risk services 

 

The Risk of Ignoring Risk – An Introduction

Enterprise Risk Management (ERM) and Business Continuity are areas where Perl can support you.  Risk is a key consideration for any business or organisation.  It allows you to get the most out of opportunities such as new products or starting up in new locations.  It also encourages improvements in all parts of the business that reduce negative risks and uncertainties.  This helps builds resilience, which is essential for long term survival.

Whilst risks can be managed individually, the preferred way of managing them is through Enterprise Risk Management (ERM).  Apart from allowing a structure to be put in place, it helps in considering the complete risk universe, and identifying downside risks that might not be apparent or thought of as likely, as well as management of those risks that have upsides.  In addition, there is the question of Business Continuity when critical adverse events happen.

All businesses face risks and opportunities.  Identifying and managing them is essential, but is often pushed to the back of the queue by more pressing day to day events.  Below are some reasons as to why Enterprise Risk Management should benefit your business and an outline of what it involves.

Enterprise Risk Management (ERM) - Overview

ERM has evolved from a compartmentalised activity to one that should be present in all parts of an organisation, as this has been shown to be the most effective way to manage risks, both the good and the bad ones.

Putting in an appropriate system for managing risks (see below) will inevitably take up the time of key people in the organisation.  This should be more than compensated for by a reduction in the frequency and severity of negative risks and better management of those activities that should benefit the business (see “Types of Risks” below).

An additional benefit of ERM relates to one of the most precious resources in a business.  This is the time of key people who have particular experience and skills.  When things go wrong, they are often the people who have to fix them.  So instead of doing more of what they do to move the business forward, their time is diverted to resolving problems.  Not only do they lose productive time and become worn down by working longer hours, they are also likely to get increasingly stressed, reducing their efficiency, productivity and job satisfaction.  An appropriate level of ERM, apart from reducing the impact of negative risks and optimising the risks you want to take, also helps your key people contribute more to the business in a healthy way.

Types of Risk

Hazard risks:  Risk Management started as something that principally looked at negative risk events that impacted the business such as a fire, IT failure due to power outages, death of a key individual etc.  These risks are termed “hazard risks” and today can often be covered by insurance.

Control risks: these are sometimes called Uncertainty Risks and are the most difficult to identify and define, but are often associated with projects.  Normally these cannot be covered by insurance, hence the need for the organisation to have its own controls in place.

Compliance risks: these focus on complying with legislation and regulations; if you import electrical goods, they need to comply with required standards/legislation; then there is health and safety for employees, professional standards and more.

Opportunity risks are risks that have an upside (hence not often thought of as risks), but can also have a downside. Examples of this are acquisitions, opening new offices and installing new computer systems.

With the pace of change increasing, driven by globalisation and technology, risks that an organisation faces and their possible frequency and severity are growing, making ERM even more essential.

Elements of ERM

There are three key elements to ERM which are:

  1. The Risk Management Framework
  2. The Risk Management Principles
  3. The Risk Management Process

For any ERM system to work properly, apart from support at board level, it needs acceptance by all those in the business.  To do this it must be proportionate and not too time consuming or complicated or detract from entrepreneurship and creativity.

Risk Aware Culture

Proper implementation of ERM leads to a “Risk Aware Culture” which has the following attributes:

  • Strong Leadership
  • Involvement of all stakeholders
  • Learning – Training in risk management procedures and learning from events
  • Accountability – appropriate accountability for actions, but with an absence of an automatic blame culture
  • Communication and openness on all risk management issues and the lessons learnt

If you look at “Knowing” which is part of identifying and evaluating risks, there is:

  1. What we know we know
  2. What we know we don’t know
  3. What we don’t know we don’t know
  4. What we think we know, but don’t! (possibly the worst)

The reason for mentioning this, is that ERM helps in particular with points 3 and 4 above.  As an example, if unbeknown to the directors, a subsidiary of which they are a director employs illegal immigrants, in some countries they could personally be subject to criminal charges.  Directors are also not always aware of circumstances where they can be held personally liable.  They might think that they are safe because they are not officially a director.  In certain jurisdictions, like the UK, if you behave like a director, you can be deemed a “shadow director” and therefore treated as if you were a real director.  Naturally the likelihood of such risks increases as you start doing business outside your home country as knowledge of other governing laws could well be less.

The other part of a risk management system is awareness.  This is helped by an ERM structure, so that a breach of key protocols or standards can be properly escalated rather than suppressed, as is sometimes the case.  This firstly allows a judgement to be made as to whether there was a breach; secondly it allows the issue itself to be dealt and reviewed to see whether changes can be made to minimise a recurrence and its impact.

ERM systems by their nature often improve the quality of communication and information in a business, as a result of identifying/acknowledging, assessing, monitoring and reviewing the risks.  This is part of a continual feedback loop that helps the organisation learn and change where necessary.

Risk Impact

Because of how risk management developed, it tends to quantify risk in financial terms, irrespective of the ultimate effect of things going wrong or right.  Normally looking at an organisation the impact of risks can best be assigned as follows:

  1. Financial
  2. Infrastructure
  3. Reputation
  4. Marketplace

Financial quantification always seems more objective and that is one of the reasons it is preferred even when it is not the best or even an appropriate measurement.  The death or serious injury of someone in an organisation might have a monetary value due the laws or accepted practice, but for the person or their family it can rarely truly compensate for the event.  The last two, Reputation and Marketplace, are particularly difficult to quantify when considering generic risks in that area.  The damage to the business normally starts with the financial cost, but depending on the incident that can be the smallest part with the organisation’s reputation and image suffering, in some cases, irreversible damage.

Summary

We can help you assess the risks in your business and look at the ways they can best be managed.  This will naturally depend on both your organisation’s tolerance for risk and the level of risk you are happy to accept.  Better management of the internal and external risks your business faces should not only benefit the business, but those in it and those with whom it interacts.

 

 

 

Location

 

Perl Advisory LLC is based in Zurich, but also operates out of London.

 

Mobile

+41 76 529 58 55

Get in touch

Use the form below to send us an email:

12 + 10 =