Breaking the industry mould
“It is time to stop minding our “P’s” and “Q’s” when it comes to Risk Management and start managing risk,” says Gareth Beaver, CEO of Centriq Insurance.
Intuitively we all know that managing risk within a business is what doing business is all about. Therefore, as a small business turns into a very large enterprise the practice of managing risks will need to evolve. This needs to happen in order to ensure that the complexity of the business, as well as the vast amount of potential exposures a large organisation faces, are understood and effectively managed within acceptable limits.
These days risk management can be seen as an industry on its own. Financial services companies have built massive departments around the risk management function, whilst boards and specific risk management committees sacrifice thousands of trees every year to successfully convey, address and debate the subject matter in detail.
All of this, and yet the financial system of the world nearly came to a grinding halt back in 2008 with massive ramifications and the near possibility of throwing our world into absolute turmoil and anarchy.
Tied down in debates
More recently, French bank and financial insurer BNP Parabis, notified its stakeholders of a 10-billion dollar fine over certain regulatory breaches, and a further possible sanction which would ban the organisation from trading US dollar currency. This could result in lost revenue that is equal to an amount which is multiples of the actual fine imposed. There are many more examples of similar situations doing the rounds.
We need to engineer the practice of risk management appropriately. We are so tied down in debates as to what we should label our risks, and we spend a tremendous amount of man hours and consulting costs trying to calculate the overall financial impact of an event in order to finally rate it as a high, medium or low risk.
My team and I were recently challenged by a non-conformist risk management practitioner about how we go about managing risk in the business. He made us take a step back and look at how we had expressed, classified, and managed our risks relevant to our risk appetite and so on. It dawned on me that we had fallen into a trap as we were ticking text boxes and responding to the templates that had been drawn up by risk practitioners and regulators, however our risk registers and risk mitigation activities did not tie back to our risk appetite statements at all.
Taking pro-active steps
Following this “aha” moment, we sat around the table with our business heads, tossed out the existing templates and formats that would normally govern our thinking, and discussed and talked about the real risks that should concern our stakeholders.
We described the risks in layman’s terms and worried less about what to label it as. We focussed on the reality and implications of determining our risk appetite for such risks, and then spent quality time on determining what we need to be doing more pro-actively in terms of mitigating those risks within our stated risk appetite. Needless to say, this fresh approach to risk management generated great practical results.
It will serve every business executive in this country well to ask themselves whether they have gotten too comfortable outsourcing the management of risks to the risk management department. Templates and tick box exercises imposed onto business executives keep us out of the real business of managing risks, which is in fact our real business responsibility.
So let us get risk management back to where it should be, which is at the heart of the business, owned by business executives and not stifled by all the stuff that comforts risk management committees and the likes whilst real business failures continue to happen on an all too regular basis these days.
