Can you “outsource” risk management? Management of risk may be outsourced but the risk still has to be borne by the organisation. There is no getting away from the fact that regardless of whether risk is managed in-house or is contracted out, the risk itself remains the responsibility of the firm. Outsourcing certain areas of risk management may be expedient but with so much riding on the risks of the business, an organisation may be doing itself a disservice by allowing an outside party to deal with matters that involve the very core of the company. Consultants may certainly provide guidance and clarity when it comes to applying the principles of risk management, or the training necessary to undertake it, but the company should undertake the actual “nuts and bolts” itself.
The consultant may offer an objective eye but identifying where risks lie in an organisation has to come from the stakeholders who are the most closely involved with it – staff, Board and management. Risk management needs a lot of deep-diving into details of the organisation; this inevitably involves different levels of intimate business knowledge and confidentiality. It should, therefore, be undertaken in-house, preferably supervised by the organisation’s own employee, its Chief Risk Officer (CRO). Data collection is crucial to the efficacy of risk management. But gathering it has a lot to do with levels of comfort and organisational culture – two elements that can influence the effectiveness of risk management implementation.
Gathering data for risk management purposes involves accessing information that only insiders may have. People may want to cooperate but they will baulk if they have to provide information which, from their perspective, is sensitive, confidential or embarrassing. This is a stumbling block that makes it that much harder to implement risk management effectively. In the course of implementing risk management, it will become evident that parts of the organisation are still operating in silos; these are less likely to give up information to “outsiders.” They are more likely, however, to provide information to someone like the CRO, who is a part of the organisation, not an independent consultant.
Information-gathering also means having to engage on different levels at different intensities. Risk management is not something that happens overnight. It takes time, and people need to be convinced that it is effective before they give you their cooperation and support. Part of encouraging this kind of conviction is to make them feel invested in what they are doing. Everyone in an organisation needs to be involved in risk management because risk has far-reaching consequences and repercussions. Its effects can be felt long after an actual incident occurs, and are not confined only to the unit, department or region where it originated.
The people who work in an organisation should feel invested in it, to the extent that they want to be involved in managing its risks because they see the risks as having a direct impact on them. This sort of attitude – a part of corporate culture – is not easy to develop. Consultants may be able to give the initial training which jump-starts the processes, and perhaps establish the frameworks on which the culture can be built, but the culture itself has to develop organically to be truly effective. Additionally, it has to be ongoing, and be able to evolve with the times. This means that the organisation has to be able to respond to internal and external environments simultaneously.
To a certain extent, internal and external environments dictate organisational agility as well. The firm may find it has to backtrack or reverse decisions quickly – i.e., make internal adjustments – because of external pressures from increased interaction with various stakeholder groups, not just shareholders. Organisations may find that in collecting data, a certain amount of control is necessary over how it is utilised, particularly for decision-making. This is best understood in-house, as a better understanding of the organisation begins to emerge with in-depth information. Feedback on possible pressure points, for instance, may be sensitive, and require management away from the spotlight.
As more details are presented, a clearer picture of the organisation appears. Shortfalls become apparent, and mitigation measures can be identified. A better-informed Board will be able to formulate more effective strategies, and Management may improve the alignment of operations with the firm’s objectives. From the employees’ perspective, their feedback has been taken into consideration and made a difference; the value of their input is recognised. In time, the organisation has a very good chance of developing a positive, supportive, progressive culture that will continue to attract the right talent and help it hone its competitive edge.
Firms often turn to consultants or outsource various functions because of expediency or the lack of internal resources. The downside to this, particularly where risk management is concerned, is that the skills to undertake it are not developed internally, and the internal resources may not be fully utilised. The firm therefore is unable to fully leverage its capabilities, and may become less competitive in the long term. Risk management is an ongoing activity, not a one-off exercise. It develops in tandem with the organisation, and supports its decision-making process, which increases in complexity as the firm develops. Ultimately, it is about ensuring the firm’s growth and sustainability; it places the responsibility for this entirely in the hands of the stakeholders who will benefit the most.