Risk Management: Achieving the Value Proposition
BY PAUL WALLIS
Government Finance Review, February 2012

Risk management is more than preventing bad things from happening. Properly implemented, it can provide strategic and operational opportunities by focusing activities on what is important to an organization. Risk management creates value by providing opportunities for process improvement, controlling the risks that can hurt the organization most, breaking down silos, and helping the organization achieve its objectives. It empowers employees by better defining the risk framework that management and staff work under, thus supporting more timely decision making and the potential for managing issues before they become problems.

Not all risk is bad. While we tend to focus on the negative when considering risk management, risk is in fact the chance of something happening that might have an impact on a jurisdiction's objectives, and it can be bad or good. As the economic situation requires managers to be more creative in dealing with budget issues, risk can be an important tool, since risk and innovation are inextricably linked. To a large extent, effective risk management can shape an organization's culture.

An effective risk management initiative includes the following attributes:
• It is a coordinated activity.
• It supports business objectives.
• It is strategic.
• It is a process, part of the organization's fabric.
• It supports informed decision making.
• It provides reasonable assurance (because risk is not eliminated but managed).

An organization that understands risk and risk management can take advantage of opportunities that present themselves; in this way, risk management can be a value proposition (see Exhibit 1). For example, processes and controls can be rationalized, and activities focused on the key risks. This enables a more holistic and informed view of programs, services, and processes. In the public sector, there are great opportunities for streamlining processes and being more strategic in meeting citizen needs. Accountability, however, remains a major issue. Citizens expect top-quality service, quickly, yet they also want to be sure taxpayer money is well managed. These conflicting objectives can mean spending more on processes to manage certain risks that would have less of an impact in private-sector organizations, for instance expense reporting, procurement, travel, and training. The public then perceives the enhanced oversight as increased bureaucracy and, to some extent, trusts government less because of it.

DEFINING RISK AND RISK MANAGEMENT

Risk can simply be defined as the effect of uncertainty on objectives or outcomes. Risk management refers to the coordinated activities used to direct and control an organization's response to risk. Effective risk management, also referred to as enterprise risk management or integrated risk management, is holistic, addressing risk that affects the organization as a whole. Risk can arise from internal or external sources, including an organization's inability to achieve its objectives, client dissatisfaction, unfavorable publicity, threats to physical safety, security breaches, mismanagement, equipment failure, and fraud.

Successful risk management is a combination of, and a careful balance between, two key components: risk and cost. Assuming that the questions in the risk and cost columns of Exhibit 1 can be answered positively, the potential value of risk management can begin to be realized.

Exhibit 1: Risk Management as a Value Proposition

Risk
• Does the organization understand the risks it faces?
• Does the organization understand what the key risks are?
• Does the organization have an effective risk reporting mechanism?
• Has the organization defined its risk attitude or tolerance?
• Does the organization accept the right level of risk?
• Does the organization know if risks are being properly managed?
• Does the organization have a comprehensive risk management process or methodology in place?

Cost
• Is the organization focused on the risks that matter?
• Does the organization have duplicating or overlapping risk functions?
• Does the organization leverage automated controls versus manual controls?
• Does the organization optimize the use of technology to manage risk?
• Does the organization have an overall risk mitigation strategy that focuses on minimizing costs?

Value
• Risks aligned to business, program, and process objectives.
• Alignment of risk to customer service.
• More informed decision making as risks, both positive and negative, are better understood.
• Service or program delivery that optimizes risk versus funding.
• The right mitigation strategies (controls) to manage the right risks.

KEY SUCCESS FACTORS

Many public-sector organizations realize the benefits and value of risk management, applying a variety of techniques. Good risk management frameworks are available to help guide implementation, including the global standard, the International Organization for Standardization's ISO 31000 (at www.iso.org), and the framework developed in the United States by the Committee of Sponsoring Organizations, COSO ERM (at www.coso.org).

Unfortunately, organizations sometimes jump right in and try to implement risk management very quickly. This leads to corporate, top-down approaches that can result in failure. Organizations that are already stressed tend to view this approach as just another corporate project that requires additional processes and more work. Another common problem is identifying risks and finding quick solutions without considering the organization's business or strategic objectives or culture. The following five activities are essential to a successful risk management initiative.

Understanding the Organization's Culture.
While it may seem daunting, this is probably the most important step. Public-sector organizations are generally risk averse. Processes and controls are developed to minimize risk as much as possible, sometimes to a degree that causes inefficiency. A hierarchical organization with strong central management, layers of approval processes, and multi-layered controls comprising long, detailed policies and procedures is not managing risk effectively. Instead, it is being managed by risk. Trust and innovation are stifled under this scenario, diminishing the value proposition.

Obtaining Commitment from the Board and Executive Management. High-level support is needed to gain traction. The objective is not to get the board or senior management to mandate a risk management initiative, but to champion the benefits and the value proposition while allocating resources.

Linking Risks to Strategic/Business Objectives. According to a report from the Economist Intelligence Unit, "only 47 percent of respondents [to an EIU survey] believe that their organization is effective at linking risk with corporate strategy."1 Implementing an effective risk management strategy is difficult if it is not linked to the organization's strategic, program, and project objectives. Risks related to achieving those objectives, both positive and negative, should be identified, assessed, and mitigated.

Keeping the Process Simple. Existing frameworks provide good guidance, but overly strict adherence can be a problem. For example, COSO has been criticized as a complicated framework that is difficult to implement. An organization needs to tailor its risk management strategy based on the critical risks it has identified. The value proposition is to identify, assess, and mitigate key risks. The number of risks a jurisdiction's executive management and governing body should address depends on individual differences, but organizations generally consider 10 to 30 critical risks. These risks will be at a high level and will drive more detailed risk management at the management and staff levels.

Recognizing that Risk Management is a Form of Change Management. Organizations that introduce risk management as an overall organizational initiative cannot succeed without paying attention to change management. An effective change management process builds organizational awareness, desire, knowledge, and ability. Risk management has to go through the same process. Organizational buy-in is vital to success. Risk management works well in a supportive, transparent, non-autocratic environment. The culture has to be open, willing to talk about risk, and able to have meaningful, constructive conversations. If the culture doesn't support this openness, success is diminished.

BUILDING THE VALUE PROPOSITION

For risk management to be viewed as a value proposition, it must be a key component of organizational governance. That means it is built into the normal business practices of the organization. Exhibit 2 illustrates a six-step process to help organizations build the value proposition, based on business processes already in place, including strategic and operational planning, performance reporting, and control design.

Exhibit 2: The Enterprise Risk Management Process

Organizational environment or context: culture, risk attitude, governing body/senior management commitment, strategic plan.

1. Define objectives/outcomes: business, program, process or project objectives/outcomes; performance measures (KRI); risk tolerance (KRI).
2. Identify risks or events: risk categories; risk source; event list.
3. Analyze drivers and effects: why does the risk exist? (root cause); scenario analysis (what if?); assessment questions; potential harm (what might happen?); opportunity?
4. Determine significance and likelihood: the relative importance within a given context (impact); the probability or chance of a risk or event happening (likelihood).
5. Method for managing risk: avoid the risk (stay out of the program or business); accept the risk (take a chance); reduce to an acceptable level; transfer (insurance); design to seize the opportunity.
6. Design mitigation strategies (controls): controls mitigate risk; controls are cost effective; control types are preventative, detective, directive, and corrective.

Risk reporting: key risks by category, by event, and the top five.

Jurisdictions need to assess the organizational environment or context to determine risk management readiness. Not all public-sector organizations are ready to embrace enterprise risk management. If there is uncertainty about the culture, commitment, or expected value, it is best to stop here and address gaps. Organizations can use the six-step model as a guide.

Do all areas of the organization understand the key strategic objectives and how the organization's functions and processes support those objectives? For example, a key strategic objective for a public-sector organization might be to "protect, enhance, and restore the environment," and a number of specific business objectives and processes support this objective. They could include recruiting the right people with the right skills, purchasing the right goods and services at the right time, and providing adequate funding. Aligning objectives and defining outcomes sets the stage for risk management.

Given the organization's understanding of its objectives and desired outcomes, how does it measure success; what are its performance measures? And, based on those measures, what is its tolerance for risk? For instance, a certain error rate on processing accounting transactions might be acceptable because eliminating the risk costs more than it saves. What is that rate, and when it is exceeded, can the organization proactively manage corrective action?

Can the organization identify the risks and opportunities that affect its objectives? Analyzing scenarios and asking the "what if" question provides the decision framework needed to identify key risks and balance negatives against opportunities. Potential risk events include natural disasters, economic downturn, funding cuts, workforce availability, privacy concerns, and increased legislation.

Managing each potential risk event or scenario can be complex and time consuming. Categorizing risks is often helpful, as it allows the jurisdiction to manage risks from an organization-wide level. For example, workforce availability might threaten a number of key business objectives. If it becomes an issue throughout the organization, it can be managed as a risk category across the jurisdiction, instead of in silos or at the specific business process or program level. When categorizing, keep in mind that risks do not operate in isolation; they are interrelated or integrated. An operational risk can lead to a reputational risk.

Exhibit 3: Risk Categories

• Reputational Risk
• Strategic Risk and Operational Risk: Political; People; Social; Technology/Information; Economic; Integration; Environmental; Emergency/Business Recovery; Contractual/Procurement; Governance; Service Delivery/Process; Asset Planning; Strategic Planning
• Financial Risk: Credit; Capital Adequacy; Market
• Compliance Risk: Law; Regulations; Policy
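The scoring behind the likelihood-and-impact heat map the article turns to next (Exhibit 4) can be made concrete. The following is an added example, not code from the article or from the Region of Peel: it scores a small risk register by likelihood times impact, ranks it, flags entries above a stated tolerance so they cannot simply be accepted, rolls the worst score up per Exhibit 3 category so a category can be managed organization-wide, and draws the 5x5 grid as text. The eight risk names come from the Exhibit 4 legend, but their likelihood and impact values, the rating bands, and the tolerance of 12 are assumptions for the example; the heat map's actual placements are not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Both axes of the heat map run from 1 (low) to 5 (high), as in Exhibit 4.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    ref: int          # number used to plot the risk on the heat map
    name: str
    category: str     # one of the Exhibit 3 categories
    likelihood: int   # chance the event happens, 1-5
    impact: int       # relative importance if it does, 1-5

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        """Likelihood x impact: one number (1-25) to rank risks by."""
        return self.likelihood * self.impact


def rate(score: int) -> str:
    """Map a 1-25 score to a rating band. The cut-offs are an assumption
    for this example; an organization sets its own."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so a rare but severe
    event outranks a frequent minor one with the same product."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def top_risks(risks: list[Risk], n: int = 5) -> list[Risk]:
    """The 'top five' slice the article suggests for risk reporting."""
    return rank_risks(risks)[:n]


def above_tolerance(risks: list[Risk], tolerance: int) -> list[Risk]:
    """Risks scoring above the stated tolerance cannot simply be accepted;
    each needs an avoid, reduce or transfer decision."""
    return [r for r in rank_risks(risks) if r.score > tolerance]


def rollup_by_category(risks: list[Risk]) -> dict[str, int]:
    """Worst score per category, so a category can be managed
    organization-wide instead of in silos."""
    worst: dict[str, int] = {}
    for r in risks:
        worst[r.category] = max(worst.get(r.category, 0), r.score)
    return worst


def render_heat_map(risks: list[Risk]) -> str:
    """Text rendering of the 5x5 grid: rows are impact (5 at the top),
    columns are likelihood, and each cell lists the refs plotted there."""
    cells: dict[tuple[int, int], list[str]] = defaultdict(list)
    for r in risks:
        cells[(r.impact, r.likelihood)].append(str(r.ref))
    lines = ["impact"]
    for impact in reversed(SCALE):
        row = [f"  {impact} |"]
        for likelihood in SCALE:
            row.append(",".join(cells[(impact, likelihood)]).rjust(4))
        lines.append(" ".join(row))
    lines.append("      " + " ".join(str(l).rjust(4) for l in SCALE) + "  likelihood")
    return "\n".join(lines)


# Constructed register built from the eight risks in the Exhibit 4 legend.
# The scores are assumptions for this example, not the article's placements;
# they only reproduce its stated conclusions (reputational and business
# recovery are key risks; policy is likely but low impact).
REGISTER = [
    Risk(1, "Reputational", "Reputational", likelihood=4, impact=5),
    Risk(2, "Technology", "Operational", likelihood=3, impact=3),
    Risk(3, "People", "Operational", likelihood=3, impact=4),
    Risk(4, "Economic", "Strategic", likelihood=4, impact=3),
    Risk(5, "Business Recovery", "Operational", likelihood=3, impact=5),
    Risk(6, "Credit", "Financial", likelihood=2, impact=3),
    Risk(7, "Social", "Strategic", likelihood=2, impact=2),
    Risk(8, "Policy", "Compliance", likelihood=4, impact=1),
]

if __name__ == "__main__":
    print(render_heat_map(REGISTER))
    for r in top_risks(REGISTER):
        print(f"{r.ref}. {r.name:<18} L={r.likelihood} I={r.impact} "
              f"score={r.score:>2} {rate(r.score)}")
    print("needs a decision other than accept:",
          [r.name for r in above_tolerance(REGISTER, tolerance=12)])
    print("worst score per category:", rollup_by_category(REGISTER))
```

Running the block prints the grid, the top five, the risks above tolerance, and the per-category roll-up. The product score is the simplest ordering; the tie-break on impact is a deliberate choice so that a rare but severe event outranks a frequent minor one, which is exactly the distinction the text draws for policy risk: likely to happen, but a medium-to-low risk because its impact is small.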
Exhibit 3 provides an example of five broad public risk categories and the types of risks that could be attributed to each category.

Once risks are identified, what is their likelihood and potential impact? The assessment process helps management focus on the key risks, enabling quicker implementation of risk management and thus providing value faster. This is a time when opportunity can be realized; the organization can be made more efficient by eliminating services or processes that do not meet business objectives or address any significant risks. Changes like these can reduce bureaucracy and open the door to innovation.

A popular tool for assessing risk is the heat map. Jurisdictions can use internal surveys, risk workshops, or interviews to collect information to populate the heat map, shown in Exhibit 4. Once risk information is collected and analyzed, the organization can develop its risk profile. In this example, reputational and business recovery risk represent key risks and would deserve more attention and mitigation (control strategies) than, say, policy risk, which is likely to happen but unlikely to have much of an impact. As a medium to low risk, it would require less attention.

Exhibit 4: Example of a Risk Heat Map (likelihood on the horizontal axis and impact on the vertical axis, each scored 1 to 5; plotted risks: 1. Reputational, 2. Technology, 3. People, 4. Economic, 5. Business Recovery, 6. Credit, 7. Social, 8. Policy)

DECIDING WHAT TO DO

After key risks have been identified and assessed, four decision options are available:
• Avoid. Decide against providing a program or service because the cost or risk is greater than the opportunity or benefit the program or service provides.
• Accept. Consider options and recognize tradeoffs, if the opportunities presented might be greater than the cost or risk of loss or harm. There is always a level of uncertainty, which is the price of innovation.
• Reduce or Mitigate.
Find a balance between opportunity and risk of loss or harm by evaluating cost versus likelihood and impact, and then implement the appropriate mitigation strategies or controls.
• Transfer. Share the burden with a third party, combining acceptance and reduction of the risk. Examples include insurance, service-level contracts, and partnership agreements.

An organization cannot insure against or transfer every risk, so it needs to make informed decisions about what risks to accept, avoid, and mitigate. Getting the right balance is the value proposition.

If the organization decides to reduce or mitigate risk, a variety of mitigation strategies are available. They include preventative, detective, directive, and corrective controls.

Preventative Controls. These are designed to limit the possibility of an undesirable outcome. The more important it is that an undesirable outcome not arise, the more important it becomes to implement appropriate preventative controls, which tend to be the most cost effective and proactive controls. Examples include authorizations and approvals, physical access controls, and automated controls that limit access or the ability to initiate transactions.

Detective Controls. Designed to identify occasions when an undesirable outcome has been realized, these controls are appropriate only when it is possible to accept the loss or damage incurred and then attempt to correct after the event. Examples include reconciliations, post-implementation reviews, exception reports, and monitoring and oversight controls.

Directive Controls. Designed to ensure that a particular outcome is achieved, this type of control does not prevent or detect undesirable events. Instead, it encourages positive behavior. These are "soft" controls, embedded in the culture of an organization. Examples include value statements, ethics, codes of conduct, policies, performance guidelines, and education and training.

Corrective Controls. These are designed to correct undesirable outcomes that have already occurred. They provide a means of recourse for achieving some recovery against loss or damage. Examples include insurance and business recovery planning.

Organizations need to put the right control in place for a given risk. Apart from the most extreme undesirable outcome (such as loss of human life), it is normally sufficient for a mitigation strategy to give a reasonable assurance of confining likely loss within the risk attitude or tolerance of the organization. Every control action has an associated cost, so the control should provide value for the money spent, in relation to the risk being controlled. Again, generally speaking, the purpose of control is to constrain risk rather than to eliminate it.

The Role of the Finance Officer

The chief financial officer (CFO) plays a significant role in risk management and risk governance. According to a survey conducted by the Economist Intelligence Unit, the CFO was cited as second in ultimate responsibility for risk management content and process, after the head of an organization (chief executive officer or equivalent).* A jurisdiction's CFO and financial officers have a strategic view of the entire organization and can help advise other senior officials and governing bodies about the risks the organization faces. By further integrating the risk management tools available, financial officers can help the organization assess, manage, and report the organization's key risks. However, financial officers do not have exclusive responsibility for risk. That responsibility is organization-wide. Jurisdictions need to develop a risk management culture that builds awareness and organizational buy-in; CFOs and their staffs have an important role in building that awareness and shaping the culture.

* Beyond Box Ticking: A New Era for Risk Management, The Economist Intelligence Unit, 2009.

CONCLUSIONS

Risk management helps expose uncertainty and allows for full exploration of an issue, which helps provide all the information needed to make good decisions for the organization. Although risk management cannot guarantee the one "right" decision, it does help provide the best information possible.

Note
1. Beyond Box Ticking: A New Era for Risk Management, The Economist Intelligence Unit, 2009.

PAUL WALLIS is director, internal audit, for the Region of Peel, Ontario, Canada. He can be reached at [email protected]