Risk management: tool or administrative nightmare?
“I have seen many, if not most, risk management processes fail within the first year,” declared Louw van der Merwe, director of GRA Services, a company that specialises in risk management services. Here he discusses the reasons for that.
The release of the King Code of Corporate Governance (King 3) last year has brought the concept of risk management to the fore again, with most organisations nowadays attempting to establish a risk management function.
Many risk management processes fail for two main reasons. Firstly, organisations try to do too much too quickly. It’s like trying to move from crawling to playing football in the World Cup in a period of three months. Secondly, the initial risk identification is haphazard. Hundreds of risks are identified, some in more detail than others. The result is a convoluted, administratively intensive process which is difficult to manage and has virtually no long-term benefits for the organisation.
It is important to acknowledge that risk management is neither a new nor a complicated process. Not only is the successful application of basic risk management principles the cornerstone of most accomplished organisations, it is the very reason for their success.
This holds true for small and big organisations. In fact, smaller organisations have a much greater sustainability risk, and are therefore much more in need of the benefits of an entity-wide risk management process than bigger organisations.
The challenge in most organisations is not in the implementation but rather in formalising an existing thought process, and in ensuring that thought process is embedded and consistently understood throughout the organisation. It takes time and is best achieved through simplicity.
The advantages are myriad. Imagine an organisation in which:
- everyone shares the same appreciation for, and understanding of, risks facing that particular organisation;
- every action of every employee, no matter how junior, is focused on addressing a particular risk; and
- the degree of focus and application is commensurate with the likelihood of that risk arising, as well as the particular impact that risk could have on the organisation.
In such an organisation aspects like budgeting and applying resources (both time and money) will be simplified. Top management, directors and non-executive committees (such as the audit committee) will identify and understand key business risks, thereby focusing their energy on those risks that could affect the very existence of the organisation.
The key to managing risks effectively is to take small steps. Don’t get bogged down in detail and make sure you have a knowledgeable and very experienced person on board to assist you, especially in those crucial first 12 months. To get the process right may take up to three years.
For more information contact Louw van der Merwe on tel. (021) 882 8140 or e-mail louw@exceed.co.za.