Risk Management should not be like pouring cement into the gearbox of an enterprise. Yet I am continually frustrated by fellow Certified Systems Auditors and Risk Management consultants who err on the side of controls, with an unduly cautious attitude to what risk and business are really about.
A parallel demonstrating how governance reflects the culture of an organisation was brought home very succinctly to me when reflecting on a recent weekend with a family with deep roots in The 1st Paratrooper Regiment and Special Forces. The rich military culture of the regiments, the separation and clarity of responsibilities, and the unquestioning acceptance of accountability for one's scope of responsibility allow them to negotiate the most hostile of operational environments. They deliver time and again, even in the face of political mismanagement and interference; if any corporate environment could demonstrate a fraction of this, it would dominate its market sector.
Ever ask yourself why the recent Iraq and Afghan conflicts have seen the growth of high shareholder value security companies? No, not because of some mythical gravy train; other sectors have enjoyed just such a rich vein (just reflect on the Internet and Financial Bubbles). It's because of the military discipline and culture of accountability and commitment, if not the ultimate commitment. And in business no one is asking anyone to step into the line of fire!
Inherent in the very success of business is the ability to get the tolerances right between risk and reward. Risk is by no means the sole parameter in divining profit from business operations, but it is a significant one, as it is applicable in depth and breadth as a key component of the Corporate Governance processes by which management is instructed to ensure its Board's strategies are fulfilled.
As such, the purpose of these internal controls is to help manage and control, NOT to eliminate, risk. Consequently, a well-balanced set of internal controls will only ever provide reasonable, and not absolute, assurance against an exposure.
As we have seen with the onerous levels of Health and Safety across many areas of our lives and the political correctness that has distorted society, the same contagion seems to be permeating Risk Management, as organisations seem to be attempting to eliminate risk. The result is a gravy train for the Risk Management consultants and bureaucratic friction for operations that, instead of gearing for profit, seems to foster fixed overheads.
The Golden Rules I learnt early on are:
· Business achieves returns and success by TAKING risks.
· Organisations, public and private, need to ensure that opportunities for value creation are not missed by trying to eliminate ALL risk.
· Risk and value are two sides of the same coin, and the interests of shareholders are very focused on VALUE, which management should not forget.
In response, Risk Management should always:
1. Be tailored to business objectives – Supporting an objective's delivery, working around risks and maintaining risk controls strictly in context.
2. Balance the costs and benefits of managing risk – Too many organisations find the costs outweigh the benefits; if so, the risk management is out of tune, where it should be removing risk control friction in proportion to value return principles wherever possible.
My conclusion to date is that there is a lot of fat that has been engineered out of corporate profit and value that can be returned to shareholders. Reflect on how the dial may have been cranked up over the last five years in your own Risk Management and ask why. Has your business environment, or your strategy and objectives, changed proportionally?