Risk management. This is defined as the identification of events, both internal and external, that can affect the organisation’s ability to achieve specific objectives and to remain compliant with specific regulations. Risk management is carefully outlined in King IV as being inseparable from the company’s strategy and sustainability. King IV also points out that the board has to disclose how it has satisfied itself that its risk assessments, responses and interventions are effective. In short, risk management is not a box-ticking exercise; it is a critical component of an organisation’s foundation that has to underpin every action and reaction.
When defining a risk management strategy, the organisation should consider four core elements: risk appetite or tolerance, risk culture, risk capacity and risk strategy. Risk appetite or tolerance indicates how much risk the organisation is prepared to accept; the risk culture defines the overall approach to risk; risk capacity is the maximum amount of risk the organisation can accept; and risk strategy defines how the organisation manages its risk processes. Into this complex calculation enters the chief risk officer (CRO), or whichever title is given to the individual responsible for risk management in the organisation. Their role is all about putting the risk into its place and perspective.
The CRO, or equivalent, is expected to align risk appetite with business strategy alongside growth, return, decision making, optimisation of operational efficiencies, employee support, opportunity management, cost management and a continuous risk process. And that’s just the start of the job checklist. It’s not an easy position to step into, but it is one that allows the organisation to gain a more confident grasp of its risk profile and potential for growth.
The CRO provides the expertise, abilities and responsibility required to manage the company’s overall governance, risk management and compliance with regulations. If a company appoints a CRO, then it’s pretty clear that it’s serious about governance, risk and compliance (GRC), and about creating an internal culture that’s capable of maintaining it. Considering how rapidly the regulatory environment changes, the CRO is the wheel that steers the organisation around the potholes of compliance and ensures that it is protected by a broad range of GRC policies and procedures.
The value of having a CRO is that this highly qualified management professional is on constant alert for risk. Their entire role revolves around GRC, wrapping it in modules and procedures designed to reduce risk, while always remaining alert for any risks that may arise or new trends in this arena. As the CRO manages and mitigates these risks, they can guide the enterprise towards optimal performance in a rapidly changing digital era. The CRO ensures that the right people get the right information at the right time for the right objectives. They ensure the right actions and controls are in place to address uncertainty and to act with integrity, and their consistent vigilance can potentially reduce costs and the duplication of activities. This reach and engagement throughout the organisation can also improve the quality of information and how well it is managed and shared.
However, there is a flip side. When a company doesn’t invest in a CRO or equivalent, it can itself introduce risk. The processes that govern GRC become uncoordinated and duplicated, and risk management procedures end up being planned and managed in silos. This can potentially increase risk, introduce duplication of effort, and cause costs to spiral out of control.
Alongside the CRO, the use of standardised approaches to risk management such as that outlined by the Institute of Risk Management (IRM), and the application of standardised processes, there is also technology that can support risk management within the organisation. The solution best suited to the organisation will depend on its size, market exposure and industry, for example, and will need to align with the overall business strategy and its objectives. An IT GRC solution enables companies to form a standardised framework for the GRC strategy, supports the CRO in the implementation of their role, and can help with the control of risk throughout the organisation’s lifecycle.
However, technology is not the cure for all risk ills. It is one more part of a robust framework that requires a shift in corporate culture, commitment from the executive, a solid GRC strategy, and a solid CRO to lead it. That way, any organisation can build intelligent solutions and systems designed to minimise risk while supporting growth.