Thursday, August 28, 2008

Is it Time to Reconsider the Concept of Risk Management?


Seen from an outside perspective, there are several schools of thought in the field of risk management. The Nordic perspective and approach has long been characterised by ‘hard and technical matters’. In the last few years, particular attention has been paid to IT security and business continuity planning, these having gained a firm foothold in risk management work aimed at preventing, eliminating, minimising and controlling risks identified in business enterprises.

Different Approaches to Risk Management

The Anglo-Saxon approach to risk management focuses on compliance and legality issues, placing a major emphasis on the company’s related internal processes. The Sarbanes-Oxley Act, the Patriot Act and other U.S. legislation have played a major part in this Anglo-Saxon approach making a breakthrough all over Europe. As we know, European companies listed on stock exchanges in the United States must follow U.S. legislation.

There are also clear differences in the way municipalities and regions handle their risks compared to private businesses. In many local and regional government units, the risk management function’s duty is mainly to acquire insurance cover in order to manage risks. In only a few exceptions is risk management systematic and holistic and risks prevented with a long-term approach.

Definitions of Risk

The way a company defines risk clearly reflects its approach to risk and risk management. The plethora of such definitions – almost every company has one – ranges from “a threat with major consequences” to “events that prevent the company from achieving its goals”.

In the last few years, we have seen the definition of risk adjusted dramatically, comprising not only traditional risks but also ‘lost business opportunities’, i.e. events that prevent the company from achieving its goals.

An increasing number of companies have started to use the following definition of risk that complies with the Basel II agreement: “Operational risk is a risk of losses resulting from inadequate or failed internal processes, people, technical systems or external events”. Adoption of this definition helps companies to analyse and classify operational risks appropriately and focus more on risk areas that until now have not received the attention they deserve.

From ‘Hard and Technical Matters’ to Soft and Human Ones

One of the benefits of a broader approach to risk is a major shift in emphasis towards human factors. Various cases around the world such as Arthur Andersen, Enron, Barings Bank and WorldCom have proved the amount of risk involved in people and internal processes. Who would have believed that a company like Arthur Andersen, valued at billions of dollars, would be wiped off the map only four weeks after one of its employees spent a few nights destroying documents with a shredder?

These examples have contributed to the fact that risk management focus has shifted to employees, managers and corporate culture in a completely different way than before. Consequently, the importance of key employee dependence, leadership, corporate demography, bonus contracts, internal crime and other such factors has grown substantially.

From an Internal, Backward Approach to an External, Forward One

The events of September 11, 2001 in the United States left deep scars, making companies realise how vulnerable they were to uncontrollable events. Furthermore, the tsunami in Asia and the storm Gudrun have clearly demonstrated the need for a systematic analysis and monitoring of the operating environment.


Elements of an Environmental Analysis

Analysis of the operating environment can be divided into the following areas:

Business Intelligence – simply defined as a way of handling the known and anticipated operating environment (e.g. competitor monitoring) in order to maintain one’s own position.

Scenario planning – briefly expressed as an analysis of the operating environment with a future perspective, where operations are planned on the basis of various, imagined future scenarios.

Trend scanning – the analysis of the unpredictable and unknown operating environment, encompassing broad areas of data, finding unexpected material and increasing one’s lead on competitors.

Disturbance monitoring – the analysis of events such as paradigm shifts and changes in discourse and trends as well as boundary-breakers and passionate persons that turn our lives upside down.

The three key questions of environmental analysis are as follows:

Relevance?
• How interesting is this event from the viewpoint of our operations?
• What long-term implications does this event have?

Impact?
• How much can this event affect our operations?

Timetable?
• How quickly can this event affect our operations?

In many companies, environmental analysis and monitoring has become a key tool for achieving success.

Risk Management of the Future?

In my opinion, risk management has acquired a completely different meaning over a short period of time. Dramatic national and global events have triggered new needs, placing entirely new requirements on risk management, which is now seen as an activity that must support business operations. While I find this a positive trend, it also provides major challenges for those of us who participate in and develop current and future risk management.


Ulf Rönndahl
ulf.ronndahl@if.se

http://ifnews.if.fi/en/