Risk management - critical success factors in its implementation

It is not by chance that several regulatory bodies from various sectors of the economy are directing organizations, whether public or private, to have a structured and effective risk management process.

Integrated and structured risk management is fundamental to the effectiveness of corporate governance, which allows the company to achieve its strategic objectives, optimizing the capital applied in the organizational structure and creating value for the related parties.

Very well, if we understand that risk management is important to the business, why is there such resistance by management to implementing it?

In my opinion, the answer is centered on managers' lack of knowledge about what risk is and how to manage it. This is natural, since this subject is not treated, at least here in Brazil, with due importance in our university education system. Moreover, within organizations, risk management is seen as a "bureaucracy" that engenders processes.

Some organizations create resistance because of past negative experiences they had with the process, a consequence of the inability to implement and/or manage the risk management process.

Some professionals believe that risk management boils down to having only a few spreadsheets to fill in. Others make the process so complex that they turn what should be natural into a big managerial nightmare.
How many risk management implementation processes begin and do not finish, through sheer ineptitude of the corporation, wasting time and money? Worse, this aggravates the situation even further, because unsuccessful processes create greater future resistance.

Managing risks should be part of the organization's culture; decision-making should be based on a judicious process of identifying and assessing the inherent risks. For this culture and awareness of risk to exist, it is essential that managers and/or decision makers have proficiency in the process of identifying, evaluating and handling risks.

Needless to say, the implementation of risk management has a strong impact on company culture, requiring changes in behavior and management model and, as usual, any change generates resistance, which, if not well managed, jeopardizes the success of its implementation.

In order to increase the possibility of success, we recommend that the institution have on its staff a team of professionals specialized in internal controls, who have the responsibility to support managers in carrying out their activities in this process.

It is also fundamental to prepare a project in which the main points that must be observed and considered in the implementation process are defined, thus reducing the chances of failure.

Let's look at some points that I consider success factors for the design of the project:

  1. Define the team responsible for building and conducting the various deployment phases. My suggestion is that it be a multifunctional team, led by the experts in internal controls.
  2. Determine who the sponsors will be. It is imperative that top management is committed to the process, and they should be the main sponsors.
  3. Work on the language. Try to use the language that already exists in the corporation, and create a glossary for the new words that will be introduced. This reduces resistance caused by ignorance.
  4. Construct the risk measurement legend. The risk must be measured in a matrix, considering the probability and the impact, which should be as objective as possible, so that everyone inside the company reads the risk in the same way. Reducing subjectivity saves precious time in the process.
  5. Plan the organization's awareness-raising process. The more knowledge people get, the greater their commitment to risk management will be. My suggestion is to work through "workshops", discussing the concepts and their applicability with the various managers.
  6. Identify and determine the best methodology, tools and work format for the process of identification, assessment and treatment of risks (inherent, IT and fraud). The simpler it is, the better it will be for the process of acculturation.
  7. Define a structure as a paradigm; the most used are the ERM structure of COSO and the structure of ISO 31000. I particularly prefer the COSO ERM, which is under review by COSO at this point, but is still a good practice. In the end, both talk about the same thing.
  8. Have a timeline with a start and end date; plan and follow the planning. If it is not possible to do everything at once, work in stages.
  9. Define who will join the process and at what level. The more the process can be done through people, the better. It may take longer; however, my experience shows that in the end the result is more effective. Remember that those who manage risks are the managers, and the more committed they are, the better it will be for the risk culture.
  10. Determine which risks will be identified first: strategic, operational, or both. Remember that it will depend on available resources. It is a good idea to carry out the process in phases, ending each phase before starting the next. Most of the time, we start with operational risks, which helps to create solid fundamentals.

On average, in our experience, the preparation of a project takes from 3 to 6 months, depending on the time the team has available to work on the subject.

To finalize, do not neglect this stage of drafting the project. It may make the difference, since it is precisely the stage where you will manage the risk that this process does not happen.
