Unlocking the routes to risk mitigation through best practice and intelligent process
By Simone de Freitas, Group Accountant at CRS Technologies
Risk management. This is defined by the identification of events, both internal and external, that can affect the organisation's ability to achieve specific objectives and to remain compliant within specific regulations. Risk management is carefully outlined in King IV as being inseparable from the company's strategy and sustainability. King IV also points out that the board has to reveal how it has satisfied itself that its risk assessments, responses and interventions are effective. In short, risk management is not a box-ticking exercise; it's a critical component of an organisation's foundation that has to underpin every action and reaction.
When defining a risk management strategy, the organisation should consider four core elements: risk appetite or tolerance, risk culture, risk capacity and risk strategy. Risk appetite or tolerance indicates how much risk the organisation is prepared to accept; the risk culture defines the overall approach to risk; risk capacity is the maximum amount of risk the organisation can accept; and risk strategy defines how the organisation manages its risk processes. Into this complex calculation enters the chief risk officer (CRO), or whichever title is given to the individual responsible for risk management in the organisation. Their role is all about putting the risk into its place and perspective.
The Chief Risk Officer (CRO), or equivalent, is expected to align risk appetite with business strategy alongside growth, return, decision making, optimisation of operation efficiencies, employee support, opportunity management, cost management and continuous risk process. And that's just the start of the job checklist. It's not an easy position to step into, but it is one that allows the organisation to gain a more confident grasp on its risk profile and potential for growth.
The CRO (Chief Risk Officer) provides the expertise, abilities and responsibility required to manage the company's overall governance, risk management and compliance with regulations. If a company appoints a Chief Risk Officer, then it's pretty clear that it's serious about governance, risk and compliance (GRC), and about creating an internal culture that's capable of maintaining it. Considering how rapidly the regulatory environment changes, the CRO is the wheel that guides the organisation around the potholes of compliance and ensures that it is protected by a broad range of GRC policies and procedures.
CRO manages and mitigates risks
The value of having a Chief Risk Officer (CRO) is that this highly qualified management professional is on constant alert for risk. Their entire role circles GRC, wrapping it in modules and procedures designed to reduce risk, while always remaining alert for any risks that may arise or new trends in this arena. As the CRO manages and mitigates these risks, they can guide the enterprise towards optimal performance in a rapidly changing digital era. The Chief Risk Officer (CRO) ensures that the right people get the right information at the right time within the right objectives. They ensure the right actions and controls are in place to address uncertainty and act with integrity, and their consistent vigilance can potentially reduce costs and the duplication of activities. This reach and engagement throughout the organisation can also improve the quality of information and how well it is managed and shared.
However, there is a flip side. When a company doesn't invest in a CRO (Chief Risk Officer) or equivalent, it can potentially introduce risk. The processes that govern GRC become uncoordinated and duplicated, and risk management procedures end up being planned and managed in silos. This can potentially increase risk, introduce the duplication of efforts, and cause costs to spiral out of control.
Alongside the CRO, the use of standardised approaches to risk management such as that outlined by the Institute of Risk Management (IRM), and the application of standardised processes, there is the technology that can support risk management within the organisation. The solution best suited for the organisation will depend on its size, market exposure and industry, for example, and will need to align with the overall business strategy and its objectives. An IT GRC solution enables companies to form a standardised framework for the GRC strategy, supports the CRO in the implementation of their role, and can help with the control of risk throughout the organisation's lifecycle.
However, technology is not the cure to all risk ills. It is another part of a robust framework that requires a shift in corporate culture, commitment from the executive, a solid GRC strategy, and a solid CRO (Chief Risk Officer) to lead. That way, any organisation can build intelligent solutions and systems designed to minimise risk while supporting growth.