At the most basic level, management strategy is the implementation of a set of plans aimed at accomplishing specific goals or objectives. Organizations across different industries often employ management strategies to give direction and guidelines that when executed effectively, the firm’s goals and objectives are accomplished. More specifically, business strategies are concerned with enhancing general organizational performance. Risk management is an example of a managementstrategy that organizations are continually implementing to identify risks that could affect operations and mitigating the occurrence or effects of these risks using managerial resources. The emergence and indication of these risks may stem from the organizational activities caused by human resources; technology; corporate environment, both internal and external among others. The essence of risk management is to develop proactive management of risks that will ultimately lead to organizational success (Power, pg. 22).
Risk, Risk management, and enterprise risk
By definition, risk is the integrated combination of uncertainty in the probability that a potential future harm may occur due to an action and that the severity and nature of the outcome may hamper the achievement of on organization’s goals and objectives, such as financial loss or system breakdown which may have adverse consequences for company credibility, financial capacity, and hampered operations. The likelihood of risks occurring is uncertain and inevitable given the nature of humanity. There are different types of risks depending on the context and department of the organization that will be affected, for example, it can be a financial risk, systemic or technical risk. The severity of risks will prompt different reactionary measures. In authorized financial service, firms implement controls to identify and monitor any potential risks they may face such as breaches (Unit 6, pg. 180).
Risk management is the management discipline that integrates the identification of risks; their analysis and assessment; development of preventive and reactionary strategies to manage the risks; and the mitigation of potential outcomes using managerial resources. The scope of risk management and the methods differ for every organization depending on how they categorize the severity of the risks they are likely to encounter and the outcomes. As a result, there is thedifference in approach across sectors, for example, the financial industry may evolve and implement different methodologies to those of the health sector. Additionally, within the same industry, various organizations may adopt novel strategies. However, the common and important concept of risk management is that it should not be an isolated function specific to organization’s departments. A strategic approach to risk management should be implemented such that it traverses general cultural and organizational inputs (Unit 6, pg. 181).
Enterprise risk is an integrated and combinational approach to managing risk by accounting for all potential organizational risks across different departments and implementing common strategies to mitigate them with the aim of achieving organizational goals. The integration and interaction of various types of risks facilitate better handling and efficient management.
International Standards on Risk Management
While there are varied definitions and contexts of risks that are unique to every organization, there are generic risks that are inevitably familiar in every organization referred to as generic risks. The generic risks are defined by International Standards, which are regulatory frameworks and guidelines that empower business managers on how to effectively tackle risk management. In the UK, three risk management regulatory bodies, the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers and the National Forum for Risk Management in the Public Sector provides lists of commonly accepted international standards for handling risk management. Some of the commonmeasures that have been implemented in full or in modified fashion by organizations all over the world include:
- ISO 31000: 2009- risk management – Practices and Guidelines
- A Risk Management Standard- IRM/Alarm/AIRMIC 2002
- ISO/IEC 31010:2009 – Risk Management- Risk Assessment Techniques
- COSO: 2004- Enterprise risk management- An integrated framework
- OCEG “Red Book” 2.0: 2009- GRC Capability Model
- BS 31100: 2008- Code of Practice for Risk Management
Reference to standards encourages compliance and regulatory guidance regarding the best practices in risk management. Given the diversity of risks and their evolving nature, these standards are equally evolved and developed in tandem so that new methods are developed to combat the ever-changing business patterns (Unit 6, pg. 181).
Risk Management process in a financial services context
As mentioned, the implementation of effective risk management requires the integration of individual and organizational accountability to channel efforts to make the risk management process effective at each stage. The stages and the activities in each stage need to follow a systemic flow so that solutions can be administeredefficiently. The initial step of the risk management process is the analysis phase which involves recognition, depiction, quantification or estimation and examination of potential risks.
