Embedding risk management is about more than monitoring risk metrics, risk and control assessment or independent oversight from the risk function.
That is the finding of Dr. Simon Ashby from Vlerick Business School, the lead researcher of a new report, which uncovers how board-level risk management activities vary in organisations as a result of internal and external factors.
The report, Risk and performance: Embedding risk management, by the University of London’s Cass Business School for the ACCA (the Association of Chartered Certified Accountants) highlights common challenges and good practices to overcome risk management difficulties.
The study combines findings from four in-depth case studies including interviews as well as a review of current academic literature.
The insights were consolidated to create the ‘risk gearbox’, a conceptual model for embedding risk management in organisations. It puts forward a number of recommendations for organisations looking to improve the effectiveness of their risk management arrangements. These include:
- Effective risk management requires the use of complementary formal and informal mechanisms to achieve strategic objectives;
- Communication is vital between business units and functions, as well as communication to/from the risk management function and internal audit function;
- The risk management function has a pivotal role in communication and building risk management relationships.
“Staff within organisations need to believe that the tools of risk management and the work of the risk function add value,” Ashbey said. “To achieve this, risk managers must be experts in social networking and relationship building. It is hard to achieve technical expertise in the formal tools of risk management and in the informal aspects of human relations, but we observed four risk functions that were successful in doing both.”
“This new report finds effective risk management is an essential element in the success or failure of these organisations but it cannot be effective if it is not embedded,” ACCA interim director professional insights Jamie Lyon noted. “There are no easy answers or quick fixes when embedding risk management. Given the variety of means available, organisations must allow risk management practices to evolve to their needs.”
Meanwhile, Dr. Cormac Bryce from Cass Business School said risk management is more than threat reduction, and that the report highlights the important value-add that risk management can provide.
Informal modes of communication have proved to help risk managers succeed in building productive relationships across all areas of organisations, increasing the profile and effectiveness of risk management in businesses, Dr. Patrick Ring from Glasgow Caledonian University added.