A former employee of a leading investment bank recently caused an uproar by accusing his erstwhile employer of sidelining clients' interests and ripping them off. The investment bank quickly went into damage control mode, terming the allegations ‘unfortunate’. However, that proved inadequate and the firm's share slid 3.4 per cent soon after, eroding its market cap by over $2 billion.

Though one could argue that the employee's comments were just an individual perception of the firm, they nonetheless had a harmful impact on the bank's reputation and market capitalisation. There have been several similar incidents in the recent past, including the criminal probe into possible Libor manipulation and phone hacking at the now closed British tabloid News of the World.

Initial investigation pointed to oversight and inadequate risk-management frameworks. Notably, the companies in question were global giants with sophisticated processes, checks and balances. Then how could such slip-ups happen?

Networked, fast-paced business

The answer lies in an increasingly interconnected, fast-paced and competitive business environment. As the complexity and the evolving flat, borderless world are a relatively new phenomenon, organisations fail to gauge the impact of risks and their velocity. The common mistakes of organisations include ruling out seemingly improbable situations, overestimating their crisis management ability, ignoring early warnings and responding slowly.

However, organisations now realise that they should take risk management seriously, even putting it centre stage.

In India, risk management is an evolving function, with many companies facing peculiar challenges on this front. A survey by KPMG in 2011 gave insights on where companies fall short in addressing risks. Two things that stood out were that managing risks is fundamental to achieving business objectives; and risk management is a continuous process that has to be imbibed into the organisation's culture and DNA.

Company boards should involve themselves more deeply in the organisation's strategy than they currently do. Board members should astutely question the strategy and seek information on the management's implementation. Boards should use techniques such as scenario analysis to gauge the impact of unforeseen events such as political tensions in the sourcing country, and regulatory changes on the organisation's business. Such exercises will not only add value to the management's strategy but also help it chalk out backup plans for difficult times.

Organisations should have a structured approach to risk management. Their risk management practices should be proactive and not merely follow a “tick-in-the-box” approach. This is important because a force-fitted and poorly integrated practice will lead to risk management existing only on paper and not in spirit. A case in point is fraud prevention, where proactive risk management would call for mechanisms such as a whistleblower policy, process controls and so on.

Organisations should instil a robust risk culture. Our survey showed that in many cases, there was a conflict between organisational and individual decision-makers' attitudes towards risk. A section of senior management was also found to be unclear about the risk management strategy. Hence, it is important to first assess how well the organisation's objectives and strategy are understood.

An effective risk-management process entails interaction with all stakeholders and addressing issues that affect brand and reputation on a war footing. Adequate time and resources should be invested in understanding the changes brought about by the increasing use of social media — one needn't look beyond the Arab Spring to appreciate social media's impact and reach.

And, finally, organisations would benefit from having a C-level executive dedicated to risk management, that is, a Chief Risk Officer (CRO). In the absence of a CRO, risk management tends to exist in silos, with functional and business unit heads creating their own risk management policies and procedures that suit individual requirements. A CRO can provide an integrated view of the risks impacting the company, especially strategic risks, and create a heightened awareness at the senior management and Board level.

Risk management is a relatively new and evolving function. The complexity and speed of today's business environment have made risk management challenging. However, as long as businesses are open to learning from the past, as well as from each other, the function needn't take long to come of age.

The author is Partner and Head of Risk Consulting, KPMG in India
