Let's make enterprise risk management simple!


Today I want to bring to our reflection a theme that is fundamental to the consolidation of corporate governance.

Let's talk about enterprise risk management.

I was preparing the course and came across a slide that I use to explain the structure applied to risk management, and I felt motivated to bring this topic to our discussion.

Anyone who follows me on social media knows that I always try to bring a simple view to important topics related to management and governance, making them easier to understand and to apply in corporate activities.

Simplicity is currently a competitive advantage for the organization, but understand that being simple does not mean being superficial.

Well, let's get back to our topic, which is risk management.

In a simple way, I can say that:

“Managing risks is a proactive, forward-looking activity: understanding the events, external and/or internal, that may materialize and adversely impact the ability of the company or process to achieve its objectives; evaluating them for their magnitude; and treating them based on the acceptable levels of risk defined by the corporation.”

The primary objective of risk management is to allow the corporation, in the pursuit of its mission, to conduct, direct and maintain its activities, actions and decisions within its acceptable level of risk, as defined by its risk appetite.

The starting point for risk management is the correct understanding of objectives, whether strategic, corporate and/or operational. If we do not know the objectives clearly, it is difficult to know the risks in a comprehensive way.

Not using objectives as the basis for identifying risks is the most common mistake I find in corporations; it causes time and resources to be spent in the wrong way and ineffectively.

Remember that the risk event directly impacts the ability to achieve the objectives.

Regarding the operational objectives, those that relate to the various existing processes for the operationalization of the organization's activities, I recommend the definition of the objectives inherent to each of the processes, as well as the objectives related to legal compliance, objectives related to moral values of the organization, and objectives related to the consistency, integrity, confidentiality and recoverability of the processed data.

The better the definition of objectives, the more effective the identification of risks tends to be.

Well, since we have already determined the objectives, we now begin the process of identifying the events, external and/or internal, that may impact the corporation.

Then, in a simple way, we begin to identify the risks that, if materialized, will adversely impact the organization's ability to achieve its objectives. We can see a risk as the negative view of an objective. For example, if one of the inherent objectives of a purchasing process is to buy only the products and/or services necessary for the operation of the corporation, the risk may be the purchase of products and/or services not necessary for the operation.

Based on the understanding of the objectives, try to identify all the risk events that relate to them. This is a brainstorming activity; there is no Cartesian way of doing it.

Once all the perceived risks have been listed, the next step is to know their causes, that is, the events that could materialize the risk.

It is the risk factors (causes) that we assess the magnitude of and that we treat, so it is important to be judicious in identifying them.

To illustrate, let's go back to the purchasing-process example: why might the corporation buy products and/or services not necessary for the operation? The answers to this question will allow us to identify the risk factors. Example: a. a wrong purchase requisition; b. lack of inventory planning; c. fraud.

This procedure must be performed for all identified risks, without exception.

Very well, at this point our risk matrix already has three basic columns: a column of objectives, a column of risks related to each objective, and a column of risk factors related to each identified risk.

The next step is the analysis and assessment of the risk factors through a matrix reading of probability (frequency) and impact (in several dimensions, such as financial, image, market share and others).

At this point, it is important that the corporation has metrics, approved by senior management, to assess the magnitude (probability and impact) of risk factors.

It is also important that the company already has a risk appetite defined by top management. As a suggestion, to facilitate the risk management process, guide senior management to define the risk appetite based on the heat map resulting from the metrics, indicating the quadrant that should be considered the acceptable level of risk.

I like to use metrics with five levels of probability and five levels of impact, so that the heat map has quadrants from 1 to 25. In this case, the risk appetite can be defined as one of the existing quadrants; for example, senior management can set its risk appetite at quadrant six, so anything above it will need to be addressed.

One of the problems I come across at this evaluation stage is the use of complex metrics, with weights, weighted averages and other calculations that only add complexity and delay to the process.

Note that, more important than the accuracy of the risk factor measurement, is the action that management takes to address it. It doesn't matter whether the risk is 15.234 or 15; what really matters is the action that management takes to mitigate the risk factor.

The calculation is simple: probability × impact = gross risk.

Another important point at this evaluation stage is the definition of impact, that is, if the event materializes, what impact will it bring to the organization. Some corporations seek to assess impact through a weighted average across the various dimensions. My suggestion is to work with the dimension that receives the primary impact, not with a weighted average of the impact across the different dimensions, because that is not how it happens in reality. Example: if the event materializes and impacts the image, it will not necessarily impact the other measured dimensions at the same time, so it is best to focus on treating the effect on the image, ensuring that it does not spill over into the other dimensions.

Okay, now that we know the magnitude (gross risk) of all the risk factors, whether inherent, compliance, fraud or IT, the next step is to compare the magnitude obtained with the risk appetite and, based on this, determine the best treatment to align the gross risk with the risk appetite determined by the organization.

Keep in mind that the primary objective of risk management is to enable the corporation to act within its acceptable level of risk, formalized through the definition of risk appetite.

Risk factor treatment can be one of: accept, share, avoid or mitigate.

We can accept the risk when the gross risk is already aligned with or below the risk appetite. However, accepting the risk does not mean doing nothing; it means monitoring the risk factors, because a risk that is low today may change tomorrow, and with that change, so may our treatment.

Another important point concerns who can accept the risk. My suggestion is that it needs to be accepted by the statutory managers, since legally they are the ones who take on the risk for the company, including with their personal assets.

Sharing risk is a process in which another corporation, be it a financial institution or an insurance company, agrees to take on part of the risk for the company. Examples: insurance policies, or a foreign exchange hedge. Note that this is a response to impact, not to probability.

Another form of treatment for risk factors is risk avoidance. It is one of the most difficult responses to work with, because in order to avoid a risk the organization can no longer be exposed to it, which in most cases means a strategic decision, such as the company's exit from a market, closing a unit, not carrying out an operation, etc.

Finally, we have the possibility of mitigating the risk factor, which, operationally speaking, requires the implementation of an internal control to reduce the probability of the risk event materializing.

Just a reminder that internal controls are:

“Actions, formalized in policies and procedures, aimed at mitigating the probability of materialization of the risk event. These are actions of review, checking, certification, validation, authorization, approval, etc.”

Depending on the materiality and nature of the risk, in addition to the response to probability, it will be necessary to prepare a contingency plan, which aims to minimize the effect of the impact when the risk event materializes.

Once the responses have been determined and implemented, the next step is to calculate the residual risk, which is the risk remaining after the treatment action, and make sure it aligns with the risk appetite defined by the corporation.
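The scoring and treatment steps above, as an added worked example that is not code from the original post: a small risk register for the purchasing-process example, scored on the 5×5 metric (probability × primary impact) against a risk appetite of quadrant six, with residual risk recalculated after a control. The probability and impact levels, the controls and the residual probabilities are constructed assumptions for illustration.

```python
from dataclasses import dataclass

APPETITE = 6  # risk appetite as a heat-map quadrant on the 5x5 matrix (page example)

@dataclass
class RiskFactor:
    cause: str               # cause of the risk event (what is scored and treated)
    probability: int         # level 1..5
    impact: dict             # dimension -> level 1..5, e.g. {"financial": 4, "image": 2}
    control: str = ""        # internal control applied (mitigation), if any
    residual_probability: int = 0  # probability after the control; 0 = no control

    def __post_init__(self):
        # Levels outside the five-step metric are rejected rather than silently scored.
        for level in [self.probability, *self.impact.values()]:
            if not isinstance(level, int) or not 1 <= level <= 5:
                raise ValueError(f"level must be an integer 1..5, got {level!r}")
    def primary_impact(self) -> int:
        # Score the dimension that takes the primary hit, not a weighted average.
        return max(self.impact.values())
    def gross_risk(self) -> int:
        return self.probability * self.primary_impact()
    def residual_risk(self) -> int:
        # Controls act on probability; impact stays until a contingency plan reduces it.
        return (self.residual_probability or self.probability) * self.primary_impact()

def treatment(gross: int, appetite: int = APPETITE) -> str:
    # Within appetite: accept (and keep monitoring). Above it: mitigate, share or avoid.
    return "accept" if gross <= appetite else "treat"

def build_register(objective: str, risk: str, factors: list, appetite: int = APPETITE) -> list:
    # One row per risk factor: objective, risk, cause, gross risk, treatment, residual.
    rows = []
    for f in factors:
        gross, residual = f.gross_risk(), f.residual_risk()
        rows.append({"objective": objective, "risk": risk, "cause": f.cause, "gross": gross,
                     "treatment": treatment(gross, appetite), "control": f.control,
                     "residual": residual, "aligned": residual <= appetite})
    return rows

# Constructed sample for the page's purchasing-process example (levels are assumed).
PURCHASE_FACTORS = [
    RiskFactor("wrong purchase requisition", 3, {"financial": 2}),
    RiskFactor("lack of inventory planning", 3, {"financial": 3},
               control="monthly stock review against demand forecast", residual_probability=2),
    RiskFactor("fraud", 2, {"financial": 5, "image": 4},
               control="segregation of duties: requester, approver, payer", residual_probability=1),
]
PURCHASE_REGISTER = build_register("buy only what the operation needs",
                                   "purchase of unnecessary products or services", PURCHASE_FACTORS)
```

Rows whose gross risk is within appetite are accepted and monitored; the two above appetite are treated, and their residual risk after the control is what is checked against quadrant six.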

Remember that simplicity is currently a competitive advantage! Bring simplicity to operation, not superficiality!

Be happy!
