
Risk management

Johannesburg, 06 Apr 2005

"Utter the words 'risk management' and most people immediately think about problems or what could go wrong - they don't necessarily see any positives in a terminology that has the word 'risk' in it," says Marius Schoeman, group executive: commercial services at Business Connexion.

This is a very narrow view of risk management that arises chiefly out of a lack of understanding of the concept. Understanding the risk that a business is exposed to and subsequently introducing instruments to mitigate that risk can present opportunities that an organisation would otherwise have been unaware of.

"Take outsourcing in the IT industry, as an example. Most companies claim to outsource because it is more cost-effective and allows them to keep up to date with technology while focusing on their own key competences. However, they also transfer a certain amount of risk to the supplier in the process. Having a clear understanding of the risks involved could lead to business opportunities or bring additional risks, which should be managed as part of a coherent risk management strategy, to the attention of management.

"As it is, the IT industry may in fact unknowingly accept risk when agreeing to an outsource transaction, thereby exposing both the outsource supplier and the client.

"A crucial step in managing risk to the benefit of the business is understanding the types of risk that an organisation is exposed to. There are three types (sometimes referred to as the '3 Ts'): risk that can be terminated, risk that can be transferred and risk that can be tolerated," says Schoeman.

Terminated risk is exposure that can be stopped whenever a company feels that it no longer wants that threat in its business. A transferred risk is one that can be passed on to an insurance company, client or supplier. Tolerated risk is exposure that cannot effectively be either transferred or terminated, and which the company accepts as inherent (and acceptable). This risk, which will be the subject of this discussion, needs to be identified and managed.

The first step in assessing the risk inherent in an organisation and deciding which of the "3 Ts" is applicable is to clearly identify the business risks that the company is exposed to. This can include a quantitative or a qualitative measure.

A quantitative measure is easy, as a number is attached to the risk. However, it is much more difficult to evaluate the level of risk on "softer issues", where it is not possible to merely put a number to the issue.

"Once risk has been defined, the next step is to assess and measure it. The thinking here is simple - if you do not identify the risk, then it cannot be adequately managed," says Schoeman. Companies should, however, agree on a measurement, i.e. a probability and impact scorecard, thus ensuring a common understanding of the quantified measurement of risk.

Some industries are more advanced than others when it comes to risk management. The banking sector is one such industry, with the Basel II Accord defining in strict terms what is meant by risk.

For other sectors, risk management is not quite as prescriptive, with the board bearing the responsibility for it on its own. For such companies, a simple methodology can be applied, which aims to analyse the risk, measure it, monitor it and report on it. Regular risk assessment workshops ensure staff members are risk aware.

"There is plenty of software out there to manage risk," says Schoeman, "the big four audit firms, KPMG, Deloitte and Touche, PricewaterhouseCoopers and Ernst & Young, and other specialised application development companies have all developed software to manage risk."

Software developed by these institutions tends to look at risk management from a generic business approach and covers all areas of risk. There is other software available, but this tends to address one particular element of risk, like pure risk or financial risk, and does not address the issue from a holistic business point of view.

It is important to note that circumstances change, so risk management needs to be a continuous process. "The environment changes, people change and technologies change. Given this, continuous assessment spearheaded by some sort of risk committee that fits in with a business' culture is essential to the success of a risk management policy," he concludes.


Editorial contacts

Kim Hunter
Fleishman-Hillard
(011) 548 2018
hunterk@fleishman.co.za