Currently, Australian companies exhibit varying levels of ‘risk management maturity’, ranging from:
- organisations that have no specific risk management framework,
- those that ‘do’ risk management only because regulation requires it,
- those that have embedded risk management in all aspects of business management and use risk management techniques to improve overall business performance.
In the short term (1 to 5 years), we predict there will be a significant rise in the trend towards enterprise risk management (ERM) in Australian companies and a shift in focus to performance management. Risk management is rightly being seen as an element of good management and not a discipline in its own right.
Unfortunately, risk management is often ‘done’ because a regulator says it has to be done. Risk management in this case is often just compliance management: no business benefit is perceived, and costs frequently increase. An example of this approach is workplace health and safety regulation, which has spawned an entire industry of safety risk management consultants, software vendors and auditors. While the outcome of this regulatory regime is extremely important and required, it has led to an attitude of “we do this because we have to do it” rather than “we do this because it is the right thing to do for our business”.
The regulatory-driven approach to risk management has typically resulted in silos of risk management within organisations: one focusing on safety, another on financial risk, and others covering whichever further risk domains regulation obliges the organisation to address.
The silos often have their own risk terminology, risk systems and reporting. Individually, they serve a purpose, but at a cost to the organisation. There is a growing realisation, however, that a better approach would be a single enterprise-wide view of risk management, both to bring about efficiencies in adhering to a multitude of regulatory requirements and to use that single view to improve overall business performance.
Risk management is more than just taking out insurance. Unfortunately, some organisations and senior executives still see the extent of risk management as being ‘insurance management’. While insurance can and does play an important role in reducing the consequence (or impact) of a risk event (known as a remedial control), it does not necessarily cause an organisation to put in place measures to reduce the likelihood of the risk event occurring (known as a preventative control). In most cases, prevention is far cheaper than remediation.
Insurance in itself is only one of five risk mitigation measures: the transfer of risk to someone else. The other four risk mitigation measures are:
- actions aimed at reducing the likelihood of a risk event,
- actions aimed at reducing the consequences of a risk event once it has occurred,
- acceptance of the risk as is, without taking any action, and
- not pursuing the activity that could bring about the risk event in the first place.
We are beginning to see a change in thinking in many organisations regarding risk management. Many still see it as a cost of doing business, but recognise that by having a single risk management framework that covers all risk domains, with consistent terminology, risk assessment methodology, and centralised systems, they can reduce this risk overhead and make better business decisions.
Organisations that have started on this journey have a single view of risks, risk causes and associated controls, and can better manage and learn from risk incidents when they occur.
Reducing the likelihood of a risk event, or the consequences of that event, is easier when an enterprise-wide view of risk management is taken. Embedding enterprise risk management techniques into business decision-making processes can and will drive improved business performance.
We are pleased to offer you a complimentary copy of our eBook: "From Risk Management to Performance Management".