It is hard not to think about risk, considering that risk incidents are occurring more often; often inflicting worse consequences than the one before, adding to the challenges of an already volatile, uncertain, complex and ambiguous world. The second presentation of the virtual Risk Forum jointly organised by the International Institute of Enterprise Risk Practitioners (IERP®) and the Brunei Institute of Leadership & Islamic Finance (BILIF) saw Nurul Diana Intan Zafirah Ishak, Head, Programme Management Office, Cyberview Sdn Bhd, speaking on what it takes for an organisation to develop a viable risk culture.
ERM professionals often talk about risk culture being the glue that holds frameworks together but what does this entail? Threats can come from any direction, and have a major impact on the business despite companies having set risk management practices, systems, controls, processes and procedures in place. “Statistics show that only a small percentage (of firms) is doing it successfully,” Nurul said. “The failure rate is high.” Unfortunately, many organisations still hold the view that risk is a waste of time, and an additional cost.
“People perceive risk negatively but risk is an enabler,” she pointed out. “Risk management is an art, not a science.” Having started on risk management, not progressing to developing an appropriate risk culture is a waste of resources – but this is a complex undertaking as it involves core values, including individuals’ upbringing and personal values. More than that, risk culture has to be internalised. The first step is to have a formal structure that clearly defines who does what in the organisation, she said. Understanding the processes and procedures of risk management is crucial.
Training and awareness sessions should be scheduled regularly to develop competence in these area. Risk focal persons should be identified as change agents at all levels in the company because risk management is not the job of just one person; as many as possible have to be involved. Individually and collectively, the organisation’s personnel have to develop the ability to anticipate risks, know when and how to report issues of concern, and respond to situations appropriately. Additionally, they need to be aware of how all this aligns with the organisation’s goals and objectives.
Those identified as risk focal persons should be given more training as an effective way of embedding risk further in the firm, and spurring transformation at their respective levels. What needs to be developed is a risk mindset that sees risk as natural and manageable, she said. Risk matters but it should not be viewed as something completely negative. Taking responsibility and being proactive is the key to managing risk. “Risk is about uncertainty but we need to take charge,” she said. “Be the victor, not the victim.”
Together with an awareness of risk should come the alertness to the opportunities that may arise from it, which could benefit the organisation, as well as subsequent threats which could erode the firm’s value. This level of awareness can only come about if risk culture is internalised, when staff know how to anticipate risks and report issues of concern. Having the right strategy is not enough; organisations need the right culture as well which will enable it to respond to the dynamic environment in line with its risk appetite and corporate goals.
Following her presentation, Nurul was also one of the panellists of the forum discussion on Building a Healthy Risk Culture, together with Ahmad Azwang Aisram Omar, Head of Enterprise Risk Management, SME Bank Malaysia, and Zulhisham Zolkepli, Head of Risk Management, Insurans Islam TAIB Holdings. Among the issues discussed was what corporate-wide risk culture looked like; its key elements; how to get it to work effectively; and what to leverage on, to develop the right kind of culture in the organisation.
Detailing his professional risk management journey, Ahmad said that what used to be a quarterly reporting exercise developed into full-fledged integration of risk management into the processes and procedures of the organisation as he developed a more comprehensive understanding of what was required with ERM. Acknowledging that it was a challenge, he said that understanding where the organisation was, in terms of ERM, was fundamental to identifying gaps in its risk management, and was crucial to helping it achieve the necessary risk maturity levels.
Adding that in the early days, people didn’t see the value of risk management, but it developed over time and got buy-in from the management team. The most important thing was the tone from the top and the use of Risk Focal Persons in various departments to further the risk management agenda. When he was developing the risk management function, Zulhisham said that he interviewed all divisions in his organisation to understand how things worked, then presented a Risk Report to management, to start the risk discussion.
To a question on how the lack of resources, especially personnel, could affect the take-up of risk management, Nurul said that one way of overcoming this was to put Risk Focal Persons in place, to better influence the perception of risk management; staff resources could thus be shared (instead of one person doing all the work). How should organisations ensure the risk management function is operating as intended? Ahmad advised the use of a structured, customised framework built on in-depth understanding of the business, and ongoing measurement against established standards.
On how risk owners and risk managers should deal with risk ownership, Nurul said that mindset change was critical to understanding this, adding that management could impose requirements for risk management, so that staff understand the long-term effects. Commenting on how to differentiate between risk and the impact associated with the risk, Ahmad said that risk managers looked at enterprise risk while risk owners looked at business risk, and the part it plays in achieving the organisation’s objectives.
Zulhisham added that past incidents could be held up as examples to avoid, and mitigative measures could be based on these accordingly. There should be alignment of organisational objectives, strategy and risk culture, with risk management being involved from the outset with strategic development. But how can risk management actually gain traction, and how can people be encouraged to take it up or align it with strategy, without apprehension? Zulhisham advocated discussion, reiterating that it was not a burden although it could be onerous at times.
“It gets better over time,” he said. “Incorporate risk management tools that are relevant (in the discussion), and be objective-centric.” Nurul urged risk managers to be proactive about raising awareness of the matter. Working from home (WFH), she said, was allowing more time for awareness sessions for staff, and they were becoming more aware of being able to do things. But it was ultimately leaders with ethics who could effectively drive common goals and strengthen risk culture. “Ethical leadership is important,” she concluded.
