It is not by chance that several regulatory bodies from various sectors of the economy are directing organizations, whether public or private, to have a structured and effective risk management process.
Integrated and structured risk management is fundamental to effective corporate governance: it allows the company to achieve its strategic objectives, optimize the capital applied in the organizational structure, and create value for its related parties.
Very well: if we agree that risk management is important to the business, why is there so much resistance from management to implementing it?
In my opinion, the answer centers on managers' lack of knowledge about what risk is and how to manage it. This is natural, since the subject is not given due importance, at least here in Brazil, in our university education system. Moreover, within organizations, risk management is seen as a "bureaucracy" that generates processes.
Some organizations resist because of a past negative experience with the process, a consequence of their inability to implement and/or manage the risk management process.
Some professionals believe that risk management boils down to a few spreadsheets to fill in. Others make the process so complex that they turn what should be natural into a managerial nightmare.
How many risk management implementations begin and never finish, through sheer ineptitude of the corporation, wasting time and money. Worse, this aggravates the situation, because unsuccessful processes create even greater resistance in the future.
Managing risks should be part of the organization's culture, and decision-making should be based on a judicious process of identifying and assessing the inherent risks. For this culture and risk awareness to exist, it is essential that managers and/or decision makers be proficient in identifying, evaluating and treating risks.
Needless to say, implementing risk management has a strong impact on company culture, requiring changes in behavior and in the management model, and, as usual, any change generates resistance which, if not well managed, jeopardizes the success of the implementation.
To increase the chance of success, we recommend that the institution have on its staff a team of professionals specialized in internal controls, responsible for supporting managers in carrying out their activities in this process.
It is also fundamental to prepare a project that defines the main points to be observed and considered in the implementation process, thus reducing the chances of failure.
Let's look at some points that I consider success factors for the design of the project:
- Define the team responsible for building and conducting the various deployment phases. My suggestion is a multifunctional team, led by the internal controls experts.
- Determine who the sponsors will be. It is imperative that top management be committed to the process, and they should be the main sponsors.
- Work on the language. Try to use the language that already exists in the corporation, and create a glossary for the new terms that will be introduced. This reduces resistance born of ignorance.
- Construct the risk measurement legend. Risk must be measured in a matrix of probability and impact, which should be as objective as possible, so that everyone in the company reads a risk the same way. Reducing subjectivity saves precious time in the process.
- Plan the organization's awareness-raising process. The more knowledge people acquire, the greater their commitment to risk management will be. My suggestion is to work through "workshops", discussing the concepts and their applicability with the various managers.
- Identify and determine the best methodology, tools and working format for the process of identifying, assessing and treating risks (inherent, IT and fraud). The simpler it is, the better for the acculturation process.
- Define a framework as a paradigm; the most widely used are the COSO ERM framework and ISO 31000. I particularly prefer COSO ERM, which is under review by COSO at this point but is still good practice. In the end, both talk about the same thing.
- Have a timeline with start and end dates; plan, and follow the plan. If it is not possible to do everything at once, work in stages.
- Define who will join the process and at what level. The more of the process that can be done through people, the better. It may take longer, but my experience shows that in the end the result is more effective. Remember that those who manage risks are the managers, and the more committed they are, the better for the risk culture.
- Determine which risks will be identified first: strategic, operational, or both. Remember that this will depend on available resources. It is a good idea to carry out the process in phases, finishing each phase before starting the next. Most of the time we start with operational risks, which helps to create solid foundations.
On average, in our experience, preparing a project takes from 3 to 6 months, depending on the time the team has available to work on the subject.
Finally, do not neglect the stage of drafting the project. It can make all the difference, since it is precisely the stage where you manage the risk that this process does not happen.