Risk management is not just about “threat reduction” but can play an important role in exploiting new opportunities, according to new research, which also highlights the need for companies to see risk as an “evolving” process in which managers need to be experts in relationship building.
The conclusions come in a report from the Association of Chartered Certified Accountants (ACCA) called Risk and Performance: Embedding Risk Management, which undertook four deep-dive case studies to uncover the challenges and best practice involved in successful risk management.
The report concludes there are “no quick fixes” and risk management must be aiming for much more than using formal tools such as risk registers, control assessments and risk appetite frameworks.
The four case studies involved in-depth interviews with key figures including heads of risk management, audit managers, data protection officers and finance directors.
The report resulted in three recommendations.
First, managers should come to understand not only the “formal” risk management mechanisms in their organisations but also the “informal” processes too.
Second, risk governance should be re-thought as “integrated accountability” in which there is greater cooperation between individuals in the roles of risk taker/controller, risk oversight and risk assurance.
And lastly, managers should tackle the “time and attention puzzle” to ensure that not all risk management resource is spent confronting threats but is also used to maximise opportunities; ignoring opportunities may reflect the “risk manager’s failure to step away from the spreadsheet and get their hands dirty within the business” the report’s authors warned.
No quick fixes
ACCA’s interim director of professional insight, Jamie Lyon, said risk management would not be effective if it was “not embedded”.
“There are no easy answers or quick fixes when embedding risk management. Given the variety of means available, organisations must allow risk management practices to evolve to their needs,” he said.
According to Dr Simon Ashby from Vlerick Business School, lead researcher on the project, risk management should go beyond the technical “tools” and allow staff to believe they can “add value”.
“To achieve this, risk managers must be experts in social networking and relationship building,” he said.
The importance of communication between functions was echoed by Dr Patrick Ring, of Glasgow Caledonian University, one of the research partners. “Importantly, we found that informal modes of communication are integral in underpinning the more formal organisational structures that support risk management,” he said.
Meanwhile, Dr Cormac Bryce of Cass Business School stressed the need for risk managers to balance the needs of threats and opportunities. “All too often the risk management function of organisations has been seen to concentrate on threat reduction.
“This current report highlights the important value-added that risk management can provide as organisations attempt to seize opportunities and maximise their success,” he added.
In conclusion, the report questioned the usefulness of the popular “three lines of defence” model of risk management. It said that “the fact that none of the cases had a pure ‘three-lines’ approach illustrates the challenges associated with it and the potential value of integrated accountability as an alternative means of approaching risk governance”.