Non-Financial Risk Management

@ the IERP® Global Conference, August 2024

The views and opinions expressed in this article are solely those of the featured speakers and do not necessarily reflect the official view or stance of the IERP®. The content is provided for informational purposes only.

Speaking on the topic of non-financial risk management, Khushwant Singh, Group Chief Risk & Credit Officer of GHL Systems Berhad, brought more than two decades of experience in various industries, including banking, airlines, and logistics, to his presentation. In his overview, he said that significant words like ‘governance’ could not be ignored; many problems, including ESG-related ones, were man-made and therefore had to be resolved by humans. His presentation covered risk management, key risk indicators (KRIs), business continuity management (BCM) and capital allocation.

Risk must be assessed before controls can be set in place, together with KRIs – but many people do not understand KRIs, he said, adding that risk professionals must have a thorough understanding of BCM as well. “As a risk practitioner, if you don’t know the technicalities and competencies of BCM, it’s very tough,” Khushwant said. “If you want to be a CRO or GCRO of a regional company, you must know the technicalities of BCM.” Capital allocation, used to calculate operational risk, also came about due to man-made problems.

“All the policies and regulations we see are (the result of) Madeira’s problems,” he said. “To solve the problems, we came up with regulations because (in the old days) the banks failed.” Referencing what happened with Barings Bank, Lehman Brothers, and the sub-prime crisis, he cited the then-minister of finance in Japan, who said that the reason Japan had not suffered as much as others was that the Japanese market could not understand the language being used to sell the securities packages. He used this as an example to illustrate how organisations should not do what they do not understand.

“The problem is that when somebody introduces something, it becomes a ‘must do’ – but what you cannot control, you don’t measure,” he said. “What you can measure, you can control. These are the principles of risk management.” Further explaining non-financial risk, he said that this was now used for operational risk. “Non-financial (risk) is basically operational (risk), but with the addition of strategic risk and a bit of reputational risk,” he said. All regulators say this must be followed; the more advanced an industry, the more sophisticated its related policies and requirements.

Remarking that everybody speaks a common language with risk, he described risk management as a continuous process of the standard work of identifying, assessing, mitigating and monitoring – a culture that must be embedded and seen. Big corporations may already have an embedded risk culture but smaller or regional ones may not. This is where risk professionals must consider how the board may be appropriately influenced to encourage its development. Risk culture is so important that it must come from the top, Khushwant emphasised.

“The board must endorse it,” he said. “You cannot drive it in the organisation, otherwise.” For risk professionals to be relevant in their respective companies, he recommended having appropriate space and time with top management. This may be achieved through business functions, group governance functions, and non-financial functions like compliance, audit, and executive-level risk management committees. In their roles, risk professionals must bring value to their organisations, not just to their position or function, he stressed.

“When you bring value to the organisation, you are bringing value to your position indirectly,” he said. “When you bring value to the organisation, you are finding ways to increase their business, do it better, or find data or insights. As a risk practitioner, you must be analytical, and data-driven. Be independent, work with the business, with operations, and finance; do not compromise your independence.” It is also quite likely that risk professionals will be required to find ways of raising awareness of risk among staff, through education and training.

There were many ways of identifying risk, he said, but the most important method was through experience. “There are risks which individuals experience that cannot be duplicated. This helps make your risk profile more robust,” he said. “If you want to be a good risk professional, pull out your data and look at trends. Do your reporting, and explain to the board.” When incidents occur, risk professionals often fail to check whether that particular risk was identified in the company’s risk profile.

Incidents may take many forms, and be detected by the business lines, through audits or sometimes by the risk professionals themselves when they do business process reviews. “Make sure that the RCSAs for the incident have been detected, and do analysis for quick decision making and controls,” he urged. “Put in controls, and save a lot of money and people’s jobs.” RCSAs were basically for finding gaps between risk and control. Ideally, action plans based on SMART principles should be applied, with monitoring.

Risk profiles should be checked often; Khushwant recommended checks once every six months because of environmental changes. “If you want to be a good risk practitioner, look at data and trends,” he advised. “All your critical functions must have KRIs. You need to do an assessment of what your critical and non-critical areas are.” ESG may be included in KRIs. With BCM, he said, communication was most important. For new hires, this should be expressed during onboarding programmes.

Call tree exercises in BCP testing should be carried out by risk professionals – but never during office hours or on a weekday. “Do it after office hours, or on weekends,” he advised. “This is something good for the company. The more call tree exercises you do, the better it is for your organisation.” On capital allocation, he said regulators’ expectations must be considered, but “if you have good non-financial management, you will have good capital allocation for your organisation.”
