Let's make enterprise risk management simple!
Today I want to bring to our reflection a fundamental theme for the consolidation of corporate governance.
Let's talk about enterprise risk management.
I was preparing a course and came across a slide that I use to explain
the structure applied to risk management, and I felt motivated to
bring this topic to our discussion.
Anyone who follows me on social media knows that I always try to bring a
simple view to important topics related to management and governance,
facilitating understanding and their application in corporate activities.
Simplicity is currently a competitive advantage for the organization,
but understand that being simple does not mean being superficial.
Well, let's get back to our topic, which is risk management.
In a simple way, I can say that:
“Managing risks is a proactive activity, looking to the future, understanding the events, external and/or internal, that may materialize and adversely impact the company's or process's ability to achieve its objectives; evaluating them for their magnitude, and treating them based on the acceptable levels of risk defined by the corporation.”
The primary objective of risk management is to allow the corporation, in
the pursuit of fulfilling its mission, to conduct, direct and maintain its
activities, actions and decisions, within its acceptable level of risk, defined
by risk appetite.
The starting point for risk management is the correct understanding of
objectives, whether strategic, corporate and/or operational. If we do not know
the objectives clearly, it is difficult to know the risks in a comprehensive
way.
Not using objectives as a basis for identifying risks is the most common
mistake I find in corporations, causing time and resources to be spent in the
wrong way and ineffectively.
Remember that the risk event directly impacts the ability to achieve the
objectives.
Regarding the operational objectives, those that relate to the various
existing processes for the operationalization of the organization's activities,
I recommend the definition of the objectives inherent to each of the processes,
as well as the objectives related to legal compliance, objectives related to
moral values of the organization, and objectives related to the consistency,
integrity, confidentiality and recoverability of the processed data.
The better the definition of objectives, the more effective the
identification of risks tends to be.
Well, since we have already determined the objectives, we now begin the
process of identifying the events, external and/or internal, that may impact
the corporation.
Then, in a simple way, we begin to identify the risks that, if
materialized, will adversely impact the organization's ability to achieve its
objectives. We can see risk as the negative view of the objective, for example:
If one of the inherent objectives of a purchasing process is to buy only products
and/or services necessary for the operation of the corporation, the risk may be
the purchase of products and/or services not necessary for the operation.
Based on the understanding of the objectives, try to identify all risk
events that relate to it. This is a brainstorming activity. There is no
Cartesian way of doing this.
Once all the perceived risks are related, the next step is to know their
causes, that is, the events that could materialize the risk.
It is the risk factors (causes) that we assess the magnitude of and that
we treat, so it is important to be judicious in identifying them.
To illustrate, let's go back to the example of the purchasing process:
why could the corporation buy products and/or services not necessary for the
operation? The answers to this question will allow us to identify the risk
factors. Example: (a) a wrong purchase requisition, (b) lack of inventory
planning, (c) fraud.
This procedure must be performed for all identified risks, without
exception.
Very well, at this point, our risk matrix already has three basic
columns: a column of objectives, a column of risks related to each of the
objectives, and a column of risk factors related to each of the identified risks.
The next step is the analysis and assessment of risk factors through the
matrix reading of probability (frequency) and impact (in several dimensions,
such as financial, image, market-share and others).
At this point, it is important that the corporation has metrics,
approved by senior management, to assess the magnitude (probability and impact)
of risk factors.
It is also important that the company already has a risk appetite
defined by top management. As a suggestion, to facilitate the risk management
process, guide senior management to define the risk appetite based on the heat
map resulting from the metrics, indicating the quadrant that should be
considered the accepted level of risk.
I like to use metrics with five levels of probability and five levels of
impact, so that the heat map has quadrants from 01 to 25. In this case, the risk
appetite can be defined as one of the existing quadrants; for example, senior
management can set its risk appetite at quadrant six, so anything
above that will need to be addressed.
One of the problems that I come across at this evaluation stage is the
use of complex metrics, with the inclusion of weights, weighted
averages and other calculations that only bring complexity and delay to the
process.
Note that, more important than the accuracy of the risk factor
measurement, is the action that management takes to address it. It doesn't
matter if the risk is 15,234 or 15, what really matters is the action that
management takes to mitigate the risk factor.
The calculation is simple: probability x impact = gross risk
Another important point at this stage of the evaluation is the
definition of impact, that is, if the event materializes, what impact will it
bring to the organization. Some corporations seek to assess impact through a
weighted average across the various dimensions. The suggestion is to work with
the dimension that receives the primary impact, and not with a weighted average
of the impact in the different dimensions, because, note that this is not how
it happens in reality. Example: if the event materializes and impacts the
image, it will not necessarily impact, simultaneously, the other dimensions
measured, so it is best to focus on treating the effect on the image, ensuring
that it does not affect secondarily the other dimensions.
Okay, now that we know the magnitude (gross risk) of all risk factors,
whether inherent, compliance, fraud, or IT, the next step is to compare the
magnitude obtained with the risk appetite and, based on this, determine the
best treatment to align the gross risk with the risk appetite determined by the
organization.
Keep in mind that the primary objective of risk management is to enable
the corporation to act within its acceptable level of risk, formalized through
the definition of risk appetite.
Risk factor treatment can be: Accept, Share, Avoid and Mitigate.
We can accept the risk when the gross risk is already aligned with or below
the risk appetite; however, accepting the risk does not mean doing nothing, but
monitoring the risk factors, because what is low today may change tomorrow,
and our treatment with it.
Another important point is in relation to who can accept the risk, and
my suggestion is that it needs to be accepted by the statutory managers, since
legally they are the ones who take on the risk for the company, including with their private
assets.
Sharing risk is a process where another corporation, be it a financial
institution or an insurance company, agrees to take on part of the risk for the
company. Example: insurance policies, or a foreign exchange hedge. Note that this
is a response to impact, not to probability.
Another form of treatment for risk factors is risk avoidance. It is one
of the most difficult responses to work with, because in order to avoid a risk,
the organization can no longer be exposed to it, which means, in most cases,
strategic decision-making, such as the company's exit from a market, closing
a unit, or not carrying out an operation, etc.
Finally, we have the possibility of mitigating the risk factor, which
operationally speaking, requires the implementation of an internal control to
mitigate the probability of the risk event materializing.
Just a reminder that internal controls are:
“Actions, formalized in policies and procedures, aimed at mitigating the probability of materialization of the risk event. These are actions of review, checking, certification, validation, authorization, approval, etc.”
Depending on the materiality and nature of the risk, in addition to the
probability response, it will be necessary to prepare a contingency plan, which
aims to minimize the effect of the impact, when the risk event materializes.
Once the responses have been determined and implemented, the next step
is to calculate the residual risk, which is the effect remaining after the
treatment action, and make sure it aligns with the risk appetite defined by the
corporation.
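As an added example (not from the original post), the whole procedure above in code: the register follows the purchasing example (objective, risk, the three risk factors), scores probability x primary impact on the 5x5 grid, compares the gross risk with an appetite of quadrant six, applies a mitigation to the factors above it and recomputes the residual risk. The scores, the appetite value and the named controls are constructed for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)   # five probability levels x five impact levels -> quadrants 1..25
APPETITE = 6          # quadrant chosen by senior management (constructed value)

@dataclass
class RiskFactor:
    cause: str
    probability: int             # frequency, 1..5
    impact: dict                 # dimension -> 1..5
    treatment: str = "Accept (monitor)"
    residual_probability: int = None

    def primary_impact(self):
        # Impact is read on the dimension hit first, never a weighted average.
        dim = max(self.impact, key=self.impact.get)
        return dim, self.impact[dim]

    def gross_risk(self) -> int:
        return self.probability * self.primary_impact()[1]

    def residual_risk(self) -> int:
        p = self.probability if self.residual_probability is None else self.residual_probability
        return p * self.primary_impact()[1]

def check_scores(rf: RiskFactor) -> None:
    if rf.probability not in SCALE or any(v not in SCALE for v in rf.impact.values()):
        raise ValueError(f"{rf.cause}: scores must be on the 1..5 scale")

def mitigate(rf: RiskFactor, control: str, new_probability: int) -> None:
    # An internal control acts on probability; the assessed impact is unchanged.
    rf.treatment = f"Mitigate: {control}"
    rf.residual_probability = new_probability

def purchasing_register() -> list:
    # Objective: buy only what the operation needs. Risk: buying unnecessary
    # products/services. Causes are the post's three factors; scores are constructed.
    return [
        RiskFactor("Wrong purchase requisition", 4, {"financial": 2, "image": 1}),
        RiskFactor("Lack of inventory planning", 2, {"financial": 3, "image": 1}),
        RiskFactor("Fraud", 2, {"financial": 4, "image": 5}),
    ]

def evaluate(register, appetite=APPETITE) -> list:
    rows = []
    for rf in register:
        check_scores(rf)
        dim, _ = rf.primary_impact()
        rows.append({"cause": rf.cause, "dimension": dim, "gross": rf.gross_risk(),
                     "needs_treatment": rf.gross_risk() > appetite,
                     "treatment": rf.treatment, "residual": rf.residual_risk(),
                     "aligned": rf.residual_risk() <= appetite})
    return rows

def treated_purchasing_register() -> list:
    reg = purchasing_register()
    mitigate(reg[0], "requisition approval by the area manager", 1)      # hypothetical control
    mitigate(reg[2], "segregation of duties and supplier validation", 1)  # hypothetical control
    return evaluate(reg)
```

Quadrant six itself is accepted and only monitored, which is why the inventory-planning factor keeps its "Accept (monitor)" treatment while the other two are mitigated.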
Remember that simplicity is currently a competitive advantage! Bring
simplicity to operation, not superficiality!
Be happy!