Building an invisible framework for risk management

Risk professionals need to alleviate the burden of the risk management framework on the business
by operating an "invisible framework", allowing the management of risks in a more natural, implicit
and proportionate way
Recent years have seen the development of a multitude of risk management frameworks of all
shapes, colours and forms, general or specific, complex, multidimensional or basic. In the face of the
mounting jargon and technicality of the risk management profession, it is important to remember
three fundamental roles of the risk function - none of them to do with vocabulary and techniques, or
even with the management of risks.
Risks must be managed where they arise - that is, at the level of each operation or each transaction
in the business. This is why we prefer the term "risk function" to "risk management", referring to an
activity rather than a role: an activity to be carried out by the business.
Risk frameworks are technical structures helping risk professionals to understand how risks and
controls do or should operate within an organisation, but frameworks do not need to be a
preoccupation or a burden for the business.
Expertise and roles of the risk function
The risk function should fulfil three roles: (1) to assist in the definition of risk appetite for the
business and the board; (2) to monitor the risk exposure within the risk appetite, and to own the risk
management framework; (3) to challenge and to advise on strategic business decisions with regard
to risk taking.
These three roles require expertise in conceptual and technical aspects of risk identification,
assessment, mitigation and monitoring by risk professionals. They also need excellent knowledge of
the regulatory demands and of the environment to ensure business compliance and, finally, they
should understand the business's processes, its capacity, constraints and vulnerabilities.
Defining risk appetite
The first and most important role of the risk function is to set up a process allowing the business to
define its risk appetite.
The UK Corporate Governance Code states that "the board is responsible for determining the nature
and extent of the significant risks it is willing to take in achieving its strategic objectives [and]
should maintain sound risk management and internal control systems". The risk function has a key
role to play in assisting the business and the board to comply with these requirements.
Defining a relevant, specific and actionable risk appetite requires a mature risk management
process. Assessing the risks that a business is willing to take and maintaining "sound risk
management and internal control systems" require identification of the key risks that may negatively
impact the business objectives, the evaluation of the current exposure to these risks, and the
definition of additional controls if this exposure is judged excessive.
Internal controls exist for the vast majority of risks that need to be mitigated. Alternative solutions
relate to risk transfer using external insurance or other solutions, and avoidance - the most radical
way of eliminating a risk by eliminating an activity.
In control design, proportionality is key: better risk management does not imply no risk or controls
at all costs. Similarly, the best risk culture does not necessarily mean the biggest risk aversion.
There is a need to balance risk exposure and the corresponding controls, with what they imply in
terms of additional costs, constraints and slowed-down processes. Internal controls are, of course,
critically important; academic studies on 1,000 US financial institutions demonstrate that internal
controls weaknesses are a strong determinant of the frequency of operational risk incidents.
However, over-controlling small operations and petty issues may have hidden strategic costs in
terms of opportunity loss and diminished strategic ambition. By knowing the business processes and
understanding risk assessment, the risk function can assist the business in defining and operating a
successful risk appetite.
Monitoring risk exposure
Operating and monitoring compliance with a well-established risk appetite also relies on the
definition of the outcome of the risk function, its role within the organisation and the ways to
achieve these goals.
It is the role of the risk function to provide a consolidated view of the risk profile of the business,
and its responsibility to inform the executive committee about the degree to which the business is
respecting - or breaching - risk limits.
These responsibilities require the risk function to have great visibility over the conduct of business
operations, and great understanding of the risk drivers impacting the business and the possible
metrics used to measure these risk drivers, in order to put in place a successful key risk indicator
programme that will allow the proper monitoring of risk appetite. Key risk indicators are an effective
way of trickling down risk appetite to the level of operations, by aligning their threshold to the
business priorities and the risk tolerance statements.
Risk monitoring is not limited to the everyday business process; it must extend to upcoming risks
and threats, including those due to significant changes in the business environment, whether
competitive, technological, regulatory, social or political.
Constant monitoring of the regulatory environment, upcoming trends and points of attention from
the regulator but also from the general public and the media can be of prime importance in early
identification - and mitigation - of potential threats. Some organisations have therefore set up an
"upstream risks" committee, in charge of the surveillance of every aspect of the business
environment that may modify its risk exposure, and responsible for reporting these risks to the
board.
Challenging and advising
The third role of the risk function is to act as a sounding board to the business regarding decisions
that may change the risk profile of the institution. Such business decisions may concern new
ventures, commercial accords or acquisitions, new products or new markets, investments or
divestments.
To fulfil its role in challenging the business, the risk function needs to possess enough delegated
authority to freeze business decisions that may either contradict regulatory requirements or
upcoming possible regulatory scrutiny, or exceed risk appetite, without proper acknowledgment
from the board.
Making the framework invisible
The roles and responsibilities of the risk function are thus important and complex, not least because
of its transversal position across the organisation, having to co-ordinate various businesses and
management personalities, convincing individuals as to the benefits of risk management.
