• Date: 1/2/2014

Operating with risks in mind 

Enterprise risk management needs to be positioned as an operational management system and embedded in management processes. In a good company, there will be a carefully thought-out sequencing of risk management interventions in the strategic planning cycle. Thinking about risk should be incorporated from the first step of the planning process to the very end, including such things as adverse commodity price movements, labor relations, the lifecycle of the mine or oilfield, and so on. All of this is then translated into the corporate budget, in which the Chief Financial Officer incorporates risk assessments in the budget. All executives need to understand how the different risks affect key performance indicators. “The planning and control functions can play an important role supporting the Chief Risk Officer in linking risk management to business planning,” says Mantovano.

Many companies skip at least one of these steps. Only 14 percent of survey respondents have developed a formal risk appetite statement, even though it is hard to calibrate the risks of pursuing a given strategy without one. Risks are often not measured in dollars, yet companies cannot understand their risk appetite without this. For example, if there is a three-week strike, what is the dollar impact on operating income? Armed with this kind of data, stakeholders can challenge the Board on whether the company is taking enough risk, as well as too much. Is a same-sized competitor valued more highly in the stock market because it is less risk-averse? The difference may be due to its careful, deliberate approach to investing in the midst of uncertainty.

“Risk appetite sounds so bureaucratic to some people; we’re not going to use the data anyway, so what’s the point?” says Wilson. But in fact, “understanding how much risk the organization is willing to take and then having it cascade to decision makers is important.” Companies are often reluctant to hire a risk professional who has primary responsibility for managing risk. The company is not required to call the person the Chief Risk Officer with a bureaucracy set up around the position, but to assign a risk professional with the task of pulling together the disparate strands of risk management and aligning it with the company’s strategic goals.

Risk appetite statement

View larger chart image 




Share this

Share this