Managing risk: beyond audit compliance
Steve Fowler explains how management systems standards are just one element in effective risk management
The management of risk is both a structured discipline with standardized procedures and a collection of skills and aptitudes. This hybrid nature is its main strength but it means that risk management audits need to go beyond simple compliance.
There are several recognized standards covering the risk management process, most recently ISO 31000 and BS 31100. In the UK, the Institute of Risk Management, the Association of Insurance and Risk Managers and Alarm, the public risk management association, have also developed their own simple guide to risk management for non-experts. Available online, it has received wide acceptance and has been translated into several languages.
Standards on their own, however, do not make risk management. They have to be implemented and coordinated across the organization, or, to use the risk management term, ‘embedded’. Today, many businesses are sprawling, multi-national and multi-operation organizations that are constantly evolving. To be effective, the risk manager must be able to break down barriers to communication across the organization and respond to changing circumstances.
In principle, risk management is a process of identifying, measuring, assessing and treating risk. Traditionally, this meant dealing with clearly identifiable operational threats – primarily fires, thefts, fraud, employee injuries and motor accidents – that could cost the business money. Treatment involved physical measures to reduce the exposure and insurance to mitigate the financial impact.
Gradually the approach has become more sophisticated so that risks are now looked at in terms of measurable uncertainties that may have positive or negative results. Risk management encompasses a much broader spectrum of exposures such as supply-chain risks and consequences, including damage to corporate reputation.
As a discipline, risk management has developed various methods for identifying and measuring risks, often drawing on techniques used in highly structured disciplines like engineering. They may categorize risks by their probable frequency and likely severity of impact or identify barriers to sequences of events.
The management of treasury risks and risks related to financial services, such as investments and insurance underwriting, largely remains a separate, more quantitative discipline, often subject to specific regulation.
Enterprise risk management
At the same time, the underlying principles of treasury, operational and even entrepreneurial or voluntary risk management are the same and business owners want them all to be well managed. This includes the identification of any correlations between them.
As a result, the theory of enterprise risk management was developed and codified under rules such as the US COSO system and the UK’s Combined Code. These codes require companies to implement procedures to control internal risks. Compliance with a recognized risk management standard, for example BS 31100 or ISO 31000, is likely to form part of this process, together with the required public disclosure.
Confirming compliance with a standard will not, on its own, provide assurance that the organization manages its risks effectively. Because there is inherent uncertainty in any process, line managers are in the front line of identifying, assessing and treating risk, and treatment may mean escalating to a more senior manager for further consideration.
The corporate risk manager often resides in a small, central function and cannot know everything that comes up in subsidiaries and operating units thousands of miles away. He or she has to work with line managers and act as a conduit to senior management. This is where soft skills are so important. Leadership, tact, negotiation and communication skills all make the difference between a risk management professional who really adds value to the organization and one who is good at dealing with known threats but may not be aware of developing issues or opportunities.
Processes are important in risk management but what matters most is the way they are put into effect. The best risk managers are good with people and have training and experience in risk management. Standards have a useful role to play, but auditors should take note of the context in which they appear to see if risk management is truly effective.
About the author
Steve Fowler is CEO of the Institute of Risk Management, a professional education body that offers a post-graduate International Diploma in Risk Management.
E: steve.fowler@theirm.org

