
Critical Steps to a Robust Risk Management Program

Shahad Alfarraj

Our market climate is continually changing: technologies advance, regulations are updated, competition increases, and demand evolves. Effective risk management enables businesses and individuals to adapt to these changes and respond to new market conditions.

Recent headline events, including the Volkswagen emissions deception, Wells Fargo's fraudulent sales practices, and Dwolla's penalty from the Consumer Financial Protection Bureau (CFPB), illustrate powerful motivators for a vital risk management program. Key to a robust plan is reducing stressful and catastrophic surprises and having effective mitigation measures in place.

For example, when Plains All American Pipeline failed to detect corrosion in its pipeline, the result was a 3,000-barrel oil spill and millions of dollars in fines. The deterioration went unnoticed because the company did not assign adequate inspection resources and did not maintain the processes and systems needed to stop a problem from progressing to an emergency.

Risk management best practices should have underpinned the company's standard procedures, and regular assurance over those procedures would have helped prevent the disaster from occurring.

Complying with regulators like the SEC and CFPB 

The Securities and Exchange Commission (SEC) is a U.S. government agency that oversees securities transactions, the activities of financial professionals and mutual fund trading in order to prevent fraud and intentional deception. The SEC consists of five commissioners who serve staggered five-year terms. The Consumer Financial Protection Bureau (CFPB) is a regulatory agency charged with overseeing financial products and services offered to consumers. The CFPB is divided into several units: research, community affairs, consumer complaints, the Office of Fair Lending, and the Office of Financial Opportunity.

Dwolla, a small private e-commerce and online payment company, was penalised by the CFPB for inadequate data security practices, which the regulator treated as negligent risk management. The catch is that Dwolla had not suffered a data breach, and none of its customers' data had been compromised. The CFPB fined Dwolla $100,000 as part of its increased focus on companies' existing prevention strategies rather than only on incidents that have already occurred.

Regulators are no longer merely targeting companies that have encountered risk management incidents; they are examining the risk management framework itself and how it is implemented. This approach appears intended to build greater resilience into a company's business model and, ideally, ensure that fewer incidents occur. Companies need to pursue a strategic approach rather than hope to get by.

An independent peer-reviewed study, "The Valuation Implications of Enterprise Risk Management (ERM) Maturity", published in the Journal of Risk and Insurance, found that companies with mature ERM systems (as described in the RIMS Risk Maturity Model) earn a 25% corporate valuation premium over those without.

Risk management does not have to be a burdensome addition to day-to-day responsibilities. It can support controlled simplification, increase operational transparency and reduce the impact of adverse events. A simpler and more resilient business model allows more resources to be spent on value-adding activities, such as product development and client relations.

Checklist for evaluating your risk management efforts

A better question than "Does my organisation perform risk management?" is "How effectively does my organisation identify and mitigate risks?" The following checklist outlines characteristics common to effective risk management programs. Your organisation should prioritise development in these areas.

1. Efficient governance of risk management 

In their risk oversight role, boards are responsible for the material impact of a risk, whether its cause lies at the executive level or on the front lines. The SEC treats not knowing about a material risk as negligence, which carries the same penalty as fraud.

  • The Board must monitor the efficacy of the company's risk management process to verify that it covers all levels and business areas.
  • Internal auditors must independently ensure that the Board is aware of any material risks.
  • All material risks must be reported to shareholders, along with evidence that they are being successfully mitigated.

2. Performance management and goal management

  • Break corporate objectives down into the contributions expected from each business unit.
  • Identify the business processes within each business unit that lead to its target.
  • Cascade targets to all front-line managers in terms of the processes they contribute to.
  • Aggregate assessments and establish links between contributing business processes.

3. Consistent risk identification and prioritisation

Risk assessments should answer more than high-level questions. Effective reviews drill into risk events, discover the root cause, and challenge and "drive" risk management. Periodic and repeatable risk assessments should be aligned to the inherent risk in the operating environment and

4. Actionable risk tolerances

Risk appetite is a high-level statement that acts as a reference point for strategic decisions. To be actionable, it should be paired with its quantitative cousin, risk tolerance: the measurable thresholds within which key performance targets and risk metrics are expected to stay. Risk tolerance is a vital monitoring technique for those targets and metrics.

5. Centralised risk monitoring and control activities

Risk managers need to do more than design systems that identify risks and respond to them appropriately. A crucial third component, monitoring, verifies the effectiveness of risk management. There are a few essential points to bear in mind to make monitoring effective:

  • Adapt risk assessment over time (spend less time on risks whose scores are decreasing).
  • Reduce testing by identifying where a single control can serve several risks (increase organisational efficiency).
  • Link risks and activities to determine which processes need to be monitored (primary concerns and initiatives).
  • Create and monitor appropriate metrics (discover concerning trends before they affect the organisation).

6. Forward-looking risk and goal reporting and communication

To continue funding the company's risk management program, the Board needs evidence that the program is succeeding. Before reporting to the Board, risk managers should ask two fundamental questions:

  • How might the identified risks affect the Board's strategic objectives and critical concerns?  
  • Which metrics or trends validate the program's effectiveness?  

These items are just a starting point for an analysis of your organisation's program. 
