Firms advised to embed risk into decision making with early warning system
By Deloitte
Risk has never been a hotter topic than it is today. In an age of extraordinary uncertainty and turbulence, when scandals and disasters are daily front-page news, no one — and no enterprise — is immune to the potential impact of unexpected events.
Executives and boards are expressing extremely high interest in ways to manage risk more effectively and many are searching for ways to address key questions about risk that have lately come into the forefront of their consciousness. “How prepared is our enterprise for the opportunities and risks that lie ahead? How can we find the unexpected before it finds us? How do we effectively link strategy and risk management?”
We believe that executives and boards can find answers to such questions by practicing risk intelligent enterprise management, an approach that considers risk as a key input into leadership decisions rather than as an outcome to be managed after the fact. Perhaps the best way to describe the concept is to contrast it with the way many companies are approaching enterprise risk management (ERM) today.
“Risk intelligent enterprise management,” unlike many companies’ approach to ERM, treats risk management as an integral part of managing the enterprise’s strategy and operations, not as a separate process.
In such management, executives understand that every action that could create value also carries the potential for risk. They recognize that the discussion of risk and value cannot be separated, and they therefore view risk as a decision driver rather than as a consequence of decisions that have already been made.
Knowing this, they endeavor to make risk intelligent choices that expose the enterprise to just the “right” amount of risk needed to pursue value creation. They consider risk on the front end of every decision they make, both to identify potential threats and to strategically select the risks they choose to take in order to pursue value.
By “building it in” rather than “bolting it on,” risk intelligent enterprise management allows an organization to be both more resilient in dealing with adversity, and more agile in pursuing opportunity.
Who should be responsible for what?
We conceive of the risk intelligent enterprise as having three levels of responsibility with respect to risk management, as depicted in Figure 2. At the apex lies the responsibility for risk governance, including strategic guidance and risk oversight, which rests with the board of directors.
In the middle lies the responsibility for risk infrastructure and management, including designing, implementing, and maintaining an effective risk program, led by executive management. And at the base lies the responsibility for risk ownership, including identifying, measuring, monitoring, and reporting on specific risks, led by the business units and functions.
In such management, activities across all these levels are integrated into a systematic, enterprise-wide program that embeds a strategic view of risk into all aspects of business management, and that gives leaders a clear view into the challenges and opportunities that risk can create.
We think that it’s essential for a member of the C-suite to take a leadership role with respect to risk management — regardless of whether he or she is formally known as the Chief Risk Officer. This executive should chair the enterprise risk group and serve as liaison with the organization’s risk management specialist groups. He or she should receive risk updates from the business units and functions, and escalate significant risks to the enterprise risk group and/or the board of directors as necessary.
Six building blocks
Management and the board should develop a risk philosophy statement that describes, in broad terms, the degree to which the enterprise will seek out, tolerate, and/or avoid risk in the pursuit of the organization’s goals.
One of the core elements of risk intelligent enterprise management is setting a risk intelligent strategy: a strategy that is appropriately informed by the risks associated with both the strategy’s selection (the risks of the strategy) and its execution (the risks to the strategy).
No risk intelligence program can get very far without an in-depth understanding of the specific risks that face an enterprise. That’s why risk identification and assessment is important. Once key risks have been identified, selected individuals, such as business-unit leaders, process owners, and others who may have more in-depth knowledge about particular risks, may assess each risk for its impact, the organization’s vulnerability to the risk, and the risk’s expected speed of onset.
Risk response plans are the organization’s action plans for responding to risks and opportunities that have been determined to be significant. In developing action plans, it is important to understand the contributing factors to each risk and what, if anything, can be done about them.
Risk identification and assessment at the business-unit and functional level can generate mountains of data that do not necessarily give senior executives the insights they need to make risk-informed decisions on an enterprise level. Companies should also identify higher level risks that may arise outside any of the business units and functions.
A “master list” of risks needs to be developed and examined by the executive management team as a whole, and the top several risks — say, the top 10 — that have the greatest potential consequences for the enterprise should be identified.
Risk monitoring and reporting activities supply the entire risk management system with the information that leaders need to practice risk intelligent enterprise management. It’s essential for an organization to develop effective signal detection and interpretation capabilities that can alert leaders that the status of a risk has changed. Such “early warning” processes should track circumstances external to the organization as well as internal performance indicators.
This article was provided by Deloitte Korea