Corporate Compliance Insights

Can Risk Management Even Be Effective?

by Alex Sidorenko
February 13, 2017
in Featured, Risk

4 Signs of a Strong ERM Program

There’s always room for improvement, particularly when it comes to managing risk. But the concept of “risk management effectiveness” remains vague. Alex Sidorenko outlines four signs your organization’s risk management program is robust – and doing its job.


Lately, everyone – from government agencies to regulators to corporate board members – seems to be talking about the need for better, more effective risk management. The challenging part is that, despite the guidance provided in ISO 31000:2009, the concept of risk management effectiveness remains vague. This article summarizes the basic components of effective risk management, which should help risk managers respond to the challenges set by regulators and shareholders.

The team at the Institute for Strategic Risk Analysis in Decision Making (ISAR) and www.risk-academy.ru has been studying risk management for more than 15 years, and we firmly believe that effective risk management is only possible when all four criteria below are met. These criteria are based on ISO 31000:2009, the most widely used risk management standard in the world (translated and officially adopted in 44 of the 50 biggest countries by GDP).

1. Integrating Risk into Decision-Making

One of the most important tests of true risk management effectiveness is the degree to which risk management is integrated into decision-making. ISAR research shows that companies capable of systematically integrating risk management into planning and budgeting decisions, investment decisions, core operational business processes and key supporting functions achieve a long-term sustainable advantage. Consider the example of a large investment fund that makes investment decisions only after an independent risk analysis and runs simulations to test the effect of uncertainty on key project assumptions and forecasts. Another example is a large airline that makes strategic decisions by choosing between several quality alternatives, with a risk assessment performed for each alternative.

“For us, it’s very important that risks are taken into account when investment decisions are made. That’s why risk assessments are mandatory for all investment decisions. Risks are identified and evaluated by both the project team and the back-office departments, including legal, finance, scientists, strategy and others. This ensures a more objective and independent risk analysis when making investment decisions.”

– Konstantin Dozhdikov, Head of Risk, RUSNANO

2. Strong Risk Management Culture

Human psychology and the ability of business managers to make decisions in situations of great uncertainty have a huge impact on risk management effectiveness. Nobel laureates D. Kahneman and A. Tversky conducted exceptional research in the field of risk perception, showing that most people, consciously or subconsciously, choose to be ignorant of risks. A robust risk management culture is, therefore, fundamental to effective risk management. Take, for example, a large petrochemical company that used online and face-to-face training to raise risk management awareness and competencies across all staff levels. The company also allocated resources to integrating risk management principles into the overall company culture. Another example is a government agency that documented transparent discussion and shared information about risks as one of its corporate values and communicated these values to all employees.

“Training is one of the most important factors in the development of a risk management culture. Risk management can become an effective tool as soon as every employee understands what it is and how it applies to their personal area of responsibility. There are many different kinds of risk management training. It could be risk induction training offered to all new employees. Induction training should include a short explanation of the risks that might arise, information about risk management as a useful tool and how to use it when making day-to-day business decisions. It is also useful to conduct separate, specialized risk management training for department heads and key managers in order to help them integrate risk analysis into key business processes. The main thing is to remember that training is not supposed to be a one-time measure and, on the contrary, should be offered on a regular basis. Training sessions can be led by your company’s own risk manager or an external party, but either way, the trainers must possess relevant competencies and qualifications.”

– Lubov Frolova, Head of Risk, Tekhnodinamika

3. Disclosing Risk Information

Another criterion for effective risk management is the willingness and ability of an organization to document and disclose risk-related information both internally and externally. A mature company not only documents the results of risk analysis in its internal decision-making processes, but also discloses information about risks and their mitigation to relevant stakeholders where appropriate, in external reporting or on the company website. It is also important to note that since actual risk information may be sensitive and contain commercial secrets, the focus of disclosure should not be the risks themselves, but rather the risk management framework, executive commitment to managing risks and the culture of the organization. Many organizations tend to treat this as a formality, often copying and pasting risk management information in external reporting from year to year without any update.

Remember that disclosure of risk management information allows companies to both make and save money. For example, the insurance market reacts positively to a company’s ability to disclose information about the effectiveness of its risk management and control environment, offering a reduction in insurance premiums. Banks and investors also see risk disclosure in a positive light, allowing companies to lower their financing costs.

One large mobile network operator takes risk reporting particularly seriously. Its approach changed after an IPO. To this day, risk reporting as part of its annual report is not just a recount of the typical risks within its industry sector, but a reflection of key risk management changes and achievements over the last period. Risk reporting is composed of two parts: 1) a general description of events linked to risk management within the company; and 2) a description of key risks facing the company over the year. In the first part, risk managers give a detailed description of significant risk management events that occurred within the company that year. For example, there could be a description of how closely the company is aligned with the ISO 31000:2009 principles or how the company has strengthened its risk culture. The second part describes common risk categories facing the company. This should point out the typical risks in the industry sector, as well as the most significant risks identified over the past year. Additionally, the description of each risk should include the status of mitigation actions taken to manage the risk, their effectiveness and the anticipatory measures that the company intends to take in the future.

4. Continuously Improving Risk Management

The final criterion for effective risk management has to do with the continuous improvement of the risk management framework and the risk team itself. One investment fund achieved this with the help of a regular assessment of the quality and timeliness of its risk analysis, annual risk management culture assessments and a periodic review of risk management team competencies. For example, professional risk management certification helps to boost risk team competencies. One of the reasons behind the need for constant risk management improvement is the rapid development of the risk management discipline. The ISO 31000:2009 standard is currently being reviewed by more than 200 specialists from 30 different countries, including experts from Russia and members of ISAR. Some of the suggestions for the new version of the standard include a greater need for integration of risk management into business activities, including decision-making, and the need to explicitly take into account human and cultural factors. These changes could have a significant impact on many modern nonfinancial organizations, raising questions about their risk management effectiveness.

“Risk management, just like any other element of corporate governance, must be integrated into the overall management system of the organization. The ISO 31000:2009 international standard explicitly talks about the need for risk management to be adaptive, dynamic, iterative and able to react to change. As organizational risk maturity rises, so will the tools used by the organization to manage risks in decision-making. Professional risk managers should not only develop risk management processes for their organizations, but also improve their own risk management competencies. As I am writing this, work is being undertaken on the update of both of the most widely adopted risk management standards (ISO 31000:2009 and COSO:ERM 2004). New versions are expected to be available in 2017 and promise to revolutionize our current understanding of risk management, and not necessarily in a positive way. My experience shows that participating in international conferences, training sessions and certification programs is a good way for risk managers to keep themselves in top professional shape.”

– Alexei Sidorenko, Founder of www.risk-academy.ru

We recommend executives and risk managers evaluate the current level of risk management maturity using the criteria for effective risk management presented in this article. If even one of the puzzle pieces is missing, it is probably a bit premature to talk about effective risk management.

Alex Sidorenko

Alex Sidorenko is a risk expert with over 15 years of private equity and sovereign wealth fund risk management experience across Australia, Russia, Poland and Kazakhstan. In 2014, Alex was named Risk Manager of the Year by the Russian Risk Management Association. As a VP at the Institute for Strategic Risk Analysis in Decision Making, Alex is responsible for risk management consulting, training and certification across Russia and the CIS. Alex is the co-author of the global PwC risk management methodology, the author of risk management guidelines for SMEs (Russian standardization organization), a risk management textbook (Russian Ministry of Finance), a risk management guide (Australian Stock Exchange) and the award-winning training course on risk management (Best Risk Education Program 2013, 2014 and 2015).