Whenever you see a fatal road accident, do you strap on your helmet, or do you feel this can never happen to you? If you feel the latter, you are definitely from a world where ignorance is bliss. In this fast-moving world, no one is immune to disaster.

This is true of any business enterprise. In order to be successful, you need to take risks. That does not mean you should take blind risks; business is all about making informed decisions.

If this sounds familiar, then welcome to the world of enterprise risk management. Every leader who understands this very nature of business risks craves to avoid operational surprises. So how do you channel your efforts to avoid operational surprises?

Every organisation needs to embrace a culture of risk management, just like the culture of TQM, TPM and Six Sigma that transformed the manufacturing sector.

Intelligence on what could go wrong helps get the right things done.

Organisational culture

An organisational culture of openly talking about risks should be promoted. The notion that risk management is a cult of pessimism needs to be retired. A risk-aware organisation has a better understanding of its strengths and weaknesses.

It, however, is not the job of a few individuals at the corporate office. It is the responsibility of each and every individual.

Business users should be trained to consider risk in every activity. Even if the organisation has a designated Chief Risk Officer, he can at the most perform the role of a coordinator to standardise the process. The responsibility to identify and mitigate risks should always rest with business users, since they are the experts of their own process.

In many high-profile scandals, it has been found that people engage in malpractices not to financially defraud the organisation, but to show better performance. The possibility of performance-related malpractices can be reduced through Specific, Measurable, Achievable, Realistic and Timely (SMART) goal setting. The culture of looking at failure as an embarrassment needs to change. If there were SMART goals and an opportunity to improve, many of these malpractices would not have happened.

Promoting accountability

Apart from intentional fraud, most other operational surprises are due to oversight, negligence or lack of awareness.

Institutionalising a system of self-audit and self-assessment will promote voluntary compliance and accountability. A neatly designed self-assessment checklist should bring out the regulatory and business requirements in a clear and concise manner. A system of self-assessment provides the opportunity to rectify a business issue before it gets out of hand.

Stakeholders should not be penalised for issues brought to notice through self-audit/self-assessment; rather, they should be given the opportunity to rectify them. The composition of the organisation’s internal audit team needs to evolve with the business environment.

Moving away from the traditional job description of an internal auditor, the internal audit team should also comprise engineering, IT and operational experts rather than just finance and audit experts. This is because the focus areas for internal audits are evolving beyond traditional business processes. Niche areas like cyber security and product lifecycle management are also responsible for business surprises, as in the case of GM’s India unit violating vehicle emission norms. The internal audit function within the organisation should be independent and objective. Though business inputs may be considered, the scoping of audits and audit plans should be the prerogative of the Chief Audit Executive as well as the Audit Committee.

The Chief Audit Executive must report to a level within the organisation that allows the internal audit activity to fulfill its responsibilities. The internal audit team should never assume responsibility for implementing a remediation action plan. All these independence requirements ensure that quality audit issues are brought to the notice of the senior management before they become surprises.

Whistle blowers

The most collusive and structured frauds have been brought to notice not because of internal/external audits but through some sort of internal leads. However prudent and diligent the audits, there is still a possibility of structured frauds surviving for years. This necessitates an efficient whistle blower system. This could be IT driven or manual.

Leads on fraudulent events need to reach the right individual within an organisation before they become public. The individual designated to operate the whistle blower system should be a person of high standing and integrity.

The whistle blower should remain anonymous. The leads gathered should be subjected to an impartial investigation before disciplinary action. This boosts confidence in the system and ensures that even if the event does go public, the organisation will be better prepared.

There is no panacea to avoid surprises, but little improvements to governance go a long way in reducing the risk.

The writer is a Governance, Risk and Compliance Consultant at the Enterprise Risk Management Practice of Robert Bosch
