Many companies have poor risk management structures and worse, they do not have a meaningful plan to improve, even though there are almost daily examples of poor risk management resulting in significant financial loss and a blow to brand reputation.
Over the past five years, several high-profile risk management cases reflect the high cost of shoddy risk management. Boeing’s 737 system failure has cost the airline upwards of $20 billion, according to a BBC report, and the costs to the company are still growing. Profits more than halved in Q3 2019 due to the grounding of the airplanes, and losses are now exacerbated by the global pandemic. In another case, $81 million was stolen from the Bank of Bangladesh when hackers commandeered the credentials of bank employees. And Wells Fargo has paid at least $3 billion in fines related to a multi-year customer bank account fraud. Crucially, in addition to the bank, some executives at Wells Fargo were fined as well.
While the financial blow in each case is significant, it is possible that the brand reputation impact could be more devastating to the entities’ long-term prospects.
The effects of poor risk management are obviously not always as catastrophic as those cited above, but they still pose substantial harm to a company’s financial health and/or brand strength. For example, check fraud is a problem for many firms, especially here in the US. Also, the global growth and pervasive use of the internet exponentially increases the risk of cyber fraud. So does a lack of attention to contract details, which opens up a firm to the possibility of costly obligations or breaches. Another costly example is inadequate employment policies and practices, which could lead to discrimination claims.
Risk should not be an afterthought
Too many companies ignore risk factors or dismiss them as low probability. As a result, they do not invest the time or money to establish a proper risk function or culture. However, companies can and should develop an effective risk culture to mitigate risk even without a large budget or a dedicated risk team.
A key aspect of good risk management is to be aware of the risks in your industry and to your business. While there is no risk free structure, a useful framework would include the following at a minimum:
Functional Risks: What are the likely risks in Finance, HR, IT, Legal, Supply Chain, etc.?
Firm strategy: What could go wrong with the firm’s product or service offerings, its M&A strategy, the geographic footprint, its alliances/partnerships, its climate change and social impact posture?
Macro Trends: What is happening in the national and global economy to affect the firm such as tax law changes, trade developments, recessions?
Being aware and asking the right questions can greatly reduce risk if companies then follow some key steps.
Identify and Practice Risk Mitigation Steps
Tone at the Top - an important starting point is leadership sponsorship and advocacy, where the owner(s) and senior leadership articulate and live out a support for the stated risk policies and objectives of the firm.
Written Policies - Another critical plank is the development and dissemination of written policies. This is the best way to formalize policies and enshrine a unified set of expectations that are accessible to all employees. It is critical that policies are updated to reflect the firm’s changing
“Mock Investigations” - these are necessary to ensure compliance and are done via periodic self-audits. These audits are not limited to the classic finance audits but could include things like IT systems testing through simulated hacking, internal phishing attempts, and HR safety compliance reviews.
Risk transfer – another valuable element of risk management, achieved through contract negotiation. Always read the contracts! Endeavor to limit liability levels, ideally to fees earned. Review default language and breach remedies. Leadership should develop a sense of its risk tolerance for liability and indemnification caps, and seek legal help as much as possible.
Insurance - Despite a firm’s best risk management efforts, there will always be some residual risks, and insurance is a vital safety net in this regard. Note that insurance is not to be used as an excuse for, or a replacement of, good risk management, but only as a foil for unknown or uncontrollable risks. Of course, a firm may decide to self-insure certain risks where the probability and likely impact are low enough that the firm can comfortably cover the eventual costs out of its own cash reserves.
Risk culture – involves a willingness to follow policies (a compliance culture), commendable incident response (quick and based on best practice), trained employees who know how to do their jobs and are quick to escalate issues for resolution, and a positive risk trajectory.
Risk management is optimized when the organization has a robust risk culture; when risk management is championed by leadership; there is a firm-wide willingness to follow policies; employees are qualified and trained in their relevant sphere of risk management; there is quick and effective incident response and escalation, where necessary, and the firm’s risk trajectory is on a positive path, where it is consistently improving in its risk management practices.