Bruce Ferguson looks at the drivers behind risk management, and argues for its prominent position at the heart of every business.

Risk management is an essential tool in the corporate kitbag. It assists organisations of all sizes to take advantage of opportunities by managing risks and limiting potential losses. Risk managers enhance their organisations' bottom lines by implementing sound risk management policies that ensure business continuity and survival in adversity, and help to construct the stable platform from which their organisations can project themselves into a profitable future in which the organisation is seen achieving its corporate goals.

Risk managers must, in reality, be risk management facilitators. No matter how well trained the risk manager, he or she cannot single-handedly take the organisation down the path to prosperity and success. The risk manager must ensure that a risk management philosophy is spread throughout his organisation, from the top level down to the bottom, so that everyone is thinking with a risk management mindset.

The key to successful implementation of any risk management programme is commitment from top management. If the chairman, board of directors and CEO are not fully committed to implementing sound risk management strategies, the organisation will flounder. Risk management is not an add-on function; it is fundamental and essential to sound business management.

In our workplaces, each and every employee has a risk management function. Each has a responsibility to manage risk in his or her part of the organisation. As risk managers, our job is to see that this is achieved. We must oversee the process to ensure no gaping holes are evident, or even tiny holes that may lead to gaping holes if left unattended. Thus every organisation, regardless of its size, should have a risk management plan in place. It should be a key component of the business plan.

Risk quantified
What are the risks facing organisations, and how can they be measured and managed? Fortunately, Australia has the ideal framework on which to build individualised risk management plans. Australia and New Zealand were the first countries in the world to adopt a risk management standard, AS/NZS 4360. The standard was first developed in 1995, and revised in 1999. The document is a generic framework for the risk management process, covering the establishment of context and the identification, analysis, evaluation, treatment, monitoring and communication of risk.

"Risk management is an iterative process consisting of well-defined steps which, taken in sequence, support better decision-making by contributing a greater insight into risks and their impacts," the standard's preface notes. "Risk management is recognised as an integral part of good management practice. To be most effective, risk management should become part of an organisation's culture. It should be integrated into the organisation's philosophy, practices and business plans, rather than be viewed as a separate programme. When this is achieved, risk management becomes the business of everyone in the organisation."

Once the context is established, from strategic, operational and risk management perspectives, the risk management process involves identifying risks. Ask yourself what could happen, and how? The identified risks must then be analysed. What is the likelihood, and what is the consequence? Each risk is evaluated against pre-determined criteria, and a decision made on whether the risk is accepted or treated. Treatment options are varied; insurance is one of many. It is a subset of risk management used to finance the residual risk remaining after other treatment strategies have been implemented, and to ensure organisations are protected from catastrophic exposures.

One of the key differences between the original standard and the revised version is the emphasis on communication. Risk management systems need to be communicated to all affected parties, not just to those in the organisation, but to external stakeholders as well. Risk management training should be compulsory for boards of directors and senior management. No one should be running a company if they do not have a degree of familiarity with AS/NZS 4360.

In Australia, we have seen boards of directors demonstrate a lack of knowledge of the basic concepts of risk management. Evidence presented so far to the HIH Royal Commission, which is inquiring into the circumstances of the collapse of the eponymous insurer, has shown that the HIH board lacked respect for the principles of risk management, which provide the foundation for effective corporate governance. The inadequacy of then-current regulatory regimes contributed to a failure to identify the risk management shortcomings early enough to prevent HIH's collapse occurring or, at the least, to reduce the ramifications it has had for HIH policyholders (both corporate and individual), the Australian economy, the overall strength of the insurance industry, and the industry's reputation globally and domestically.

All publicly-listed companies are required by the Australian Stock Exchange to report on risk management in their annual reports. However, the responsibility for policing this vital aspect of organisations' annual reporting is not clear. A perusal of these documents from some major organisations indicates that this section is frequently given scant regard, which indicates its importance in the overall running of the organisation is probably misunderstood by its board of directors.

Knowledge criterion
Directors should be required to have a sound knowledge of risk management as a criterion for their acceptance to the position. Many prominent board directors have publicly demonstrated their lack of knowledge of the concept. Directors' stock options ought to be on the balance sheet, to ensure accountability. Boards of directors, and not just in insurance companies, have demonstrated that they are not accountable and transparent, so the law must force them to be so. Further, boards should be required to have a majority of non-executive directors, to prohibit boardroom corruption, and directors and officers should be made criminally liable for corporate governance failures where fraudulent practices exist.

Australian Competition & Consumer Commission chairman Professor Allan Fels has called for jail, rather than fines, for breaches of the Trade Practices Act, and suggested it be extended to other blatant illustrations of total disrespect for corporate governance and risk management. ARIMA, the Association of Risk and Insurance Managers of Australasia, agrees. The potential for a jail sentence is a much more powerful deterrent than a fine.

If there is a positive message which has grown from the collapse of HIH and the spate of other corporate collapses in Australia and overseas, it is that the events have prompted greater interest in risk management as a vital element of management practice. Such failures have prompted organisations to look at corporate governance more closely. Australia's auditor general, Pat Barrett, has defined corporate governance as "about how an organisation is managed, its corporate and other structures, its culture, its policies and the ways in which it deals with its various stakeholders."

He said business planning, risk management, performance monitoring, and accountability are key components. "The framework requires clear identification and articulation of responsibility, and a real understanding and appreciation of the various relationships between the organisation's stakeholders and those who are entrusted to manage resources and deliver required outcomes." Mr Barrett identified a mutually supportive relationship between corporate governance, risk management and performance orientation. His comments relate specifically to the Australian Public Service, but apply equally to the private sector. He said that many of the elements of good corporate governance are in place, but they are not always linked or interrelated in a way that allows people in the organisation to understand their overall purpose, and the way in which they need to be co-ordinated to achieve better performance.

It is time organisations are forced to give corporate governance a higher priority. Risk management practitioners, who are suitably qualified to oversee the implementation of sound risk management and corporate governance procedures, should be employed by all organisations to ensure this happens. A risk manager is as important as a chief financial officer or chief information officer, but the role is insufficiently recognised in many major organisations around Australia, and indeed globally. An holistic approach to risk management is essential in any organisation, regardless of whether it is a major corporation or the corner store. Risk management is integral to good business.

  • Bruce Ferguson is president of ARIMA Ltd, the peak body for risk management practitioners.