The risk in managing risk

In today’s business environment, conditions remain challenging for many, and risk retains its position high on every organisation’s agenda. Businesses themselves are changing, which brings new risk horizons. At the same time, they are grappling with the changes brought about by a post-downturn economy and differing geo-political situations in many of the markets in which they operate. The ability to grasp opportunities, anticipate threats, respond and continually adapt is as critical a part of the risk management process as it ever has been.

Some recent research suggests that the most important business risks for 2010 are concentrated in the areas of regulation and compliance. In fact, in my many interactions with CFOs and audit committee chairmen, this area of risk is having even more prominence as a topic of debate and specifically addresses how the organisation should align its assurance functions. In most companies, the governance, risk and compliance functions can be compared to the evolution of a modern airport: demand grows, regulations change and each time the airport gets enlarged, a new part is added; in the end, the whole building is far more complex and less efficient than it would have been had management taken the opportunity to build from scratch.

These risk functions have evolved due to organisational development and external factors such as regulatory change, corporate scandals, as well as the economic crisis and the accompanying general request for more sustainability. Consequently, the risk and compliance functions in most companies operate in up to seven different areas. If not properly coordinated, and few are, companies can find that they are investing excessively in risk functions that cover some risks more than once, while missing other risks altogether – especially those in areas that fall between organisational activities. This also increasingly leads to reporting efforts which do not satisfy the requirements of major stakeholders.

This does not mean that all risk activities should be brought together into one department – indeed, there are significant downsides inherent in separating risk management from the business. Rather, it requires that an organisation explicitly recognises where the risks fall, identifies who in the organisation is addressing the risk areas, and how the whole scope of activities works together, providing greater transparency and ownership of risk within the business rather than delegation to a single function.

Les Clifford is partner and CFO programme chair at Ernst & Young.
