SO WHY THE HESITANCY TO INVEST IN EFFECTIVE RISK MANAGEMENT (RM)? TYPICAL OBJECTIONS TO INVESTING IN RM AND POSSIBLE RESPONSES
Despite evidence that mature RM programs add significant value, many organisations remain hesitant when it comes to adopting RM and embedding RM processes in their day-to-day operations. Below are some of the typical queries and objections raised when it comes to investing in RM, each followed by a possible response.
“We are not convinced of the value of GRC. It’s a nice to have and not a necessity. As long as we can tick the box to say that we comply.”
Clem Sunter states in the IRMSA Risk Report 2016: “Risk evaluation and management skills are now central to the long-term viability of any organisation”. Clem further adds: “Moreover, risk management now constitutes a premier discipline that no organisation can do without. You only have to look at the high-profile and costly examples of companies that recently were devastated by some expensive flaw in their business model being exposed to public scrutiny. What they would have given to have perceived the full extent of the problem in advance and acted on it.” You can download the full IRMSA 2016 Risk Report at http://www.barnowl.co.za/wp-content/uploads/2016/02/IRMSA_2016_Risk_IRMSA-Risk-Report-2016-Launch.pdf and see some examples of recent corporate failures at http://www.barnowl.co.za/insights/6373/
The RIMS report ‘Why a Mature RM Effort is Worth the Investment’ cites an independent study conducted by Queen’s University Management School and the University of Edinburgh Business School in an effort to answer the question many executives ask: “Is improving our RM program worth the investment?” The answer?
Yes. Or as the authors wrote, there is “a highly significant premium of 25% for firms that had been classified as having ‘mature RM’ according to the RIMS Risk Maturity Model.” This finding, that firms with a mature RM program were valued 25% higher than their peers, is one that should catch the attention of executives, board members and risk managers. As Steven Minsky (a recognised thought leader in RM and co-author of the RIMS Risk Maturity Model) says: “A mature RM program is a safety net. It protects boards and senior leadership from accusations of negligence by demonstrating a clear dedication to uncovering risk. It also provides transparency and assurance of on-time and on-budget achievement of corporate performance objectives.”
“We’ve been in business for a long time and know what our risks are. Why do we need a system to tell us what our risks are? We keep track of our risks in Excel.”
In a medium to large organisation, management may know what the top 10 strategic or top 10 operational risks are. With the best intentions in the world, however, they won’t always be aware of what is going on ‘below the surface’: the knock-on effects between interconnected risks, controls, loss events, near misses, regulatory requirements, KPIs and resources. These become serious risks to the organisation if they are not identified, managed and monitored.
It’s impossible to see the warning lights, or to keep track of all risk-related activities and their interconnectedness, without a systematic approach supported by specialised RM software. See http://www.barnowl.co.za/insights/still-using-excel-for-risk-management-and-or-audit/ as to why Excel just won’t cut it!
It’s a mistake to base your decision making on financial results (which are reported after the fact) and forecasts only, and to ignore or minimise the importance of a changing risk profile, be it internal or external. Ignoring, or not being aware of, the risks facing the organisation is a threat to its sustainability, can be considered negligent on the part of its directors and may carry legal consequences.
“We have a business to run here and don’t have time for RM. It would add work to our day-to-day operations and our resources are already spread thin.”
You may not have a business to run unless you find the time to identify and monitor your risks and make the relevant people accountable for managing the risks within each of their areas of the business.
In reality, everyone is performing risk management activities all the time in their daily lives, be it at work or privately (crossing a street, for example, involves risk assessment and decision making). In a team environment, however, if there is no formal risk management program, everyone does their own thing, which is often counterproductive and creates duplicate effort and re-work.
A systematic approach to risk management supported by GRC software provides a centralised platform for all the risk activities you are already doing. It acts as the hub for your entire enterprise risk program: the risk assessments you send out, the mitigation activities you carry out and document, and the reports you create are all housed in a single centralised database. GRC software isn’t simply a database where you document processes and store your data; it serves as a tool that makes risk management processes easier and more efficient, and enables you to gain insight into the data you have been collecting.