Contributed by Christoph Schwager
Why risk management always needs a systemic approach – explained along the example of a ‘big four’ firm
It’s common sense that we all live in a world full of risks. And we actually like that. Taking risks is often a thrill. Yet most of the time we have learned to cope with our risks and manage them well. We have routine or experience in doing so.
And then – ouch – the situation gets more complicated: it is not just us anymore, there are many more elements involved – a lot of people, machines, IT, available or missing information, processes, changing circumstances, etc.
Take the situation in my previous company EY, one of the ‘big four’ where I was a partner responsible for the Enterprise Risk Management practice. A firm like EY is a system, made up of many elements that constantly interact to deliver the services to the clients to satisfy the challenging EY internal targets for revenue growth and profitability.
The main elements of the ‘system EY’ are the people who work for EY. They meet and talk, they invent and solve, they deliver the professional services to the clients, they form the firm internal processes and workflows, they decide on assisting tools like the software they use.
As always, target execution prompts risks. Each partner and employee at EY faces the critical risk that they fail and don’t deliver their job according to expectation. They interact and constantly exchange on that. Accordingly, the sum of all risk management activity inside EY is a system – we can call it the ‘EY risk management system’.
Now, to deliver the challenging targets, it is obvious that this risk management system should work as well as possible, because if it fails, the targets are missed more or less badly, there is less profit to distribute and that hurts. There might even be an effect on reputation. Partners and employees who run to manage their targets also run to manage the risk of missing those targets.
Not just in EY but in every company, every top management needs to ask the following questions:
- What about my risk management system? Is it mature enough to avoid as many bad surprises as possible?
- Do my people know what to do to manage risks? Are they experienced enough?
- Do they have the necessary routine to manage the complex risks of the system?
To answer these questions positively, management and employees need to know what the internal risk management system looks like, what its maturity level is and how it operates. Taking no systemic approach creates a big risk that risk management fails.
Coming back to the professional service firms, I’m not talking about the compliance risks like independence. They are well managed with zero risk tolerance. I’m talking about the strategic and operational risks like identifying good opportunities, winning contracts with the clients, delivering each and every service in time, cost, quality, recruiting, keeping the high performing teams happy so that they don’t move on to the competition, keeping the IT systems up to date and good information and knowledge flow running, and overlooking the interfaces and dependencies between these elements. Do partners, managers and employees in professional service firms always have the necessary skills?
The sum of all endeavours to manage these and all other risks is what makes up the risk management system. A risk management system typically includes four intertwined components:
- Organization and scope
- Process and reporting
- Methods and tools
- People and risk culture
All risk management systems vary from initial to leading along the maturity scale for effective risk management. The more complex the risk situation, the more a company should strive to get to leading practice. That involves setting up – especially for strategic, operational and external risks – clear rules for engagement, an effective and efficient organization, an easy-to-follow process and smart methods and tools.
I encourage every top management to reflect on whether they feel secure enough that the people they lead are well enough equipped to manage risks and that the risk management system is mature enough to face today’s speed and complexity.
It is clear that good management of risks correlates with routine in doing so. Then we often don’t even notice that we have just managed risks. Accordingly, the efforts need to be to train this routine with all elements of the system as best as you can.
There are great methods for that. I’ll come back to this in future.
Christoph Schwager is Managing Director SRI Strategic Risk Institute and former Chief Risk Officer, Airbus Group and Partner EY. You can reach him on email@example.com