- Risk Identification/ Recognition
This is a methodical process of analyzing and identifying the indication of uncertainty and potential occurrence of risks for an organization. It requires a comprehensive understanding of the internal and external logistics and the environment of the organization, such as operations, technologies, thelegal, political and social environment within which it operates. Once a firm recognizes these risks and fully understands their characteristics, they can implement management strategies aligned with their key objectives.
- Risk description
This stage involves using a description template to structure to identify the scope of potential risks further. It is a major step that serves as a prelude for subsequent steps because it allows for further identification and categorization of risks by highlighting features like the name, type, causes, scope, frequency, tolerance, vulnerable areas, potential action, and strategy for tackling risks. If this step is flawed, subsequent stages in the process of risk management may fail.
- Risk Quantification and estimation
At this juncture, the identified risks are assessed and categorized regarding the probability of occurrence or severity of the outcomes should they occur. The degree of categorization for consequences can be differential depending on the ease in quantification, such that, some outcomes can be easily quantified like afinancial loss, while others are difficult like tainted reputation. Usually, firms categorize risks using a high, medium and low categorization system.
- Risk evaluation
Risk evaluation involves decision making on which risks are acceptable or negligible and which ones are necessary to mitigate. Prioritization of risks can influence the decision as either high or low and whether the consequence of taking no action will not be severe. Additionally, the cost of mitigating risks to avoid escalation is takeninto consideration.
- Risk treatment
This stage encompasses different potential activities that could be used to implement a course of action to modify or mitigate risks if they are classified as falling outside a firm’s appetite. There are four critical elements in the risk treatment stage which include, risk acceptance, risk mitigation, risk transfer and risk avoidance.
Post- risk mitigation monitoring is necessary because risk management is essentially a continuous process because risks are ever-changing and regular policies, controls and responses need to be continually addressed (Unit 6, pg. 182-185).
Risk-based and Cyclical approaches to Risk Management- Advantages and Disadvantages
There are two key options for approaching risk management. The risk-based approach prioritizes risks based on thehigh probability of occurrence. The cyclic approach, on the other hand, involves reviewing risks and mitigating them in a sequential manner. Both approaches are credible and efficient when applied with unique advantages. The risk-based approach has the benefit of addressing high probability risks that can have adverse effects on an organization’s operations and objectives. However, it does not propose reviewing all risks and the eventuality of lower probability and impact risks being ignored and causing harm should they materialize is often never addressed. As a result, depending on their nature, the effects can eventually become severe. In the cyclic approach, the element of reviewing risks is highly advantageous because it enables abetter understanding of the nature of risks and their impact. However, when risks are mitigated in chronologicalorder, it can be potentially dangerous if high risks with high impact are not scheduled for priority mitigation. Ultimately, most firms incorporate a hybrid approach encompassing both approaches which involve a review cycle and prioritization and mitigation of urgent high risks (Unit 6, pg. 186).
Types of risks faced by financial services businesses
Some of the key types of risks that financial service firms are likely to encounter include,
- Regulatory risks- these are risks that occur without as a result of lack of adherence to regulatory requirements. It goes beyond regulatory compliance to financial regulators and includes all regulations affecting the entire organization. They include Prudential, compliance, competition and legal risks.
- Reputational risks- these are risks that have the potential of adversely affecting a financial organization’s reputation and image in its industry, market, and stakeholders which include customers, industry peers, suppliers, and investors. These risks affect an organization in the sense that reputational damage significantlyhas an impact on a firm’s competitive advantage.
- Financial risks- due to the nature of financial firm’s operations, these are the most common risks encountered. They include tax compliance and reporting risk, liquidity assessment risk, budget and capital planning/calculationrisk,
- Market risk- according to the European Banking Authority, market risk is defined as the risk of making losses due to shifting market prices which affect in and off-balance sheet positions and trading books. Foreign exchange risk is an example (Unit 6, pg. 189).
Roles of the board, the compliance function, the business units and individual employees in a successful risk management process
The board’s responsibility should be responsible for overseeing thegovernance of risks by proving strategic by implementing risk management policies and appointing risk management teams, such as a board risk committee for mitigation. The board also has the task of overseeing and ensuring senior management develop valuable systems for risk management that align with the firm’s objectives.
