Key Risks: Are They Really Known?

Understanding an organization’s risk management process helps evaluate whether key risks – those currently existing and those that may impact the organization in the future - are known and are effectively monitored.

330x160-key-risk.jpg

Someone once said that “the art of business is making decisions with incomplete information.” A big part of decision making is assessing risk. While this concept appears obvious, some successful executives have stated, “We’re a successful business and we already know our risks, so we don’t need to formalize a risk identification process.”

For the most part, this may be true. These individuals inherently know their risks. However, the things that keep people up at night seem to get lost in translation and not communicated to those responsible for overseeing the risk management process. This dynamic, in itself, creates significant risk.

Can an organization know all its key risks? They may have identified what they consider the risk universe but there is no “silver bullet” to ensure the right risks have been identified or that these risks are being monitored. British Petroleum (BP) and its contractors may have been well aware of the risks associated with the possibility of an oil rig exploding in the Gulf of Mexico. Rigs in the Gulf have exploded many times before, but not to this magnitude.

Understanding an organization’s risk management process helps evaluate whether key risks – those currently existing and those that may impact the organization in the future - are known and are effectively monitored.

Risk Identification

Both investors and internal management, as stakeholders, must understand the risk identification and risk management processes. Risk identification begins with information gathering. Typical methods used to gather information include questionnaires, meetings, risk modeling or risk software - each of which supports the risk identification.

No matter the methods used, without transparency it is likely key risks will either not be identified or downplayed by the communicator. Evaluating effectiveness of the risk identification process can be quite tricky, especially when one’s corporate culture seeks to quickly criticize rather than seek solutions. Egos must be left at the door for risk identification to be effective. Senior management must accept and deal with reality. Though this can be a humbling exercise, putting the organization before oneself is absolutely essential. It takes courage for leaders to accept the truth and take appropriate corrective action.

Risk Management and Communication

An often asked question during consulting projects is “What’s the one thing you’d like to see improved in your organization?” Without fail, one of the top three responses includes communication. Whether the company employs 10 or 10,000, lack of information and communication significantly increases risk to an organization. One approach to assessing whether a strong risk culture exists is to understand how exceptions are communicated and addressed by management.

Sharing information is powerful, especially with those who have responsibility for executing operational strategies. These individuals possess first-hand knowledge of what works, what does not work and current threats that exist.

Emergence of the Chief Risk Officer

A new C-level position has emerged in recent years known as Chief Risk Officer (CRO). With this position has come the perception that risk is now the responsibility of the CRO. Not so fast. The CRO may help identify and monitor exposure, but risk is owned by the directors, executive management and key operating personnel. Also, though risk may reside with these groups, everyone in the organization plays a role in risk identification and risk management. Ongoing communication and training of this expectation plays a critical role in effective risk management.

So, can all the key risks of an organization be known? For large, complex organizations the answer is probably not. However, to meet this challenge, an organization must emphasize a culture of transparency where information flows freely. With awareness and effective communication, there is less chance critical information will be overlooked and fail to reach those responsible for risk management.

Bruce Zaret, CPA is an Advisory Services partner in the Dallas office of Weaver, a regional independent certified public accounting firm located in the Southwest with offices throughout Texas. Zaret can be reached at (972) 448-9232 or bruce.zaret@weaverllp.com. www.weaverllp.com

Related