Think about risk management and it’s financial systems that quickly come to mind. Ask Bob Aylwood, vice-president, operational risk at RBC Financial Group, and he’ll get you thinking about it in non-financial ways.
Risk management (RM), which uses a variety of techniques and software to calculate
financial losses associated with everything from fluctuating exchange rates to the effects of natural disasters, is not new. It’s in the limelight though because of a lot of new types of threats from wars to corporate accounting scandals.
“”No doubt, Enron has helped the cause because it grabbed so much attention,”” says Aylwood.
But, and it’s a big but, it’s often the more mundane things in corporate life that pose as great or even greater risk to a company’s financial health. Take, for example, a company that wants to replace its general ledger system. Straightforward enough, right?
Wrong. Risk management will tell you not only whether it’s more prudent to modify an internal system versus purchasing a packaged solution, it will calculate the risks involved and the costs. Those examples can be a lot more real and more immediate to most companies.
William Bishop, president of the Institute of Internal Auditors says risk management has only recently become much broader in scope. And while it may seem obvious, he says: “”You really need to understand the environment and the wide variety of risks out there.””
While world events, volatility in the financial markets and increased competition are usually given as reasons for this new interest in risk management, Bishop says “”vulnerability to IT systems”” should also be high on that list.
The problem is that either upper management is alarmingly unaware of the importance of risk management, says Bishop, or even if they are aware, it has not translated into action. According to a recent survey undertaken by the Institute, two-thirds of organizations do not have a risk management process in place and one-third have no idea of what risk management is, let alone knowing what the risks of doing business actually are.
Bishop says it’s the internal auditor who can champion the risk management cause. “”There is some misconception out there that an internal auditor is a financial thing.”” Increasingly, internal auditors are knowledgeable about a company’s processes and procedures, including its IT systems.
Indeed, many internal auditors see this as welcome news. While often stereotyped as the company watchdog who keeps a tight lid on a company’s expenses, they are the first to recognize it’s the non-financial items that can have the greatest financial implications, and this helps them see new ways to improve a company’s operations.
Steve Taylor, president of Resolver Inc. a Toronto-based supplier of risk management software and services, says “”the hybridization of the risk management and internal audit roles”” is a key trend that will only accelerate.
“”Without question, the discipline of risk management, which has for years matured inside financial institutions, is now being propagated to the business community,”” he says.
One new area is sales and marketing, which demonstrates that not only can risk management applied almost anywhere, it can also be as complicated or simple as you want it to be.
At Labatt Breweries of Canada, in a few hours, senior management was able to debate, identify and score five key “”priorities”” starting with a list of 30, using risk management techniques.
That executive team began by identifying a risk universe consisting of barriers that might prevent a company from meeting its sales targets, then assigning a value and/or voting on all of those risks.
In the background, the software does the calculations much like a spreadsheet might be used to do a sales forecast. Performed like this, risk management can be done in a half-day or full-day workshop.
On the other end of the spectrum is operational risk management which is much more quantitative, often using complex algorithms to determine, for example, exposure to risk at a financial institution. It’s this form of risk management that will only get more complicated.
With sets of regulations such as New Basel Capital Accord, (which says by 2007, every major financial institution in the world will be forced to comply with stringent requirements on reporting and documenting measures for market and credit exposure calculations), risk management will get a greater sense of urgency.
The time to think about it is now, says Aylwood, because when the accord kicks in, RBC will have accumulated three years of operational loss data, which will help it prepare for a test run of Basil II compliance reporting requirements planned in 2006.
For Aylwood, though, risk management is not just about “”forced compliance.”” It is also, plain and simple, a “”better way to run your business.””