If you haven’t seen it, this ACCA paper from last year has some excellent content, observations, and advice on the balancing of risk and reward, the role of business ethics, and more.
Here are some of my favorite bits, with special emphasis added for the best parts:
- It is clear that risk has not been addressed with sufficient respect or understanding by institutions. The link between risk and the rewards earned by individuals was not given sufficient consideration, and the risk function itself was undervalued, and too far down the corporate pecking order to be effective.
- Risk can never be eliminated from business, and it would be wrong for regulators or governments to think they can do so. Risk creates opportunities and should be managed, not removed.
- During the banking crisis, organisations failed which were previously thought to have had leading-edge risk management functions. This means that we need to re-evaluate the whole area of risk management. Its quantitative methods imply more accuracy than may be reasonable; conventional approaches to it are flawed. The usual approach to risks is to address them one-by-one, whereas in practice they tend to constellate. Risks are often considered in isolation from other aspects of the business, whereas they should be balanced against the potential rewards. And risks are usually thought of as particular events, rather than as potential causes which could give rise to a variety of unwanted effects. As in medicine, it makes sense to treat the causes not just the symptoms.
- Risk management appears to have risen up the corporate agenda, but this is not always reflected by increased budgets. And while there are reported improvements in risk, governance and controls, much remains to be done.
- There is also a widespread view in the financial and other sectors that risk will be ‘put back in its box’ once the crisis passes and normality can resume.
- In any analysis of the risks that bring organisations down, or come close to it, the root cause is usually identified as something to do with corporate culture.
- Risk management is sometimes seen as a hindrance rather than a help to business success. Sometimes this will be because risk management is not practised properly.
- Effective risk management comprises the following:
  * Understanding the control environment, including the competence of the board and staff, the culture, key motivators and the ethical climate.
  * Understanding the company’s strategy and purpose and the associated risks.
  * Understanding of the business model, the value drivers, the systems and their associated risks.
  * Balancing risk against reward.
  * Efficient business processes, including management and financial reporting systems.
  * Compliance with relevant requirements.
  * An appreciation that risk management is not about managing individual risks, but about understanding patterns of risk and how they are interrelated.
  * Understanding all the significant risks threatening, or potentially threatening the company, including those which might kill it.
  * The board and the company’s attitude to risk and their willingness to accept it.
  * The ability to manage risks so they are within limits of acceptability.
  * A process of feedback involving monitoring and learning, so that strategic and other key decisions are taken only where the risks are understood and acceptable.
  * In any complex large organisation, an independent assurance function that gives objective assurance, to the board or the non-executive directors, on each of the above elements.
  * The board having ownership of, and strong commitment to, risk management, including a clear understanding of the above elements.
- A holistic understanding of risk is essential. If we liken a company to a 50-floor building, it is important that risk is considered at each floor. The best view of risk will probably be gained from the top floor or the roof, but problems could also exist below ground. Other risks can arise from activities on each of the floors. It is important to know who and what you let into the building. It follows that risk should be considered across the whole organisation and taking into account its place in the environment.
What are your favorite bits? Perhaps you like the discussion of business ethics and the relationship between ethics and performance.