The compliance function or department is responsible for ensuring that a firm adheres to risk management policies and processes by developing implementing a policy structure. The function of conformity differs depending on the structure and size of a firm. Large corporations implement multi-layered and structured systems of compliance that incorporate three essential functions, risk management, oversight, and assurance.
The business unit is responsible for thedevelopment of efficient risk management processes, monitoring and reporting of potential risks to the risk management team on a daily basis. It requires anunderstanding of risks that are likely to occur and includes collaborative efforts from all departments, legal, HR, accounting, marketing, etc.
Finally, employees ought to understand that risk management is part of organizational culture and that they should be accountable and responsible for their individual risks and report risks promptly to the risk management team.
Regulation of risks- severity and extent of regulatory breaches, sanctions and Production Orders
Organizational operations and economic value can be hampered by regulatory risks because it can lead to thewithdrawal of operating licenses by a regulator. Therefore it is important to understand the dimensions and consequences of breaching regulatory risks and how to tackle sanctions or court orders. Management information (MI) is a fundamental aspect of understanding and dealing with regulatory concerns and enforcement. A regulatory concern can be defined as any indication that a statutory obligation is not followed accordingly and a breach occurs. The compliance officer is responsible for the assessment of regulatory breaches, for example, the nature and level of criminality encountered, the reason for the violation and the parties involved. Thereafter, it is important to categorize the breach regarding the significance and severity if the breach and developing a risk-based approach to tackle. It is important to conduct an internal investigation to determine the steps for resolution, for example, assessing an audit trail or interviewing employees for feedback. The internal investigation should be carried out by parties who are independent of any involvement in the breach and after that informing the relevant authority as the board, senior management or a regulator. Additionally, a regulatory officer may visit the organization to conduct an external investigation, and it is important to be prepared for such a visit. Regulatory investigations are usually conducted through legal instruments known as Production Orders or Investigatory Warrants. These legal instruments allow regulatory officials to carry out investigations and allowing them to obtain relevant documentation or statements as evidence, such as, bank statements, account signatories records, pay-in slips, telephone conversation records and correspondence, etc., which eventually can lead to the issuance of a court order. For documents that are considered private and confidential and whose acquisition by regulators may potentially violate client confidentiality, a legal professional privilege can be administered. However, it is important to note that legal institutions do not treat financial firms differently and a disclosure of confidential documents can be effected through compulsion law. Regulators have the power to implement sanctions by law, for example, under the FCA, the Financial Services and Markets Act 2000, the PRA, on financial firms that have regulatory violations like, public censures, disgorgement, authorization or license withdrawal, financial penalties, etc.
The link between Risk management and the GRC control framework
A firm’s risk management process should be aligned with the firm’s GRC-system. This link can be detailed in four distinct processes:
Risk assessment and planning
Firms encounter risks from all segments and departments due to continuous emergent issues such as globalization or market conditions. It can be difficult to plan for every possible risk and impact, but it is important to monitor any potential risk.
Risk identification and analysis
This process involves the recognition of risks in detail and consequences that they present. It also requires assessment and quantification of risks so that mitigation strategies can be administered.
Developing a risk response strategy
After the identification of a risk, it is important for a firm to develop strategic plans to counter the materialization of risks or to remedy or mitigate the consequences of dangerousrisks. The risk response strategy should also capitalize on future opportunities in risk analysis.
Monitoring the occurrence of risks
Risk monitoring is a critical aspect of the GRC control framework and aligns with the essence of risk management where the likelihood of a risk occurring is monitored and should a risk occur its status post-mitigation is monitored as well.
Making sure risks do not happen again
This process prevents the recurrence of risks. For example for financial firms that have encountered a regulatory breach that affected their financial capabilities or reputation, it is important to initiate remedial actions and investigative plans to strengthen their systems or operational activities.
Power, Michael. The risk management of everything: Rethinking the politics of uncertainty. Demos, 2004.