As times and doing business grow more challenging by the day, how are those who are not directly involved with ERM, coming to grips with what (for them) looks like another major challenge? It’s all in the leadership, and individuals in top management who understand what ERM is about, are at the forefront of convincing corporations that applying its principles will help the firm confidently rise to those challenges.
One practitioner and believer who is in the thick of it is Mr. Poh Ying Loo, Executive Director – Corporate Management, who is also the CFO and deputy chief risk officer with multinational retailer AEON Co (M) Bhd. Even at the best of times, the retail sector is challenging enough, but with the current fluid, dynamic, volatile business environment, the mere thought of implementing ERM is enough to cause many sleepless nights. Yet Poh, who has been a director since 2012, is convinced that ERM is eminently applicable and effective.
Having been introduced to it through Audit and industry peers who had successfully applied ERM in their respective organisations, he co-leads and supports a lean risk management section. “It’s manned by just three people,” he said. Impressive, considering that the firm has at least 10,000 employees. Poh and his team of just three people cover all sectors of risk management for the whole organisation, although he is quick to add that risk management is actually already embedded in all sectors, departments and units. Still, even with this level of alignment in place, there is a great deal of work to be done.
A typical day’s activities encompass extensive meetings on strategy, operational planning and discussions, business development and counter measures, analysis and reporting. With an organisation of this size, Poh leverages on technology/social media, utilising chat groups. “I used to do this in other organisations where I worked before but of course with less technology support back then as compared to now where it is more detailed and more extensive,” he acknowledged. It comes as no surprise, considering the nature of the industry he now operates in. Retailers such as AEON count FMCGs, tenants, authorities, customers and employees amongst its stakeholders; its retail operations also involve supply chain management, facilities management, treasury management, compliance, audit and front-end customer service, and payment solutions.
Admittedly, he did have initial reservations about ERM, particularly where top-level commitment and management buy-in were concerned. But the benefits of ERM are now being cascaded down to non-executive levels. In this interview, Poh gives frank responses to difficult questions:
What convinces non-executive levels to accept, adopt and apply ERM?
Besides being a part of their KPI, the awareness of the consequences of failure to manage their risks is a strong motivating factor. Business units need to see that ERM helps rather than stifles their business.
What are your greatest challenges with regards to ERM in your present position?
Developing a strong risk culture is a major challenge; total management buy-in is another. Embedding risks into business operations is sometimes difficult, although it has to be an ongoing process. It also complicates matters because it is connected to the organisation’s risk culture. Education about risk, which also needs to be an ongoing effort, presents unique challenges in an environment like ours. The other challenge is that as business is always dynamic and moving very fast especially in the competitive environment, unless ERM is embedded strongly into the culture and operations, it may not be given the same priorities.
How do you deal with internal issues of confidentiality or sensitive information?
This is managed through meetings at top management level or at directors’ level.
What kind of training do you recommend for unconvinced staff/management?
There should be a specific agenda which focuses on ERM, and continuous reporting. An understanding of the importance of risk management should be cultivated to enable them to recognise risk. That will be an effective way of developing and embedding risk factors into operations. But this does take time. The training should be geared towards encouraging staff to accept ownership and responsibility for risk and to see risk management as a necessary tool that will help the business and operations.
In your experience, how long would an organisation take to develop a viable risk culture?
At least five years, with continuous education. It is an ongoing process. People need to understand the importance of risk management before they can understand how and why it should be embedded in operations. Only when ERM is fully embedded in the organisational set-up and daily routines, can the risk culture be sustained.
What are some of the common factor’s organisations should recognise when implementing ERM?
They should realise it is about long-term sustainability; not a one-off exercise; and it has to have the continuous support of management. At the same time, management needs to realise that ERM is there to support and not to stifle business.
In your opinion, what is an ideal environment for the development of a risk culture?
Firstly, there should be top-level awareness and commitment; an established organisation should have an ethics and compliance policy in place, and an effective way of imparting this across the organisation. There has to be a realisation or paradigm shift that identifies risk management as essential and a contributor to the company’s vision and objectives including profitability.
What do you think are some of the barriers that are preventing Malaysian companies from adopting ERM more quickly?
It may be due to the local culture and mindset. Malaysians can be quite set in their ways. There is not enough awareness about ERM, nationally; there should be greater efforts to promote it by the authorities. Some Malaysian companies also tend to react only due to necessary compliance, instead of seeing the need for ERM. In such cases, we often see companies doing just the minimum compliance necessary, rather than adopting best practices.