Do you manage risk or do you perform risk management?
Are successful business people born with the risk management skills that others have to learn through education and professional experience? Philip Tillman, honorary treasurer for the Institute of Risk Management South Africa (IRMSA) executive committee, offers some insight.
Firmly in the YES camp are those who consider risk management a subconscious exercise of commercial awareness that enables business leaders to balance the countless contrasting aspects of a business, in order to stay on track and achieve success. These include: revenue versus cash flow, discounting versus branding, contractors versus employees, commitment versus flexibility, market share versus profitability – and many more.
Positioned in the NO camp are those whose role includes the phrase “risk”. These individuals would argue that risk management requires a set of skills and attributes, which can only be learned through a combination of education, experience and consultation.
They also believe that risk management requires the embedding of processes into an organisation, which systematically identify and manage risk, and that an individual cannot do this by intuition, or without investment.
Which perspective is correct? Is it possible that both camps could be right, and that good risk management is in the eye of the beholder? Or is there a single truth … the holy grail of risk management?
The Australian/New Zealand perspective on risk management might lean towards the YES camp. Their standards perceive risk as the effect of uncertainty on an organisation’s objectives. They lean heavily towards the importance of knowing your risks and the context in which they exist, with a relatively low emphasis on the analysis of the risk itself.
By contrast, the long-standing view of the Committee of Sponsoring Organisations of the Treadway Commission (COSO) implies that good risk management requires a systematic approach, and that the absence of a structured approach might impede the entire process from being effective.
Structured or flexible, insight or foresight, analytical or intuitive, collaborative or siloed; every organisation has an appetite for the importance of risk management in its particular context, and this normally depends on who has the most to lose.
Where all the standards tend to agree is that risk management is a sub-process of governance, which means its objective is to protect the interests of stakeholders. The maturity of an organisation’s risk management can often be “guesstimated” by analysing its controlling stakeholders – he who holds the power.
A business that is still under family control (whether listed or otherwise) rarely commits significant dedicated resources to the process of risk management. While the company’s annual report often has pages dedicated to company governance (for the unselfish purpose of maintaining share price), a glimpse below the surface will expose this as lip service being paid to a different regulatory requirement. Often these organisations can be identified by large common shareholding and simultaneous boardroom control.
A business that is majority-owned by a large number of shareholders – such as a listed entity or public entity – frequently takes a different view of the importance of risk management.
While the governance section of its annual report is indistinguishable from that of the family-controlled business, a more in-depth look will provide a very different view. Such an organisation will have strong board and subcommittee structures, which include a separate risk management and audit committee, and management will report to this committee as part of the performance plans. Risk management is considerably more systematic and embedded into the culture … the benefit of which is still unquantifiable and subject to debate.