IFC SmartLessons -- November 2008 -- 47161

Risk Management: So Critical, Yet So Elusive

About the Author
Chris Razook is part of the PEP-MENA Corporate Governance program based in Cairo. As part of that program, he has worked with many companies and boards of directors around the region to help improve their corporate governance practices.

Approving Manager
Michael Higgins, Senior Operations Manager, Financial Markets, PEP-MENA. He joined IFC in April 1998 as Principal Banking Specialist, and has also served as the Country Manager for Thailand; prior to that he was based in IFC's Bangkok office, overseeing its banking investments in East Asia.

Every good organization around the globe firmly espouses the benefits of sound risk management. Certainly, the recent financial crisis has underscored this imperative. Yet it is remarkable how elusive an effective risk management function can be for many organizations. This is definitely the case for many of the companies we have worked with as part of the corporate governance program in the Middle East and North Africa (MENA) region. This SmartLesson is based on our recent work with an investee company to help put in place a simple but effective enterprise risk management process. This was part of a wider corporate governance improvement effort for the company. It also draws on experiences we've had with other companies and provides lessons for any organization trying to figure out how to actually make risk management work (see Box 1).

Box 1: How the Term Is Used
Risk management means different things to different companies. Some companies point to a detailed risk assessment report, conducted annually, as their form of risk management. Others point to dedicated risk management staff that focus on monitoring risks for the organization, sometimes using sophisticated risk models. Here, we are talking about overall enterprise risk management, relating to the processes in place throughout a company to continually assess potential risks and take actions accordingly to help manage those risks and achieve defined business objectives. The scope includes any type of risk--internal and external--facing the company at all levels of the organization. This is the bedrock of any management control environment and, hence, its corporate governance framework.

Background

This particular client, a mid-size, private manufacturing sector company in MENA, still operated as a small, closely held company. It had essentially outgrown its current infrastructure, including many of its management control functions. As with many companies of this nature, there was no formal risk management framework in place. The client noted that managers considered risks implicitly as part of their day-to-day operations and addressed issues reactively as they occurred. It also mentioned that a risk assessment had been conducted in the past year by an outside advisor and delivered in a written report to the company. The challenge for this client was to help design an effective risk management function that addressed the following critical success factors:

· Embedded throughout the company's organization; not just at senior levels, and not just in the financial processes (e.g., also in project operations, where much of the risk lies).
· Routine and used as a real management tool, not just as a check-the-box reporting exercise.
· Promotes ongoing, timely dialogue regarding risks facing the organization.

Lessons Learned

It should be noted that the client is still in the process of fully implementing the recommendations described below. This is to be expected, given the enterprise-wide scope of the effort. Nevertheless, several immediate and important lessons can be drawn from this experience.

1) Focus on the process and keep it simple.

The primary focus should be on the process. While it's important to have a firm understanding of risk management concepts, tools, and techniques, the key consideration should be: How does a company actually put in place a working process for discussing risk on an ongoing basis? For this client, we considered the following:

· What risk-related information is being collected?
· What is the flow of that information in the organization?
· What dialogue is the information supporting?
· How frequent is the dialogue?
· Who in the organization is having the dialogue?
· What actions and decisions is the dialogue informing?

These considerations helped shape the design of the risk management processes for this client. The further lesson is to keep the process simple enough that managers use it and take it seriously--that is, make it stick. This was especially important for this client, since it had previously tried different approaches, none of which were sustained. Unnecessarily complex processes can be counterproductive. For example, we've observed processes in other clients that require managers to complete a long series of reports and forms that go into excruciating detail about their risks and mitigation strategies. They require so much effort that managers do not use them as an effective management tool--rather, they are just a burdensome reporting exercise for senior management. We were careful to avoid that for this client.

Ultimately, the process we recommended for this client did not employ any new concepts. Rather, we distilled the common risk management concepts down to a simple form to create an easy-to-use process. One of the main tricks was to figure out how we could integrate the "risk dialogue" into the client's existing planning and performance-monitoring processes. So, rather than create a completely separate risk management process, we simply tied it to the client's existing management activities, such as biweekly Executive Committee meetings and ongoing unit-level status meetings (see Box 2 for process highlights).

