Andy Hawkes, CEO at Cardinus Risk Management, looks at how good safety management systems work.
Business owners have long relied on instruments and the people around them to manage risk successfully. But new areas of risk keep appearing, and new ‘tools’ constantly have to be developed to provide information protection, compliance and sustainable development.
The bigger the company, the more widely responsibility has to be spread: typically across a controller, auditor, actuary, safety officer, accountant and lawyer. Today, however, risk management has to play the key role in dealing with risk in small and medium companies too, and the significance of this task is frequently underestimated.
Identifying and assessing risks reliably is a difficult skill that every person and every company has to master for themselves. There is no list and assessment of risks that can be transferred 100 per cent from one company to another. To make their task easier, many companies rely on a standardised risk management system installed by specialist risk management service providers.
These systems can be manual or computer aided, such as Risk Management Plus from Cardinus. Some companies focus primarily on external risks, such as market risk, credit risk, exchange rate risk, interest rate risk or regulatory risk, because these are seen as the big risks. For such externally-focused organisations, the blind spot in the risk management system is itself a new risk.
Generally, only a few internal risks are listed, and they are given lower priority. These might include IT outages, compliance violations, industrial accidents, safety and fire. If a company of this kind does not place high importance on self-criticism, selective risk awareness can lead to the worst-case loss.
Every risk needs to be evaluated quantitatively at a particular point in time, and a countermeasure budgeted for it according to its position on a ranking scale.
The quantitative evaluation needs to consider the probability of occurrence and the extent of loss. Unfortunately, two errors are made repeatedly in this process:
a) No follow-up is made to assess whether the evaluation and thus the ranking have changed over time; and
b) No analysis is made to check whether the various measures taken generated new risks.
Depending on the level of risk assessed, risks need to be classified into categories with different action requirements, for example: not tolerable, must be reduced, and acceptable.
Such classification on its own does not account for several individually acceptable risks combining into one that is not tolerable. This is where a risk appetite assessment comes in: what is the board’s and shareholders’ appetite for accepting risk in the business?
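The two recurring errors listed above and the aggregation problem just described can be seen concretely in a small risk register. The following Python sketch is an added example, not code from the article or from Cardinus' Risk Management Plus: it scores each risk as probability times loss, ranks the register, classifies each item against thresholds, keeps the previous evaluation whenever a risk is reassessed so a later review can see how the ranking moved (error a), lets a measure add the new risk it introduces (error b), and checks whether the items that are individually "acceptable" add up to more than the board's appetite. Every risk name, probability, loss figure, threshold and appetite is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed thresholds on annual expected loss (constructed for this example).
MUST_REDUCE = 50_000      # at or above this: "must be reduced"
NOT_TOLERABLE = 250_000   # at or above this: "not tolerable"


@dataclass
class Risk:
    name: str
    probability: float          # annual probability of occurrence, 0..1
    loss: float                 # loss if the event occurs, in currency units
    # Earlier (probability, loss) pairs, oldest first.
    history: List[Tuple[float, float]] = field(default_factory=list)

    def expected_loss(self) -> float:
        return self.probability * self.loss

    def category(self) -> str:
        el = self.expected_loss()
        if el >= NOT_TOLERABLE:
            return "not tolerable"
        if el >= MUST_REDUCE:
            return "must be reduced"
        return "acceptable"

    def reassess(self, probability: float, loss: float) -> None:
        # Keep the old evaluation so the next review can see whether the
        # ranking changed over time, instead of silently overwriting it.
        self.history.append((self.probability, self.loss))
        self.probability = probability
        self.loss = loss


def rank(register: List[Risk]) -> List[str]:
    """Risk names in descending order of expected loss (the ranking scale)."""
    ordered = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [r.name for r in ordered]


def acceptable_total(register: List[Risk]) -> float:
    """Combined expected loss of everything classified as 'acceptable'."""
    return sum(r.expected_loss() for r in register if r.category() == "acceptable")


def exceeds_appetite(register: List[Risk], appetite: float) -> bool:
    """True when the individually acceptable risks together exceed appetite."""
    return acceptable_total(register) > appetite


def apply_measure(register: List[Risk], target: str, new_probability: float,
                  new_loss: float, introduced: Optional[Risk] = None) -> List[Risk]:
    """Record a mitigation on `target`; if it creates a new risk, register that too."""
    for r in register:
        if r.name == target:
            r.reassess(new_probability, new_loss)
            break
    else:
        raise KeyError(f"no risk named {target!r}")
    if introduced is not None:
        register.append(introduced)
    return register


def build_register() -> List[Risk]:
    # Constructed sample register; the figures are illustrative only.
    return [
        Risk("IT outage", 0.40, 80_000),
        Risk("Compliance violation", 0.10, 400_000),
        Risk("Exchange rate movement", 0.60, 500_000),
        Risk("Industrial accident", 0.05, 900_000),
        Risk("Fire", 0.02, 2_000_000),
    ]


if __name__ == "__main__":
    appetite = 100_000  # assumed board appetite for the sum of accepted risks
    reg = build_register()
    for name in rank(reg):
        r = next(x for x in reg if x.name == name)
        print(f"{name:24s} {r.expected_loss():>10,.0f}  {r.category()}")
    print("acceptable total:", f"{acceptable_total(reg):,.0f}",
          "exceeds appetite:", exceeds_appetite(reg, appetite))
    # Error (a): a reassessment moves a risk up the ranking.
    reg[0].reassess(0.70, 120_000)
    print("after reassessment:", rank(reg))
    # Error (b): a hedge reduces one risk but introduces counterparty risk.
    apply_measure(reg, "Exchange rate movement", 0.12, 500_000,
                  Risk("Counterparty default", 0.05, 600_000))
    print("after measure:", rank(reg), "exceeds appetite:", exceeds_appetite(reg, appetite))
```

In the sample register only the exchange rate item is "not tolerable" on its own, yet the four "acceptable" items sum to 157,000 against an appetite of 100,000, which is exactly the case a per-item classification hides. The hedge that follows drops the exchange rate item to "must be reduced" but the counterparty risk it introduces pushes the accepted total higher still.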
Significant qualitative factors have to be identified that cannot be assessed using quantitative evaluation methods. These will include things like loss of expertise and resources. Care should be taken when choosing IT solutions to aid risk management systems as some focus on numbers only and miss these qualitative requirements.
It is vital that risk identification is not a silo activity as some risks have contagion exposure – all parts of the business need to be involved in the process. Boards, senior management and subject matter experts need to collaborate when reviewing risk registers and to ask questions around the consequences of the risk item. Only then can the business really build risk controls that mitigate or remove risks to the agreed appetite levels.
Short-term thinking displaces long-term orientation. Many executives are rewarded only for achieving short-term goals, and nobody examines the possible negative effects of that performance in a subsequent period. This needs to be examined.
Above all, and no matter whether you use software or manual spreadsheets, the risk management approach must start at the CEO and chairperson and run all the way through the business. Too many boards delegate risk to the group risk officer or compliance manager in the belief that this is risk management.
Unless you can instil risk management into the culture of the organisation you will never get it right. Every member of staff must be encouraged to report failures and breaches of process and procedure without fear of reprisal. Indeed, best practice is to reward employees for finding errors and breaches, so the business solves problems before they become losses.