We argue that risk professionals who are able to achieve these challenging objectives successfully
are operating an "invisible framework".
What is an invisible framework?
An invisible framework is substance over form: the content and intent of risk management
supersedes technical terms and tools, to reach a point where all staff manage their risk implicitly, as
part of their day-to-day activities, without necessarily thinking about it.
Making the framework invisible implies that risk specialists reach sufficient levels of expertise and
comfort in manipulating risk management concepts and techniques that they can communicate their
requirements and priorities to the business without the burden of jargon and technique, effectively
making the risk management framework "invisible".
Three attitudes will help companies to operate an invisible framework: using the language of the
business; leveraging existing processes and practices; and providing guidance and using systems to
collect and analyse information.
Use business language
Risk jargon is getting in the way of a constructive relationship between risk managers and business
officers. There is no need to overload the business with specific risk language. It is an interesting
challenge to talk about risk management without mentioning the term "risk". Without reaching this
extreme, there are many ways to translate risk terminologies into concrete business-orientated
questions. "What are your key risks?" can, for instance, be turned into "What could happen that may
impact the achievement of your objectives?" or "What are your main concerns for your business?"
Scenario workshops could start with "What are the largest incidents you have experienced in the last
few years?" and "What are the worst things that can happen to your business?" Discussions
regarding risk appetite limits could be translated into "What are you comfortable with?" or "How
much money are you ready to put at stake?"
Even if senior managers are often familiar with most of the risk language, many members of staff are
not. Translating technical terms into real-life discussions is a powerful way to obtain relevant
information.
Leverage on existing practices
Risk being a support function, it will be better accepted if it adjusts to business concerns
rather than the other way around. We believe that the most successful, accepted and embedded risk
management practices are those embracing business priorities and preoccupations, rather than
trying to conform the business to the risk function's views and concerns.
Operating an invisible framework requires advanced capabilities from the risk managers, not only in
their core risk discipline, but also in showing enough understanding of the business to put
themselves into the shoes of their counterparts and relate to their priorities.
For instance, the reason to fill in a risk register is not so much regulatory compliance as
protection of company assets, profit and loss objectives and strategy achievement. Scenario analysis
comes from the need to protect against large potential losses much more than from the need for
capital calculations. Compliance with regulations is important but should not be at the forefront of
the risk management argument. Protection of company assets and objectives is a better primary goal
of risk management.
Furthermore, the best way to integrate risk management into the processes is to operate a process
re-engineering. This aspect touches upon the large intersection between the six sigma methodology
and operational risk management at process level. Re-engineering processes - only when it is
necessary - is to reorganise the sequence of tasks and controls so that errors and incidents become
naturally less frequent. It is, in the words of James Reason, the author of Human Error, to adopt a
"system approach [that] concentrates on the conditions under which individuals work and tries to
build defences to avert errors or mitigate their effects". It is about setting up people for success
rather than failure.
Six sigma suggests the DMAIC approach: define, measure, analyse, improve and control. It is time
consuming and heavily process based but can, in some instances, be greatly beneficial to the
business via process improvement and default reduction, improving productivity and reducing error.
Only the business has sufficient knowledge of its own processes and potential benefit to undertake a
six sigma review. The risk function, however, also needs sufficient understanding of the business
operations to support the initiative and evaluate its benefits.
Provide guidance and systems support
We all need to be willing and able to act; guidance is just as important as motivation and inspiration
in influencing behaviours. When risk specialists require the business to "monitor their risks", or
"assess their risks" without properly explaining what it means, how to do it concretely and support
them throughout the process, very little value is likely to come out of the process.
In an invisible framework, the task of running risk identification workshops, risk and control self-
assessments, and scenario analyses is not left to the business. These are facilitated by the risk
function - with the involvement of the business of course, but with sufficient guidance, preparation
and background information from the risk function.
Lastly, integrated technology, systems support and, in particular, the risk and incident reporting
structure are of prime importance to ensure a seamless reporting process on incidents, risks and
controls. Here, again, any reporting and information requirements that leverage pre-existing uses by
the business are much more likely to be successfully adopted by the business, highlighting the
benefits of an invisible framework.
In conclusion, we believe that the risk function has a much greater chance of being accepted and
respected if it keeps the risk framework among its own preoccupations and interacts with the
business on its own ground, adopting its perspective and language without losing sight of the
ultimate goal of a safer business and operational excellence. By operating an invisible framework,
risk professionals can keep their technicalities to themselves and provide effective, value-adding
assistance to the business lines, improving buy-in, risk culture and compliance.
Dr. Ariane Chapelle is honorary reader at University College London in operational risk. She is
owner and director of Ariane Chapelle Consulting Ltd
Michael Sicsic is the chairman of ORIC International and group operational risk director at Aviva plc