In recent years, events such as COVID-19, the resulting disruption of supply chains, the Russian invasion of Ukraine, and social unrest have made risk management a topic of discussion for companies of all sizes. If we also consider the dangers of money laundering, the financing of terrorism, and data protection issues, risk management is an obligatory part of any manager’s agenda.
Every person or organization manages risks to some extent, in a rational or intuitive way. However, experience demonstrates that when we have the opportunity to analyze a past event or see an audit of a process or system, it is usually evident that better risk management could have mitigated the fallout. This article seeks to generate four reflections on this process that can help us to perform this essential task better.
1) Risk management is a continuous cycle and not a simple process.
The ISO 31000: 2018 standard, which deals with risk management, provides us with an implementation guide for a structured process. It is common for risk management to focus too much on the risk itself, and to neglect two other fundamental parts of the cycle.
First is communication and consultation, which helps different stakeholders understand the risks they are facing and establishes the basis and justifications on which decisions are made, while helping to generate a risk-aware management culture.
Second is monitoring and review, which allows companies to ensure and improve the quality and effectiveness of their policies, their implementation, and their results. Continuous monitoring and periodic review of the risk management process and its results should be an integral part of the process with clearly defined responsibilities and deliverables.
These two elements are often forgotten in the risk management implementation process, although they are the engine that allows for a live, continuous process to be carried out and for its results to be aligned with reality. This ensures that risk management is not limited to a dusty document in a desk drawer or filing system.
2) Alignment of different actors.
In the world of insurance, risk management is focused on operational risk and prevention through equipment and systems. The auditing world, however, has a different approach to risk management, where different schemes and new ways of analyzing risk management have been developed. Fortunately, these two visions are growing closer every day, which is reflected in the latest 2020 version of the risk management model. The Three Lines Model of the Institute of Internal Auditors (IIA) shows that all areas of the company (called lines) must contribute to the generation of value, working in a coordinated and harmonious manner for risk prevention and management. Each one has a specific role, but is supported by continuous communication and collaboration, with particular emphasis on the area of internal audit, which must not only ensure compliance with the processes, but also has a duty to advise the company about the fulfillment of its objectives.
On many occasions we find that companies’ risk management models (such as operational, environmental, legal, health and safety, financial, etc.) are elaborated following different methodologies and definitions, which makes their integration very complex and difficult to optimize, and makes it hard for managers and auditors to review and operate them. If it is possible to align the entire organization according to risk management and the capacity and appetite for risk, clearly defined by the governing body, it will be much easier to discuss mitigation and the implementation of controls to reduce vulnerability to identified threats, achieving greater coherence in administration, lower costs, and better benefits for the company.
3) Risk and opportunity management.
The definition that the ISO 31000:2018 standard applies to risk can be problematic. It is: “The effect of uncertainty on objectives.” Its clause 1 clarifies that, “An effect is a deviation from what was expected. It can be positive, negative, or both, and can address, create, or result in opportunities and threats.” In other words, every company is permanently engaged in the risk management process in its search for opportunities, as was mentioned at the beginning of this article. But perhaps risk management is conducted subconsciously and consistently. Or maybe it does not conform to any methodology, or is applied differently in the management of negative deviations (also called risk). It is important to be able to bring both concepts closer together so that the application of risk-based thinking is a constant for the company, which then manages to better capture the opportunities offered by the environment while minimizing risk.
4) Insurance is a part of risk management strategy.
Companies will always face residual risk, even if they have a permanent risk-management cycle and a culture that instills risk-based thinking throughout their departments. This is where contracting insurance comes in, bringing in the insurance professionals. Thanks to volume and the dispersion of risk across many relatively homogeneous policyholders, insurance companies can respond to possible accidents. It is important to recognize insurance as an essential element of risk management which, although it does not mitigate all risk, does represent a valuable tool that complements proactive, risk-aware management.
We invite any organization to make a self-assessment of the risk it is facing using these four simple points, which are constant across the different companies consulted, and to ensure that risk management is part of the company’s DNA, and not just another industry trend or tiresome legal compliance.
*Written by Carlos Mauricio Moreno Cruz, Risk Management Consultant, Nacional de Seguros.