Irrespective of the size of your organisation, you are exposed to risks that could prevent you from achieving your business objectives or lead to significant financial losses. Some companies, particularly SMEs, consider risk management unnecessary, as if they were immune to risk exposure or to unexpected events that could cause financial losses. They also think it uneconomical to put resources into risk management and prefer to focus solely on revenue, profitability and growth. Contrary to this perception, the fear of incurring risk, or the attempt to ignore managing it, will eventually inhibit business growth. Moreover, SMEs with a smaller capital base and risk capacity are generally more vulnerable to the adverse impact of unexpected events, and therefore have a more pressing need to be well equipped for managing business risks. Large corporations may have a risk management process in place and generally a bigger risk capacity, but they may be less flexible or agile.
This article describes how to build an agile, risk-aware organisation with a strong control culture by implementing an Enterprise Risk Management (ERM) process that deploys a Plan-Do-Check-Act (PDCA) method. The process involves planning -> risk identification and analysis -> implementation of controls and mitigations -> checking and monitoring the effectiveness of controls and risk mitigation measures -> revising the plan of action where necessary; the steps are then repeated for continuous improvement, fine-tuning and monitoring.
Implementing ERM involves a change management exercise to upskill the organisation’s capability for managing risks, increase the organisation’s understanding of its own strengths and the areas where improvement is required, and cultivate a stronger control culture and discipline for implementing risk mitigation actions and monitoring business performance. For more information on ERM implementation, please refer to How to setup Enterprise Risk Management (ERM) process in your organisation.
Key elements of organisation agility
- Agility means being adaptable and flexible, able to change quickly and succeed in a rapidly changing and turbulent environment. Speed, responsiveness and dynamism are the key elements of agility.
- Agility is not incompatible with a structured, well-controlled environment. Quite the contrary, agility requires good control discipline to ensure planned actions are efficiently and effectively executed, with deviations from plans promptly identified or flagged for rectification.
- Adopting a PDCA method that continuously monitors and improves the efficiency and effectiveness of business processes, and that strengthens the planning process with the ability to quickly and dynamically reallocate resources and re-prioritise actions, is another important element of organisational agility.
How to promote a risk aware culture in your organisation
A risk aware culture can be cultivated under the following areas:
1. Tone from the top
Establish a risk management governance structure in which senior management and the Board set the tone for the importance of risk management, so that risk management is seen as an important element of corporate governance and forms an integral part of all of the organisation’s business processes.
2. People / Mindset
- Risk Management should be recognised as the responsibility of every employee in the organisation.
- Employees’ attitudes should shift from reacting to unexpected events to being responsive and proactive, seizing opportunities as well as managing risks.
- Recognise important interrelationships among risks, break down organisational silos, increase collaboration between departments to assess and manage risk interactions.
- Establish an ERM process with policies and procedures, systems and tools that facilitate the discussion and communication of risks and their treatment; promote the identification of emerging risks; and integrate risk management into business planning, strategy development, project implementation, investment decisions and daily operations.
- Create a risk management function or center of excellence for risk management in the organisation that manages the implementation of all aspects of the ERM process; provides guidance and advice on the identification, assessment and treatment of risks; and performs risk management training to upskill the knowledge and capability of risk management in the organisation.
- Establish a risk management structure with clear roles and responsibilities and assign ownership for identified risk items.
- Appoint risk managers or coordinators, one for each business unit or function, to support their respective risk owners (the heads of the business units or functions) in identifying risks and in determining and coordinating the implementation of risk treatments for their business unit or function.
ERM process with Plan-Do-Check-Act (PDCA) – How it all works together
The PDCA approach helps to improve the agility of the organisation, enhances its problem-solving capability, promotes collaboration amongst operational and functional teams for prompt discussion and feedback, and requires the organisation to adjust its plans swiftly in response to the changing business environment. Combining this approach with the ERM process means that risks can be promptly identified and effectively treated. The following shows how planning, internal control and risk management work together with the PDCA approach to build an agile, risk-aware and control-focused organisation:
- Have a robust planning process that sets business goals and objectives.
- Establish and communicate clearly the targets and accountability for the achievement of business objectives.
- Incorporate risk management into the business planning and strategy development process.
- Develop control and mitigation plans to bring risks down to acceptable levels.
- Execute planned actions and business activities in accordance with established company policies and control procedures.
- Implement the additional controls and mitigation actions which are identified during the risk management process.
- Monitor the effectiveness of business execution and controls such that deviations from the set objectives and targets are promptly spotted and rectified.
- Perform regular reviews of the effectiveness of the internal control and risk management processes, pinpoint areas for improvement and develop plans to address them.
- Determine the causes for the deviations and identify solutions to rectify the deviations.
- Adjust the plans, reallocate resources, re-prioritise actions, and revise the control procedures and/or risk responses where appropriate. For example: if the cause of a deviation is poor execution and controls, enhance the process and revise the control procedure to rectify the control deficiency; if it is due to over-aggressive or over-optimistic targets, then revise the plans, milestones, targets and budgets.
- Work on the continuous improvement of the internal control and risk management processes.