Our Top Ten Steps To Establishing Risk Management Procedures

The Wall Street Journal recently reported that Senator Charles Schumer (D, NY) is introducing a bill on Corporate Governance.  “One provision would require the boards of public companies to appoint special committees to oversee risk management, according to a draft of the proposed legislation reviewed by The Wall Street Journal.  The Securities and Exchange Commission is considering a rule that would require boards to disclose their role in managing risk.”[i]

While you might think that will not apply to private companies, think again.  Just as with Sarbanes-Oxley, private companies that have public company investors or lenders, as well as investment advisors and fiduciaries, may well have to demonstrate their risk management procedures and show their documentation to auditors and their financial stakeholders.  In addition, risk management does not apply only to financial institutions.  While much has happened in the financial markets in this past year to show that many financial institutions ignored risk management, it applies equally to real estate companies, manufacturing companies, consumer products companies, etc.

We have had significant and recent experience assisting clients to design, implement and document risk management processes.  Here are our top ten steps to establishing risk management.
1. Ensure Senior-Level Commitment to Risk Management.  With all that has happened in this current economy, it should be obvious that many companies now on the ropes simply did not have their eye on risk management.  Many Board members, increasingly concerned with director liability issues, will be pushing hard for strengthening their risk management processes.  Ensuring senior-level commitment for risk management should be a given; however, it is a fundamental necessity for anyone involved in establishing or maintaining risk management procedures.

2. Determine the Board’s “Strategic Appetite” For Risk.  Consider the Lehman Brothers or AIG Boards of, say, several years ago.  Their strategies were to get into derivative instruments, taking on huge amounts of risk with what they thought were reasonable rewards.  At the end of the day, it seems that they were not paid for the risks they took on, given the ultimate consequences.  Fast forward and ask yourself: if you were a member of either of those Boards today, would you have the same appetite for the risks they took given the same rewards?  Probably not.  That is a simple example of what we mean by determining the Board’s strategic appetite for risk.  It’s OK to take on risk, as long as you know what the risks are and are fairly compensated.  Boards in the past did not.  Boards in the future will need to be more mindful of their strategic appetite for risk.
3. Identify the Risks To Be Managed.  There are several methods for identifying risk, including interviewing key department heads, sending out questionnaires, etc.  The method we have found most efficient and complete is to get a cross-functional group of key executives all in a room at the same time and focus on one aspect of the overall business in a facilitated brainstorming workshop environment.  Then repeat that workshop for another aspect of the business until all processes have been covered.  We find that the interchange of discussion among the key players provides a more fertile process for identifying risk than sitting with one key person one-on-one in their office.

One important aspect of facilitating a risk identification meeting is that everyone’s ideas are important no matter how “out there”, especially when identifying potential risks.  I once attended a risk management seminar and one of the speakers was going on about the importance of planning for pandemic risks such as what we are witnessing with the Swine Flu.  Many people I know would probably have considered discussing such a risk to be a waste of time.  No longer.  The lesson to be learned from that is to be receptive to identifying a wide range of new ideas concerning potential risks, not just the obvious ones.

4. Prioritize the Risks Identified.  Once the risks for an area have been identified, and in the same meeting, prioritize those risks into categories of High, Medium and Low with respect to Probability of Occurrence.  In addition, create categories of financial impact should the risk actually occur.  In that way, the higher-probability and more costly risks can be prioritized for process redesign and presented in a color-coded format similar to the table that follows.
Risks Identified          Probability of Occurring   Impact if it Occurs   Weighted Priority
Various risks identified  High                       High                  High
                          High                       Medium                Medium
                          High                       Low                   Low
                          Medium                     High                  High
                          Medium                     Medium                Medium
                          Medium                     Low                   Low
                          Low                        High                  High
                          Low                        Medium                Medium
                          Low                        Low                   Low
5. Design the Baseline Risk Management Processes.  Once the risks are identified and prioritized, baseline business processes can be designed to mitigate those risks.  By “baseline” processes, we mean the processes for the core or largest components of the business, with an emphasis on “normalizing” or standardizing the processes across as many of the core business units as possible.  This is especially important in a business that has grown through acquisition or where there are many offices or business units all “doing their own thing”.  In contrast, sound risk management processes require as high a level of procedural standardization as possible.

6. Adjust the Baseline Processes For Business-Unit Operating Differences.  Once the baseline risk management processes are designed, they may need to be adjusted for legitimate business-unit operating differences.  By that we mean differences resulting from, say, operating in different countries with different laws and business practices, or unavoidable differences between dissimilar business units that preclude strict standardization.  We call those “hard differences” because they are hard to overcome through standardization, as compared with “soft differences”, which are simply internal differences such as nomenclature or internal processes that vary from country to country or office to office and that could more easily be standardized.

7. Document All Risk Management Processes.  Process documentation will be necessary for training, to ensure ongoing compliance and to demonstrate to outside auditors and possibly even investors the procedural framework for the risk management processes that have been implemented.  We have developed our own very efficient approach for documenting risk management processes.  For more information on that, please visit our web site page, “Process Documentation”, at FTG Approach to Process Documentation.  There you can follow a link to our white paper, “The Fast Track Approach to Process Documentation”.
8. Implement IT Toolsets To Support Risk Management Processes.  If risk management processes are to be durable and efficient, they need to be automated and supported by IT toolsets that make their compliance routine and mandatory.  For example, in a transactional compliance monitoring area, one would expect to see automated e-mail ticklers and automated reporting to highlight procedural compliance issues prior to actually funding a new transaction.  Any procedural non-compliance would automatically prevent funding.

9. Conduct Training.  I have seen more issues of non-compliance excused because of a lack of proper training.  Moreover, I have heard something similar to the following many times over: “We didn’t train our people in these new procedures, so it’s not really their fault that they are not in compliance.”  If there is going to be a serious effort at implementing risk management procedures, there needs to be an equally serious effort at training.  That should include some measure of testing to ensure that people demonstrate that they know what is expected of them and that the training was successful in communicating compliance expectations.

10. Monitor Compliance.  Compliance monitoring starts early on after implementation with a walkthrough to ensure that the risk management procedures are functioning as they were documented and as expected.  That should be performed by someone or a group independent from the business unit being reviewed, and by someone or a group competent at doing walkthroughs and transactional testing and preparing written deficiency reports.  Typically an internal audit group that has done internal controls or Sarbanes-Oxley walkthroughs would have the skills to perform such risk management walkthroughs and to write up deficiencies.  Those deficiency write-ups should be reported to the Board – and that step alone really gets everyone’s attention and gets them on the compliance bandwagon.
If the current economic environment has taught us any lessons, one should be that risk management is not a luxury to be practiced only by high-minded Best-In-Class companies.  It also appears likely that risk management standards may soon become a government-mandated set of regulations, codified similarly to Sarbanes-Oxley – only broader in scope, beyond just financial reporting risk.
© 2016. The Fast Track Group, LLC. All Rights Reserved.

[i] Dvorak, Phred and Scannell, Kara. “Investors, Take Note: New Bill to Target Boards, ‘Say on Pay’”. The Wall Street Journal. 25 April 2009.

last edited on May 13th, 2009 at 4:22 PM