Our approach to risk management & control principles
Accepting, managing and controlling risk is fundamental to business success. Good risk management is not merely concerned with mitigating risks, but also with achieving an appropriate balance of risk and return. Adapting risk exposure to the current market environment and managing the profile of the balance sheet should be a strategic priority for all executive teams.
An effective control environment ensures the integrity of a company's processes. Processes with integrity are repeatable, consistent and scalable, and these attributes are integral to producing consistent high-quality returns to shareholders/owners. However, in and of itself, an effective control environment will not yield satisfactory returns; sound risk management practices and a strong ethical culture are also required.
Good risk management starts with the tone at the top. The leadership team should act, and be seen to be acting, in the best interests of the company, always. This extends to personal conduct both inside and outside the company. A strong ethical culture, sound risk management practices and an effective control environment are the ingredients of success. The tone at the top is paramount - risk limits and key controls can be overridden by senior management, and it is for this reason that management's override of controls is a key area of focus for external auditors.
Organisations which fail to adequately manage and control risk can incur significant financial losses. However, possibly more important is the resultant damage to the organisation's reputation, which could undermine its market value through reduction of its client base and impairment of its ability to retain talented employees.
We understand that taking risk is integral to any business and that operational risks are an inevitable consequence of being in business. We work with clients to minimise earnings volatility and to help them minimise exposure to "stress events".
Earnings are protected by controlling risk exposure at the level of individual exposures, at a portfolio level and in aggregate, across all risk types and businesses.
An organisation's reputation is protected by managing and controlling the risks incurred in the course of business and for this reason organisations should avoid risk concentrations of all kinds and limit potential stress losses not just from credit, market and liquidity risks, but also from operational risks.
Who is responsible for risk management in an organisation?
The simple answer is, everyone. Risks emanating from the core business processes are owned and managed by front line management. Front line management is the First-Line-of-Defence (1st LoD), which is responsible for managing risks within the risk appetite approved by the governors of the business. The 1st LoD must manage business activities in accordance with the agreed-upon policies and procedures and within the governors' approved risk appetite.
The Second-Line-of-Defence (2nd LoD) comprises business functions such as Finance, HR, Risk, Health & Safety etc. The 2nd LoD is responsible for establishing the parameters within which the 1st LoD operates. This is achieved through devising and implementing policies designed to maintain material/significant risks within the governors' approved risk appetite. Individual policies should define the relevant risk, where the risk arises (scope) and include unambiguous limits for the risks. Policies should include escalation measures in the event of limits being breached. The 2nd LoD should be independent of the 1st LoD and should regularly issue management information which includes risk exposures against governor-approved limits, incidents where limits were exceeded, and remedial actions taken etc.
The Third-Line-of-Defence (3rd LoD) traditionally comprises companies' internal audit functions. The 3rd LoD independently monitors and reviews the activities of the 1st and 2nd LoDs.
The diagram below details the above:
The Three-Lines-of-Defence model is designed to minimise any conflicts of interest within the corporate structure. That said, each company is unique and the model can be tailored as necessary. The goal should not be to dogmatically impose a rigid governance structure which stifles the business. If the principles underpinning the Three-Lines-of-Defence model are understood, the model can be tailored and applied to suit individual company circumstances. For example, many companies do not have an internal audit function, or there may be a lack of segregation between the 1st and 2nd LoDs. Once these conflicts are understood they can then be managed, and if segregation is not an option then compensating controls and alternative assurance mechanisms can be implemented.
Broad risk categories & risk control steps
All businesses need to control their risks. The nature and magnitude of risks will vary from company to company. All companies face financial risks, for example the risk of non-receipt of payments from third parties (credit/counterparty risk) and/or the inability to meet financial commitments as they fall due (liquidity risk).
All high level (key) risks should be clearly defined and the quantum of risk that the governors are willing to accept for each of the key risks (risk appetite) should be documented and explicitly approved by the governors.
All companies should understand the maximum risk that can be tolerated before they become unviable (i.e. are no longer a going concern). This quantum of risk is defined as the organisation's Risk Capacity. It is self-evident that the organisation's Risk Appetite should be set well within its Risk Capacity.
Risks to an organisation stem from its core (key) processes. The risks inherent in processes can be managed by implementing well-designed controls. These controls are usually embedded in key policies and processes which together comprise the firm's control environment. An effective control environment does not entirely eliminate risk, but it will reduce risk to levels acceptable to the governors. This "Residual Risk" must be maintained within the Risk Appetite approved by the governors.
We can help clients develop a framework for effective risk management. We can work with your staff to help them develop and implement an effective Risk Management Control Framework (RMCF) which will:
- Establish common principles and standards for the management and control of all risks and drive congruent behaviour across the organisation
- Provide a shared framework and language to improve awareness of risk management processes
- Provide clear accountability and responsibility for risk management
We can work with clients to develop a Risk Appetite Framework which is aligned with their business strategy and objectives. The framework will include all material risk categories faced by the business, the quantification of Risk Capacity, and the development and implementation of:
- Risk Appetite(s)
- Risk limits
- Processes to monitor & report risk exposures