COMPANIES need to fundamentally shift their thinking about risk management and use it as a strategy to spur their growth objectives, say experts.
"Risk management should not be viewed as a compliance tool to satisfy regulatory, disclosure or reporting requirements," said Neo Sing Swee, a partner with EY, who advises the professional services firm's clients in risk management practices.
"This gives the perception of having to deal with overwhelming mundane risk reporting activities with little or no linkage to business operations or performance."
Rather, an expanded risk management approach should be seen as something that can bring opportunities for companies to grow and improve their performance.
"If successfully integrated and understood, risk management can and should be an enabler to expansion strategies - providing the agility and confidence to move forward through well-defined risk appetite and the necessary checks and balances through risk review, escalation and monitoring," said Irving Low, partner and head of risk consulting at KPMG Singapore.
Critics of an expanded risk management regime have long complained that companies, especially smaller ones, are so overwhelmed by the amount of work required for managing risks that they do not enjoy any benefits from such investment.
In two recent studies, however, EY found that companies with more mature risk management practices generated the highest growth in revenue and earnings before interest, taxes, depreciation and amortisation (EBITDA).
And companies in the top 20 per cent for risk maturity generated three times the level of EBITDA of those in the bottom 20 per cent.
But recent KPMG studies show that many Singapore-listed companies are still challenged in determining what and how much to disclose on their risk management processes.
In an April 2014 study, KPMG found that 31 per cent of all queries issued by the stockmarket regulator related to risk management and internal control disclosures.
Of those queries, 29 per cent did not disclose the "effectiveness" of risk management and internal control systems, and 29 per cent failed to even mention "risk management systems".
Strong risk culture a must
Experts suggest that having a strong risk culture and a robust governance, risk and compliance system in place is essential.
This should be driven by the right tone from the top, establishing clear roles and responsibilities and empowerment, investing in competencies and capabilities, and integrating risk management into existing processes so that it is not a standalone exercise.
Observers also say that before organisations start implementing any risk management activities or framework, they should first ask: "Why are we doing this?"
"If they are just ticking the box because the law or rules say so, then clearly the intention to do it is misplaced," said Mr Low of KPMG.
"Confidence in the organisation will be lost, and to kick-start would require much more effort than the first attempt," he added.
Companies should also actively find the balance between effective risk management and business expansion, noted EY's Mr Neo.
For instance, they can develop a risk-enabled performance management programme that involves integrating risk management into the rhythm of the business.
This means risk management is within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to line management.
"Companies should require that risks and the uncertainties that drive them are tied directly to business objectives, quantified to identify a realistic range of potential outcomes, and used to challenge or validate the assumptions that go into analysis and solutions," suggested Mr Neo.
There are several practical ways for organisations to assess how much risk coverage they need as well as to optimise their risk management coverage.
In a risk-enabled view of the business, EY suggests organisations will need to ask:
- What are the upside opportunities (growth) and downside threats (protection)?
- Where and how is uncertainty introduced, such as strategic choices, processes, external influences, etc?
- How can the company best calibrate and quantify those risk exposures to the business, factoring in uncertainty and vested interest?
- How can existing practices be optimised to ensure maximum benefit from the efforts and resources?
The answers will provide a good view of the company's risk profile, such as how the types, levels and potential impact of the aggregate risk exposures are represented in the organisation's current plans, said EY.
"This allows the actual risk and reward levels to become clearer, and management is able to see the uncertainties and challenges inherent in its choices and investments. This is often a breakthrough moment," said Mr Neo.
KPMG advises its clients that in coming up with an effective risk management framework, organisations will need to establish their risk parameters or risk boundaries.
This sets limits and defines what are considered to be low- and high-risk events. These risk parameters are both quantifiable (such as financial risks) and non-quantifiable or qualitative (such as the impact on reputation).
Once these are defined by management and approved by the board, risks can then be identified and assessed consistently, based on the clearly defined risk parameters.
"This simple approach will help organisations focus on risks which are assessed to be high, rather than all other risks," said KPMG's Mr Low.
"As economic resources are limited, the allocation of such resources should be diverted only to those areas that are more deserving and clearly to those which have a higher impact on the organisation and which may prevent it from achieving its strategic or business objectives," he added.