Risk management continues to gain in popularity. More organisations are implementing enterprise-wide risk management, and those with more advanced risk management processes are now pushing the boundaries of best practice. This has been done by introducing integrated risk, compliance and audit technology, aligning risk and audit processes and ensuring strategic risk management is an integral part of strategic planning. With all the good work being undertaken by risk managers, there are still a number of myths in risk management that they will need to overcome. Tony Harb and Mitchell Morley, risk management and governance specialists from InConsult, look at strategies that can help risk and governance managers BUST these myths.
Like many disciplines, risk management suffers from a number of myths. These myths influence behaviour and present significant barriers when introducing and maintaining an effective risk management framework.
Myth 1: We have insurance; why manage risk?
Many people still believe that insurance is the answer to managing all risks and that insurance is risk management. Nothing could be further from the truth. Insurance is just one form of addressing risk.
Research by leading insurance broker AON in 2005 concluded that only around 30-40% of risks were insurable. Risks covering investment losses, fraud, reputation, service delivery, operations and budget blowouts are not insurable. Other research by the University of Sheffield concluded that only 25% of risks are insurable.
Let’s be hypothetical for a moment. Let’s assume that the vast majority of organisational risks were insurable and that all adverse events that eventuate can be insured. Now, if we keep making insurance claims, what will happen to your premium the following year? Over time, insurance premiums will increase, and higher deductibles, tighter policy wordings and more exclusion clauses will be introduced.
How reliable is insurance? Talk to victims of the recent Queensland floods who thought they were insured and those HIH Insurance creditors and policyholders who will not be paid their entitlements under their policies.
Bottom line, the majority of risks are not insurable. Insurance is not risk management.
Myth 2: We already have controls in place; why manage risk?
Every organisation has internal control processes, policies and procedures in place, and many people think this is good enough…“she’ll be right mate”!
In reality, organisations like HIH, Enron, Lehman Brothers, OneTel, Ansett and Societe Generale had internal controls and still suffered major losses. Similarly, organisations that lost money in CDO investments or councils investigated by ICAC or sacked had internal controls in place.
Internal controls are an integral part of managing risk, but are no guarantee. Through good risk management, risk owners will continually evaluate, challenge and refine their internal controls to keep them current.
A well-designed control has the following attributes:
- It addresses the risk – reducing the likelihood of the risk and/or the consequence
- It is clearly documented in a policy or procedure
- The responsibility for its execution is clear
- People responsible are trained to adequately execute the control
- It is reliable – no history of failure
In addition, risk owners will need to also identify new and emerging risks and reassess recent incidents as these incidents are early warning signs of potential risks.
Internal Audit will also play a role in validating the existence and adequacy of internal controls to provide a higher, independent level of assurance.
Myth 3: We have enough capital/money to absorb risks; why manage risk?
Some organisations believe they are so large and have so much capital that they can absorb risks. Remember Barings Bank and Lehman Brothers?
Barings Bank had a 233-year history of success and an impeccable reputation with over US$900M in capital. In fact, it was the bank to the Queen of England. The combination of ineffective management oversight of one ‘rogue trader’ and an unforeseen catastrophic event (Kobe earthquake) bankrupted the bank.
Whilst many organisations can boast healthy balance sheets and strong borrowing capacity, a large unmitigated or uninsurable risk could be disastrous.
Understanding your risk appetite and tolerance is critical to overcoming this myth.
Myth 4: We are not risk management experts; why should we have to manage risk?
Managers can often fall into the trap of thinking that risk management is something only performed by the Risk Manager or the Insurance Officer and that they are not risk experts.
Managers, and in particular risk owners, need to appreciate that risk management thinking is not a technical and theoretical discipline but an integral part of good management, just like good communication, good financial acumen and good report writing skills.
The most important message to get across to risk owners is that they are in the best position to identify and evaluate risks and controls. Why? Because the risk owner is at the coal face of activities, they are closest to customers, contractors, suppliers, staff, processes and procedures.
Myth 5: There are no financial benefits in risk management, only ‘soft’ benefits.
Not managing risks will expose organisations to many possible consequences: immediate or long term, direct or indirect, some financial, others moral.
However, some managers may see the process of identifying and evaluating risks as mundane, adding little value and providing little financial benefit – except for maybe reassurance for the risk and audit committee (soft benefit). Some managers perceive risk management as a function that stops things happening, because controls are seen as a burden, an extra cost or a waste of time.
A fundamental issue in risk management is how do you measure the direct benefits of implementing strategies that ‘prevent’ things from happening (controls) and at the same time ‘enable’ organisations to seek opportunities and achieve objectives?
Our view is, at the end of the day, if you identify your objectives, implement processes, manage the risks and you achieve your objectives and exploit opportunities successfully, then that is the benefit! So ultimately, the value or the financial benefit of risk management lies in the financial value of the organisation-wide goals, objectives and strategies that are achieved.
In addition, risk management can deliver the following direct financial benefits:
- Reduce or eliminate inefficient and/or ineffective business processes and procedures;
- Assist in better prioritisation of tasks and allocation of resources; and
- Reduce insurance premiums – One NSW council recently received a $0.5 million rebate from their insurer after putting processes and procedures in place to manage risks.
Guided by the Risk Manager/Chief Risk Officer, it is up to the leadership team to dispel these myths. This should be done through ongoing communication about risk and control, demonstration of commitment to risk management processes, regular risk reporting and monitoring, and recognising and promoting the benefits of risk management when a project/objective has been successfully achieved.