Taking risks is an attribute of successful people and successful businesses. What differentiates an average organisation from a leading organisation is the latter’s ability to provide a culture within which its people are encouraged and able to take calculated risks for the benefit of the organisation. This requires a governance framework that provides clarity of authority without inhibiting decision making and that includes a mature approach to managing risk and an effective audit programme.
Risk management is concerned with recognising, assessing and mitigating both the likelihood and impact of all risks. In the financial services sector, risk is core business and the most successful companies are those with the most effective risk management capability. And of course, airlines are a credit risk! In the air transport industry, risk management typically focuses on abuse and fraud in the revenue cycle and on business continuity (incorporating disaster recovery), covering risk areas such as cyber-crime, major systems failure, industrial relations, fire, natural disasters, the regulatory environment, the critical supply chain, terrorism and political change.
ISO 31000 defines risk as the “effect of uncertainty on objectives” and identifies risk management principles and good practice. A key objective is to create value by ensuring that the cost of resources used to mitigate risk is less than the economic impact of the risk materialising without contingencies in place. This is not straightforward as there can be diverging opinions on the nature of any risk. A company with good risk management practices does not need to have ISO 31000 certification and whether this is sought will be based on management’s view of the commercial benefits.
Risk management is an area that can sometimes suffer from lack of resources. Management time may be seen as an opportunity cost that is better spent on more profitable activities. In addition, risk mitigation costs are invariably a prime target for savings when overheads are being reviewed because there is always some subjectivity in assessing both the magnitude and likelihood of risk, which can undermine the perceived value of the actions required.
Corporate governance has received greater public attention in recent years due to high profile company failures. In the USA, since 2002, in addition to the traditional requirement to give an opinion that the ‘financial statements represent a true and fair view and that the company is a going concern’, external audits of companies traded on US stock exchanges are required to include an opinion on the ‘effectiveness of the company’s internal control over financial reporting’. This has become known as Sarbanes-Oxley (SOX) compliance. In response to the perception that stricter financial governance laws were needed, SOX-type regulations were subsequently introduced in other major countries around the world.
In contrast, internal audit is concerned with assessing the efficacy of an organisation’s operations, including compliance with company policies and procedures. These are generally referred to as operational audits and involve a thorough examination of the activities and records of each area of the business. The audits look beyond the internal control environment and consider commercial, operational and reputational risks and weaknesses that might affect the achievement of economic, environmental and social objectives. Due to the need for independence and objectivity, the internal audit function often reports directly to the Chairman and Board of Directors. Sometimes all operational audits are outsourced, and a small internal audit team focuses on audit protocols, planning and fraud investigations.
Risk Management and Consulting
Risk management is intrinsic in all consulting work, whether it be the subject matter itself, e.g. the establishment of risk assessment programmes or conducting specialist audits, or whether relating to delivery risks on projects and change programmes or business continuity risks on sourcing or strategic reviews. Consultants add high value by working with the client to identify, assess and classify all risks and to explore and evaluate all options to mitigate each one.