A well-known proverb, found in many countries, rests on the truth that there are many paths to the top of the mountain, but the view will remain similar. So it is with the management of risk.
The concept of risk appetite is well established; however, the extent to which a Board or an individual manager is prepared to tolerate risk varies. Investment management experience is littered with examples of risk takers who went too far, and the aftermath of the financial crisis is evidenced by High Street brands that are no longer with us.
Traditional risk management processes reflect a five-step approach to effective risk management, based upon models reflected within the COSO Enterprise Risk Management Framework.
This provides for identification, analysis, evaluation, treatment and monitoring or review of risks to which an organisation is or may become exposed.
Whilst four of the steps often stimulate little disagreement, the step relating to treatment relates directly to risk appetite: how far to cut, or how much further control to implement, becomes a matter for judgement upon which individuals will have different views.
Clearly this is critical in risk management terms: if too harsh a view is taken, this may stifle progress, whilst too little action may result in catastrophic consequences.
Recognition should therefore be given to the options that are available – the four T’s: Tolerate, Treat, Transfer or Terminate (or, in other terms, the four M’s: Monitor, Mitigate, Move, Manoeuvre).
In selecting each of these strategies we might bear in mind:
1 – Tolerate
If the assessed magnitude of the risk is low and within the organisation’s risk appetite, you might just accept and live with it with no mitigation at all.
However, small but frequent losses can negatively affect financial performance so it may be advisable to maintain a watch on perceived small residual risks to ensure that control is not lost.
2 – Treat
If the risk is above the organisation’s stated risk appetite, management should first explore avenues to mitigate the risk by putting in measures as a first line of defence to reduce the likelihood of the risk occurring.
The appropriate action must also take account of the law of diminishing returns whereby the benefits arising from the response should not normally be outweighed by the resource invested in taking the action.
3 – Transfer
This is where an organisation is able to pass the possible financial burden of a risk occurring to another party. It represents a tried and tested mechanism of risk transfer, where an organisation pays an amount to an insurance company in the form of a premium and, in return, the insurance company takes on the financial risk of an event occurring.
The insurance industry can cite numerous examples where such action is regularly taken relating to employees, assets, investments or litigation.
Outsourcing is often mistakenly placed in this category; however, it is better placed within treatment, as the action merely engages a specialist to deliver a non-core activity, probably with less risk vulnerability. The organisation in this case still retains the underlying risk.
Indeed, it is a risk in itself to rely too heavily on third parties.
4 – Terminate
This is probably the last resort among the organisation’s risk management strategies: it applies where the high magnitude of the identified risks outweighs the strategic importance of continuing an activity or project and no options to mitigate or transfer the risk are available.
This course of action is often related to technology projects where, due to emerging circumstances, the advantages to be gained from continuing the development are overshadowed by the emerging resource implications.
The most effective risk management strategy is therefore likely to comprise aspects of each of the four approaches outlined above, although clearly a decision to terminate an activity will appear to most as the more drastic course of action.
Nevertheless, there will be occasions where the risk opportunity or downside is so great that this course of action is the most appropriate in the interests of the majority of the organisation’s stakeholders.
Regardless of industry, however, developing a successful approach to risk management and ensuring that it is effectively embedded within the culture of the organisation will demonstrate strong governance, allowing ongoing consideration and mitigation of identified risks and, where risks of a critical nature emerge, determination of remedies that will support recovery and rebuilding where necessary.
In an ever more volatile risk environment, the ability to respond quickly by developing appropriate risk management strategies is likely to lead to continued success.
Developing an appropriate risk management strategy represents a structured approach to responding to inherent risk that exists simply because of the activities which an organisation chooses.
By embedding a continuous commitment to robust risk management throughout the organisation, it is likely that such a mature approach will provide confidence to all stakeholders and demonstrate a commitment to protect the organisation, its employees, and its assets.