Real risk management

COMMERCIAL PROFILE: One thing recent events have taught us is that risk hasn't been managed - now is the time to manage every facet of your company the right way

PRICEWATERHOUSECOOPERS: Ask Bob Semple, partner with PricewaterhouseCoopers (PwC), about risk management, and he'll say the term contains one too many words - the first one. Beneath all the corporate-speak connotations, the discipline boils down to good management, and should be an intrinsic part of all companies.

But if the kernel of the idea is so simple, why has risk management fallen so far short of its brief? If one thing is clear from the fallout of the credit crunch, it is that corporate risks have most certainly not been managed.

A practitioner and passionate advocate of risk management for many years, Semple has now come to the conclusion that the model is broken.

"You stop and ask yourself, if corporate governance and risk management was working better, would we have sustained the losses, would we have seen the value destroyed?

"So you'd have to conclude that, notwithstanding all the effort that's been put into corporate governance over the years, and risk management and internal audit and external audit and all the different elements of assurance coming from different sources, somehow or other it just hasn't delivered," he says.

Over the years he has advised clients to formalise risk management processes within their businesses, but is now torn on this issue. "I feel a little bit conflicted about this - having felt very enthusiastic about formalising risk management," he says. "One of the things that's happened in a lot of businesses is that it has separated the activity of risk management from management."

By formalising and separating the activity, for example assigning a risk manager, the danger is that everyone else washes their hands of responsibility when in fact, according to Semple, risk management should be everybody's job. He has seen many organisations putting huge effort into creating an elaborate risk register (a detailed log of potential risks, and actions that can be taken to mitigate those risks).

"And guess what? Once produced, it sits on a shelf until typically nine or 10 months later, when somebody either in management or the board says: 'Better get out that old risk management thing because we're supposed to have it updated'."

This is actually the worst outcome that a company could have, he says, because it creates a false sense of security. "Real risk management, effective risk management, is the sort of management that is very, very dynamic," he explains.

"It keeps up to date with all of the changing circumstances, it holds people to account to make sure that actions are taken in relation to the biggest risks and it's actually making a huge difference to the way business is conducted."

Semple carried out research last year that found that, although there were "pockets of good practice", lots of Irish organisations just aren't getting value from risk management.

"I surveyed quite a range of Irish companies to get their assessment of where they stood, how mature were their processes. . . and the very clear message that came back was that we are very immature in our risk management processes."

So what can organisations do to get a greater return on their investments in risk management? "I think that what we need to do in relation to risk management is we need to ask much tougher questions about what are the big issues facing our organisation - have we got somebody who's accountable?" he suggests.

"I've a very, very strong view that we should put much greater emphasis on single points of accountability."

Organisations need to take "a very harsh look" at how mature or otherwise their business processes for risk management actually are, he continues. Secondly, they need to make sure that the highest-priority risks are addressed by the top table. "If senior management get together every week, every fortnight, the top risks should be on the list," he says.

Semple also sheds some light as to why things have gone so badly wrong in the global economy. He refers to The Black Swan, Nassim Nicholas Taleb's book on uncertainty, and agrees with its theory that there is too much reliance on models (which are simplified versions of reality based on certain assumptions) "because from time to time, you get something that is outside your assumptions, and that completely wrecks the model".

These are the 'black swan' events that result in stock market collapses and value destruction, he says. Research has shown that no fewer than 17 black swans (admittedly not all of the same scale) have come along since Black Monday in 1987.

"That undue reliance on models has caused a problem," he says.

So what can companies do to protect themselves from these seemingly freak events? Semple advises clients to spend more time on scenario planning, which involves - unsurprisingly - working through a variety of unlikely scenarios and examining how the company would be affected, should they occur.

"It forces you out of your normal set of circumstances, outside your existing expectations, outside the model, and helps you to see a potential black swan coming in," he explains. "If you look at enough scenarios, what will begin to emerge are issues that may not have been immediately apparent in the short to medium term."

He also stresses the importance of having what he describes as a "collective determination" among top and middle management, because if management has a unity of purpose, the organisation stands a much better chance of protecting itself from risks and achieving its objectives.

Codes of ethics and conduct in a company also come back to the "tone at the top", he adds. "One of the times where you see 'group think' most often is where you have a very strong, dominant chief executive, for example somebody who might have been responsible for forming the company, developed it very aggressively, poured all his energy into it, has been absolutely charismatic, is the hero in terms of the value creation of the company," he explains.

The danger of having such a dominant character heading up the company is that everyone falls into line too easily, and no one challenges the group consensus.

So where does risk management go from here? "Now, more than ever before, a new approach to risk management is needed - one that is not afraid to challenge previous practices, one that insists on personal accountability at all levels in the organisation," Semple says.

"In this new environment, internal audit will have a vital role to play in ensuring that management improves its treatment of risks in a tangible, pragmatic way."

In addition to ensuring compliance with laws and regulations, and monitoring the reliability of financial reporting, one of the purposes of the internal audit function is to evaluate the effectiveness of the company's risk management processes. However, a new PwC US State of the Internal Audit Profession study indicates that internal audit professionals are now faced with the challenge of doing more for less - new risks are emerging, but budgets are being slashed.

"These survey findings are equally relevant in Ireland as internal audit leaders struggle to maintain services with reduced resources, at a time when risks have increased significantly," Semple says.