The first CRO Networking Group event for the year opened with a short presentation by KPJ Healthcare Bhd’s Chief Risk Officer, Sharizal Hasnifa Baseri, who reflected frankly that the response to this global event could have been better, especially as it had been predicted to some extent. The response could have been different, he said; this has now spurred constant thinking about similar incidents. “With a more interconnected world, we have to think about what the impacts will be,” he pointed out. “There are no hard and fast answers, but we have to be constantly thinking and talking about it.”
Conversations about climate change, for instance, were necessary because this phenomenon affects the way business is done. However, he added, the situation has seen an increase in opportunities to apply risk management in a framework that is anticipatory. “Stop managing risks in the rearview mirror,” he said, advising risk professionals to use their experiences with Covid-19 instead to make changes, reassess, and anticipate better, so that they can emerge stronger from this difficult time. The pandemic has been an opportunity to learn, change, and grow, he said, besides offering a huge opportunity for the risk management function to heighten its profile.
It was time to reorient the risk management approach and do things differently; companies, too, needed to realize that they should not do things in isolation. He advised integrating risk management more concertedly into decision-making, stressing, “This is the value that CROs should be bringing to the table.” A strong, hard relook at how to approach risk management within the current context was required to create value. Moderator Ramesh Pillai concurred, adding, “Anyone who has been looking backward where risk is concerned is a dinosaur. Look back on what has been, to learn, to analyse and formulate responses going forward.”
Other event participants voiced similar opinions, pointing out that when planning, it was important to realise that it was not a straight line but was instead full of ups and downs. One interesting observation was that plans may be made, and scenarios anticipated, but Business Continuity Management and Business Continuity Plans were rarely operationalised. That is, until the pandemic hit. “When the pandemic happened, companies could test if their plans were really resilient, and their defenses were effective,” said a bank CRO. “When it’s really happening, you can see and appreciate the measures that have been put in place, and test them properly.”
Reflecting on increasing globalisation, another risk professional pointed out that there was also a growing imbalance, and long-term market stability was a major concern. Many scenario analyses see increasing alliances between countries. “We must have extensive information or knowledge in other areas (not just risk management) to be effective in risk management,” he said. The need to be forward-looking was emphasised. Companies look back in order to do risk analysis, but lessons are not always learned, and objectives may not be adequately addressed. With risk management, however, the forward-looking element is built in, especially to address strategic, corporate, and emerging risks.
The gap between risk management and the application of policies and procedures needs to be addressed as well. One participant remarked that something ‘gets lost in translation’ – resulting in the misunderstanding of risks or processes. This can sometimes be attributed to ‘old’ risks or processes still being communicated, and it was hard to get everyone on the same page, he said. Additionally, the risk management team tends to be assessed on non-risk management matters; efforts are made, but fewer results are perceived. In the financial industry, on the other hand, financial risks are very well established, but risks in other areas are difficult to grasp, said a representative from this industry.
Remarking that there was a lack of linkage between risk management processes and how these relate at the management level, she said that consolidating the two was time-consuming and tended to decrease the time for high-level, valuable thinking. Technology could be applied in some instances, but strong pushback has been experienced from the first line of defense, as it is usually more concerned with the business. She added that the reporting part needed to be consolidated, automated, or structured to be more helpful for users. Leaders also face challenges; understanding risk management takes time even with regular engagement, and it can be a struggle.
Frameworks needed to be correct from the outset, Sharizal said, while procedures, policies, and practices also required the right structure. Risk professionals needed to upskill, prepare, and equip themselves where necessary. They should also consider where technology can be effectively applied to digitalise risk management, for instance, and collaborate closely with other lines of defense. This was a critical focus area. “We need more maturity here,” he stressed, adding that risk professionals also had to know how to equip their teams with the necessary skills and keep abreast of developments in other areas, like digital capability, for example.
Wrapping up the discussion, Ramesh focused on the power of technology; the psychology of risk; digitization of risk management; upskilling and education; the importance of the tone from the top; and the need to be careful about biases in data and decision-making. He urged risk professionals to leverage the power of technology and to lead the way in applying it, but to be careful when doing so because this is related to the psychology of risk. He said, “Risk management is not about the mathematics of risk. It is about the psychology of risk, human interaction, and making sensible decisions at the end of the day.”
When organisations move to digitisation, risk management becomes the bottleneck because the organisation forgets about digitising it as well. Risk managers need to be proactive about reminding their organisations about this and unblocking the bottleneck. While upskilling and education are integral to effective risk management, these must be applied at all levels, directors included. Ramesh said that many directors do not understand risk management or have a very narrow interpretation of it. There is a big difference between operational risk and enterprise risk. “But there are many risk professionals too who do not completely understand this,” he said.
There were many risks that cannot be managed, Ramesh pointed out, but risk managers can influence how these are managed. “The risk you will manage is the risk where you do not want to be,” he said. “You may want to elevate that risk – but that is an enterprise risk decision, not an operational risk decision.” Learning is constant; it never stops. “As risk professionals, we should be reading as much as we can, and really pushing the envelope,” he said, adding that the tone from the top was just as important. “It’s not just the tone from the top, it’s the echo from the bottom – but there must be consistency. Everyone needs to ‘sing the same song,’ and the taxonomy must be right.”
He urged risk managers to be ‘salesmen’ for risk, to convince others of its importance. He advised caution about biases, especially in decision-making. “No matter how you manage to deal with biases in your data, we are still biased when we make decisions,” he said, explaining that our brains work like computers. This means that when the brain has a complex problem, the brain breaks it down into smaller sub-problems and problem-solves one after the other. But if the problem is too big, i.e., it has too many sub-problems, the brain reverts to heuristics or ‘gut feel.’
“Research has shown that when you have a very complex problem and you give it to a group of smart people to figure it out, and whether you give them five hours or ten minutes, the quality of the decision will be no different,” he said, advising risk managers to avoid using consultants where possible. However, if the use of consultants cannot be avoided, he urged risk managers to be very clear about the scope of what the consultant is required to do. “Do your homework and clarify what you want to use,” he said.