Box 2: Highlights of the Recommended Risk Management Process for the Client
· Given the defined strategic initiatives from the company's business plans, define the corresponding risks for each by considering: What can go wrong?
· The risks should include all types of risks, both internal and external.
· For each risk, rate (on a scale of 1 to 10) the likely impact and the probability. Then use those combined ratings to assign an overall priority rating (e.g., the higher the impact and probability, the higher the priority).
· Identify mitigation action(s) for each risk, and assign responsibility. This will depend on the "risk appetite." For example, low-priority risks may not require much, if any, mitigation.
· Provide updates biweekly to the Executive Committee alongside other performance reports. The risks and mitigating actions are no different than other strategic initiatives that should be constantly monitored. Consider a scorecard approach that assigns qualitative progress indicators (e.g., red, yellow, green).
· A risk matrix such as this should be completed for each business unit and also at the overall enterprise level. This matrix can be cascaded down into the business units and integrated with their monitoring and reporting activities.

2) Integrate risk management with other key management control processes.

In the past, this client had treated risk management as a separate, periodic process conducted by particular individuals (and an outside advisor). We illustrated how risk management can be linked to other key management functions to create a seamless, continual process for controlling the organization (Figure 1). We highlighted the following:

· Integration with Business Planning: Risks should be identified for all strategic initiatives based on the company's business plans (which, fortunately, were well-developed for this client) and, ultimately, made part of the plans themselves.
· Integration with Performance Monitoring: Risks and mitigation actions should be reported and monitored as part of the company's routine performance-monitoring processes, just as with other types of performance information (e.g., financial performance, project performance). These reviews should be continual and should feed back into the planning cycle on an ongoing basis.
· Integration with Internal Control: Control activities for the organization should be linked to the specific risks identified. The same matrices used to identify and assess risks can then be used to identify the control activity (or mitigating action, depending on the nature of the risk), to ensure that the internal control framework is "risk-based."
· Integration with Internal Audit: The internal audit function (which did not exist prior to the corporate governance review) should be assessing the entire risk management and control framework to ensure that it is working effectively. The assigned risk priorities can be used to help ensure that the internal audit program is "risk-based," focusing on the highest priority risks and controls.

Figure 1: Integrating Risk Management with Other Key Management Control Functions

3) It's all about the dialogue.

Simply put, if the right risk dialogue is not happening, the process is broken. Whatever form the risk management process ultimately takes in an organization, it must be facilitating a routine, useful dialogue about risk throughout the enterprise. For this client, most of the risk-related dialogue was reactive, addressing particular issues after they surfaced. Further, it was mostly bilateral, between only the CEO and the relevant manager, and not considered in a structured way. We suggested the following to help improve the dialogue:

· Encourage transparency. The dialogue should encourage candid reporting by staff so as to promote organizational transparency and useful management actions.
· Consider all types of risks. The dialogue should not focus only on financial risk, as is common. It should consider all types of risk, both internal (e.g., operational, financial) and external (e.g., market, political), that may inhibit achievement of the company's strategic objectives.
· Challenge assumptions. Discussions should challenge underlying assumptions, such as those about the probability or impact of particular risks. Every strategic initiative has a potential downside that needs to be discussed.
· Have measured responses. Not every risk identified will require a corresponding mitigating action. There is a cost and benefit to be considered for each. The "risk appetite" should drive the appropriate mitigation strategies.
· Be proactive. Do not let discussions focus solely on reacting to recent issues; rather, push managers to be forward-looking and to try to anticipate risks that may occur in the short term and even longer term on a continuing basis.
· Demand stress-testing. Consider extreme or worst-case scenarios and the likely impact. Consider a variety of scenarios and not just business as usual (especially critical in today's environment).
· Become second nature. Reinforce the notion that any performance or strategic discussions should automatically include risk dialogue, so that it becomes second nature for staff to constantly consider: What can go wrong?

4) The board has a key role.

From a governance perspective, the board of directors should have an effective challenge function in risk discussions. One of the major benefits of having a well-functioning, diverse board (as we promote for good corporate governance) is its ability to offer different perspectives on discussions about strategy and risk and to effectively challenge management. Therefore, the process should be designed to ensure that the board is receiving the right information and having the right dialogue about the risks facing the company. We emphasized this point to the client and included it as one of the key responsibilities for the board audit committee.

Final Word

Risk management concepts will continue to evolve, especially in response to the current financial crisis gripping companies around the world. Yet in our experience, the most value-added advice we can offer to our clients is not only to help them understand risk management concepts as they evolve, but also to offer practical lessons on how to actually make them work.

Disclaimer
IFC SmartLessons is an awards program to share lessons learned in development-oriented advisory services and investment operations. The findings, interpretations, and conclusions expressed in this paper are those of the author(s) and do not necessarily reflect the views of IFC or its partner organizations, the Executive Directors of the World Bank or the governments they represent. IFC does not assume any responsibility for the completeness or accuracy of the information contained in this document. Please see the terms and conditions at www.ifc.org/smartlessons or contact the program at smartlessons@ifc.org.