The well-publicised consequences of inadequate risk management include the likelihood of a significant financial impact on operational costs and earnings, and the intangibles of brand value, reputation and trust, as well as personal ramifications to senior members of staff. Boards of all sizes have responded by investing significant time to ensure the dynamic nature of their unique risk profile is understood, that robust controls are in place and, most importantly, they are instigated to ensure risk remains tolerable within the organisation’s risk appetite.
In executing its strategic objectives, every organisation faces a diverse range of threats and opportunities. Regardless of whether they emanate from internal or external sources, both threat and opportunity creates the need for efficient and robust risk management to ensure it is understood, quantified and prioritised, and that risk management supports the organisation’s decision making processes.
Treasury professionals are central to the effective management of risk within their organisations through liquidity management and investment decision making, and are also increasingly involved in the strategic decision making. While compliance with regulations, corporate governance requirements, and lending conditions are central to effective risk management, there is an ever- increasing need to consider risk across the organisation, rather than solely through functional lenses.
Furthermore, due to the complex nature of risk, market volatility, the changing global risk landscape, and the speed at which risks can now materialise, organisations need to think beyond risk compliance and towards enterprise risk management (ERM). The effective application of an ERM framework across an organisation ensures a holistic approach is adopted in which the interfaces and correlations between risks are understood and effectively controlled, regardless of the source or ownership of risk.
Boards and treasury professionals are increasingly using ERM practices to better understand the risks they face, the consequences should they arise, and the capability of the control framework – be it financial or operational. Applying an ERM approach increases confidence on business outturn and flags any gaps for improvement measures.
Ingredients of success
Successful ERM programmes are tailored to the unique requirements of the organisation and go beyond purely considering the traditional “three lines of defence”: describing the relationship between management assurance (first line); internal assurance (second line); and external assurance (third line). Best practice ERM incorporates activities under the broad headings of process, people and information systems.
Taking the first element – process – risk should be embedded into management activities rather than merely an add-on, disbursed, and infrequent activity. ERM should not be bureaucratic; it should enable better decision making. The ERM process should be articulated within a procedure document, often referred to as a framework, to ensure all colleagues understand the process and conduct their activities consistently.
It is particularly important that the interfaces between management processes are identified and that ERM spans all areas, as many organisations tend to conduct business and functional activities in isolation. Purely focusing on updating a risk register alone on a periodic basis may result in “long tail” risks (low probability and high impact) being missed, to the detriment of organisational success. The risk analysis should consider both qualitative and quantitative techniques while recognising the advantages and disadvantages of each, such as data availability and biases.
Furthermore, complex risk is not linear: where risk exists, it will commonly have causes and implications across internal boundaries, thus necessitating a joined-up approach to optimise resources and effort for effective resolution.
The second element – people – recognises the responsibilities and accountabilities of all parties in the risk management cycle to identify, assess, manage, review, and report risk. A firm mandate for risk management and the reasons for conducting ERM activities should be provided by senior executives to secure organisation-wide buy-in. While risk accountability ultimately sits with the board, all members of staff within the organisation have responsibilities within the risk management cycle. It is essential that responsibilities and accountabilities are clearly articulated and followed through.
While treasury professionals take risk-based decisions and manage capital volatility as a matter of course, they are also increasingly being allocated ownership for the implementation of ERM within the organisation. With this widening remit and when planning risk control activities, treasury professionals should ensure that resources are allocated towards the most significant risks and that risk management activities are consistently embedded and integrated across the organisation.
Under the heading of people, of fundamental importance in the achievement of leading ERM practices is organisational culture; both within the organisation and within the supplier organisations responsible for providing its services. Treasury professionals with ERM responsibilities should understand their current culture and the actions required to close the gap with desired future culture. Only when the right culture is in place will leading ERM practices be achieved.
Finally, information systems should be designed and deployed to record, report and monitor the organisation’s risk performance. Systems should be designed to suit the requirements of management – not vice versa – and should interface in to other operational risk systems such as financial management and audit. The right risk management information systems improve management insight, accelerate speed of response and enable knowledge-based decision making, leading to improved business performance, customer service, and business growth.
An effective ERM framework helps to create a closed feedback loop between risk management practices and assurance activities, ensuring that risks are fully identified and appropriately analysed, that decisions are made over their tolerability, controls are developed, deployed, and their effectiveness evaluated and reported.
Embedding ERM practices will enable organisations and treasury professionals to increase their business-wide understanding of the sources of threats and opportunities, and the processes, people, and systems required to manage risk. Furthermore, successful ERM implementation will lead to increased certainty over business performance, improved shareholder value and greater public confidence.
David is the leader of Marsh Risk Consulting’s London based Enterprise Risk and Resilience Practice. David and his team have a strong track record in providing strategic and operational risk advice and implementing solutions on business critical risk management programmes to a wide range of organisations globally.