15

Thereafter, develop risk management plansfor each level of objectives (whetherstrategic, business, functional, operationaland project) as an integral part of

organisational culture, planning andbudgeting processes, and performancemanagement practices. (Shown in Diagram4)

All risk management plans interact witheach other constantly, passing risk items up and down through differentorganisational levels based on itsimplementation capability over the risk items. Criteria for passing risk arecategorisation, materiality and/or impact

upon the organisation similar to perhapsthe criteria for passing information to theBoard.

For example, if a unit cannot address risk solely by itself because they do not havecontrol, influence and/or authority over theimplementation of the risk control, thatunits risk must be passed up as a risk item

into the organisational risk profile forcorporate action.

Alternatively, if the risk control wasoperational in nature within that unit, theUnit Head would pass down that risk iteminto the departments risk management planfor the Department Heads attention. The

Department Head would then be responsiblefor that risk. This interaction process ensuresthat someone will act upon risk identifiedfrom any part of the organisation.

Integrate the risk management process intothe strategic management process if organisational culture and processes permitsas shown in Diagram 5.

8/4/2019 Embedding Risk Management p

6/8

ARTICLES OF MERIT

16

For example, accompany business proposalswith a sub-section on risk management. Therisk management sub-section clearly sets outall key risks affecting the achievement of thebusiness proposal, clearly identifyingresponsibility and accountability for risk control, what funding is allocated fromexisting (or future) budgets to address theserisks and whether the business proposalclearly promotes the achievement of organisational strategy through clearmeasurable output and/ or outcomes.

As part of a managers monthly performancereport, include a section on risk management,identifying issues or risk potentially affecting

the managers performance for their unit or department. This way, risk management is notabout box ticking but becomes an integral partof performance reporting and management.

Therefore, risk management must NOT bean add-on or separated as an independentactivity. Risk management must be part of organisational culture, embedded as part of everyday organisational life as shown in

Diagram 6. The risk management plan istherefore a living document embed ded asa sub-set of performance reporting andbudget reviews, where risk andachievements are constantly monitored andevaluated against strategy and objectives.

8/4/2019 Embedding Risk Management p

7/8

EMBEDDING RISK MANAGEMENT PRACTICES FOR IMPROVEDORGANISATIONAL PERFORMANCE

17

Take note of the following:

1. Avoid silo-based risk managementpractices as changes to one part of anysystem or organisation will affect otherparts since the whole can exceed thesum of its parts.

2. Supporting units objectives mustsupport the achievement of businessunits objectives.

3. Adequately resource risk controlsactivities from budgets but prioritiseagainst strategic themes. Otherwise,risk management plans becomemeaningless.

4. Monitor and report on risk activitiesthrough performance reports, rather thanspecific risk reports. Integrate risk reporting into performance ormonthlyreports as it aids the achievement of business results, providing managementwith assurance that a responsible person

is continuously monitoring orimplementing risk controls.

5. Rename your Risk and Audit Department to Business Assurance Department .

6. Avoid risk manager job titles since risk ownership is a collective matter.

Using one of the many approaches shown inTable 2 , inputs , activities , outputs , andoutcomes are chain of events that describeorganisational, unit and departmentalperformance. Inputs (e.g. qualified trainersrecruited) lead to activities (e.g. trainingactivities), which lead short-term out puts

(e.g. number of training sessions conducted).At some point, the customer or beneficiariesserved by organisational activities will eitherachieve or not achieve the long-termoutcomes (e.g. improvement in staff competencies and behaviours as the long-term result of the training).

8/4/2019 Embedding Risk Management p

8/8

ARTICLES OF MERIT

18

Inputs and activities answer the questionAre we doing things right?" whereasoutputs and outcomes answer the questionAre we doing the right things? Bymeasuring/ quantifying the chain of events,

we are able to determine the performancebarriers or risk, which would feed into risk management plans. Knowing the measureshelp in the risk identification process.

Subsequently, risk management plans (Diagram7) can be developed from the inputs, activities,outputs, and outcomes chain of events. The risk management plan sets out cost-effective risk controls required to achieve objectives,

evaluation of risk likelihood and consequences,and determine inherent risks the organisation isprepared to accept in line with the Board-approved risk appetite as encapsulated it itsEnterprise-wide Risk Strategy.

The organisation can either be a risk-averse orrisk-taking organisation. By shifting the risk

control fulcrum as shown in Diagram 8,organisations can strategically position and settheir risk tone for managing risk. However,

there is always a cost to implementing risk controls. Weak currency may for example

become an inherent risk that the organisationhas to accept, with little it could do directly.

In summary, performance is all aboutachieving the corporate objectives andexecuting organisational strategy.Performance barriers or risks must beidentified and mitigated as part of managing

organisational performance. Enterprise-widerisk management practices must therefore bean integral management tool that forms part of any corporate performance managementsystem.

The writer can be contacted at: patrickow@gmail.com

http://patrickow@gmail.com/http://patrickow@gmail.com/http://patrickow@gmail.com/http://patrickow@gmail.com/