You are here

Staying one step ahead of risk

In a fast-changing business environment, top management must ensure that risk management is a company-wide affair.

Risk management should not be something cooked up in isolation by the finance or internal audit office, says Themin Suwardy.

AT NetLink NBN Trust, where Tong Yew Heng is the CEO, senior management meets once a week to discuss any emerging business challenges.

WHETHER it's geopolitical tension affecting the markets you operate in or a new technology threatening to upend your industry, dealing with risk in one form or another is unavoidable in the business world.

The speed of change brought about by technology and heightened security threats - both virtual and physical - is also complicating the task of managing risk. More organisations are now evaluating risk scenarios regularly to ensure that they are not blindsided by events.

However, experts say that companies may be spending too much time coming up with new controls in a bid to manage their risks, when they should be focusing on the human factors that are often the cause of non-compliance with risk management practices.

One way to better manage risk is to ensure that the task is undertaken not just by the finance team, but also other operational units within an organisation.

Market voices on:

Such "business partnering" ensures that compliance, operational processes and business strategy are in sync.

For instance, information on risks should come from multiple departments and varying levels within an organisation in an effort to ensure that major risks are not overlooked.

"Risk management should not be something cooked up in isolation by the finance or internal audit office. The best way to understand organisational risks is to partner operation units in identifying, measuring, evaluating, mitigating and monitoring the risks," says Themin Suwardy, dean, postgraduate professional programs at the Singapore Management University. "This partnership is essential not just in the formulation of risk management policies, it also helps to ensure that there is a ground up buy-in to the whole process."

Irving Low, partner and head of risk consulting at KPMG Singapore, believes that business partnering is the "pinnacle" of mature and effective risk management. "At KPMG, we call this 'Integrated Assurance' and it connects the lines of defence and promotes risk management as a unified process across functional boundaries. In addition, it gives a holistic view of risk assurance and eliminates the inefficiency of having separate siloed assurance processes which may result in gaps or overlaps across the organisation."

He notes, however, that integrated assurance is still in its infancy among most companies in Singapore.

Data as a defence

The use of data is also increasingly being recognised as an important tool to generate insights that can help companies proactively manage risk. Powerful analytics tools allow these insights to be generated in real time, enabling risk professionals to more quickly and better understand, identify and monitor risks.

"As risk professionals, you cannot pick up everything all the time but you can minimise what you miss by using data to help you to intelligently and proactively focus on the areas of concern. Using it to highlight key spikes, trends and other telltale signs that more investigation is needed," says Mr Low.

However, data can be a double-edged sword. While it can be used to manage risk, it is also a valuable resource that must be protected.

Bill Bowman, senior director, risk management and internal control, Infineon Technologies Asia-Pacific, says: "Companies - including multinational companies - cannot avoid handling large amounts of data over multiple locations. Some of that data can be mission critical. For example, ensuring the safe handling of internally developed intellectual property which needs to be accessible to appropriate staff members for their collaboration in development, but must be kept secure from competitors. Having appropriate levels of data security relative to the sensitivity of particular data sets is necessary."

A risk-focused culture

Having a strong risk management culture is often seen as another critical element in building a sustainable and successful risk management programme. Yet, experts also believe that it is one of the most difficult to develop, as it involves fostering deeply entrenched behaviour where risk is top of mind.

"One of the biggest dangers in risk management is to think that you have done all the necessary, have a flashy folder with all the policies and guidelines printed, and say mission accomplished. To be effective, you will need to build a strong risk management culture from the top down. For example, by explicitly integrating risk management into decision-making," says Prof Suwardy.

One company that has built an open and collaborative culture towards risk management is NetLink NBN Trust, which owns a nationwide network that is the foundation of Singapore's Next Generation Nationwide Broadband Network.

The company's senior management meets once a week to discuss any potential or emerging business challenges and possible solutions to them.

"Often times, newer business challenges can be complicated and may affect various stakeholders. Depending on the nature of the challenge, a few members of the senior management team can be assigned to do a deep delve into the issue and to propose a risk mitigation strategy," says Tong Yew Heng, CEO and executive director of NetLink NBN Trust.

The right approach

While risk management is important, companies cannot also become so risk averse that they lose significant market opportunities. To avoid such a situation, organisations should update their risk matrix regularly in order to quantify the potential magnitude of various risks accurately.

Says Mr Bowman: "Identification of risks and the proposed best method of handling should be a 'bottom up' exercise. Those involved with the day-to-day business are best positioned to detect changes in the risk environment, and new risks arising, so as to propose best method of risk management to top management."