Introduction :

An oil company in Gulf region which has a number of oil rigs and platforms, exports major portion of its oil across the world. It has an internal audit department which is called ‘Best Practice Transfer and Risk Management’. The head of this department (the Chief Internal Auditor — CIA) wants to develop an enterprise-wide risk management structure for the company. He seeks support from the General Manager (head of the company) who also supports this idea.

The CIA then attends a workshop at Kuala Lumpur in Malaysia on Risk Management, being conducted by two Indians. He then invites the two Indians to Gulf to be consultants and facilitators in helping him implement the risk management initiative in his company.

The Indian team of consultants helped implement the enterprise-wide risk management structure in the company over a period of one and a half year with visits ranging from one week to a fortnight every month to :

• Develop awareness and vocabulary for risk management, by running work-shops for top management and process owners across the company.
• Develop a brochure for Internal Audit Department and the programme of risk management to be conducted in the company and distribute the same across the company including putting it up on notice boards and also spreading this through the intranet in the company.
• Identify one person in the Internal Audit Department who would be the database administrator and who would keep getting information from across the company and clean it and present it in a structured form to the CIA. (This person would also liaison with risk manager in each department to ensure that risks were being continuously assessed.)
• Identifying along with the CIA the process owners — heads of departments — like Commercial Health, Safety & Environment, Finance, Research Head, Utilities Head, etc. The team also identified one person in each department who would anchor the role of risk manager for the department. This person would continuously update data on risks and controls in his department and after approval from his department head (process owner), forward this on a monthly basis to Internal Audit Department.
• Conduct workshops where top 20 risks were identified from each department and entered in a structured form in a template along with controls to be observed.
• Top 50 risks were then presented to the top management from among the risks identified in all workshops over two months.

The word ‘risk’ derives from the early Italian ‘risicare’, which means ‘to dare’. In this sense, risk is a choice rather than a fate. Risk, as per the Australia/New Zealand Risk Management Standard — AS/NZS 4360 : 1999 is the chance of something happening that will have an impact upon objectives. It is measured in terms of consequences and likelihood.

Business organisations are facing new and stiffer challenges on a daily basis. The complexities, uncertainties and volatility that everyone experiences in his/her environment have increased tremendously. In this scenario, each person ‘dares’ to take decisions and thereby undertakes risks to meet challenges. Success or failure of an organisation is defined by the quality of decisions taken by the people managing the organisation. The culture, processes and structures in an organisation have to be geared towards effectively exploiting opportunities and managing hazards.

Risk Management seeks to institutionalise the process of risk taking in an organisation involving all those who take decisions. Eliyahu Goldratt in his book ‘The Goal’, has brought out this principle well :

"If we just thought systematically before we implemented it, rather than after the fact, we could have prevented many problems . . . all the facts were known to us, we simply didn’t have a thinking process that would force and guide us to examine it early in the game".

Managing risks is a skill that is an integral part of the decision-making process and risk management is the processes and structures established to enable decision-makers to manage risks.

Risk Management Standards :

Australian/New Zealand Standard 4360 : 1999 is a good standard — it being the oldest, first released in 1995.

There are various Standards again released by the USA, Canada and other countries across the world. Even ISO (International Organisation for Standardisation) is moving towards releasing a standard, and we learn that it is adopting from AS/NZ 4360. Further, COSO (Committee of Sponsoring Organisations of the Treadway Commis-sion) is also working towards a Risk Management Standard based on the Internal Control Framework that it has already released and established in the USA and across the world. An exposure draft is available on the internet for download and comments.

Risk Management — The process :

1. The essentials :

The development of an organisational risk management policy and support mechanism is needed to provide a framework for carrying out a more detailed risk management programme at the project or sub-organisational level.

Risk management policy outlines the objectives and confirms the commitment of the top management in the form of a structure. The top management makes the policy operational through plans for the development and implementation of the system and procedures including regular performance reviews. At this phase, the adoption of a Standard like AS/NZS 4360 : 1999 provides a strong foundation to the risk management process.

2. The contexts :

Decision-making is always related to entity-specific environment consisting mainly of the strategic and the organisational context. The risk management context provides all decision-makers with the limits — appetite — that the organisation has for risk taking. It prescribes the limits of what does the entity need to do right, in order to satisfy its various stakeholders — shareholders, employees, customers, government, sup-pliers and community, needs to be defined.

3. Risk identification :

Comprehensive identification using a well-structured systematic process is critical because if a potential risk is not identified and it is excluded from analysis, it would be a ‘risk’ in itself. Identification should include all risks whether or not they are under the control of the organisation. Identification process focuses on not only ‘what’ of the risk incident but also the ‘how’ and ‘why’ of the risk incident’s occurrence. This may be done through workshops involving all concerned in taking decisions or through checklists or systems analysis or other analytical techniques. Refer Exhibit 1 for an illustrative list of risk incidents and Exhibit 2 for an illustrative list of questions for brain-storming ideas.

4. Risk assessment :

Risk assessment involves two stages — risk analysis and risk evaluation.

Risk assessment is at the core of Risk Management. It is a process and not a set of equations. The success of the assessment mainly hinges on skillful handling of an organisation’s educational, communication, and political aspects of the process. Technical competence, while required, is an empty promise when not combined with the knack for engaging and facilitating individuals and groups.

Taking more time than is absolutely necessary to design a risk process and to implement the risk model is a destruction of value as people at all levels, in whatever business, are busy — busier perhaps than people in earlier times with equivalent positions.

5. Risk analysis :

Risk analysis aims to separate the minor acceptable risks from the major risks and to provide data to assist in the evaluation and treatment of risks. The risk incidents are analysed with respect to consequences and likelihood. Existing controls are evaluated for effectiveness on occurrence of the risk incident.

The best information sources available should be used for ascertaining the consequence and likelihood. The criteria for reference should be defined for each level of consequence or likelihood to enable risk rating. Sources may include :

• Past records — in the organisation, in the group, in the local area, in the country, in the world in similar organisations, in other organisations with similar circumstances.
• Relevant experience — of the consultants, and of persons participating in the assessment process.
• Relevant published literature — technical, newspapers, magazines, internet, etc.
• Specialist and expert judgements — specific to the organisation or industry.
• Experiments and prototypes — specific to the project being considered.

Special analytical techniques like fault trees or event trees or quantitative modelling techniques may be adopted. Wherever quantitative modelling is done, sensitive analysis should be carried out to test the effect of changes in assumptions and data. A probability score to the likelihood could also be added for a more objective rating of the same.

In order that the risk assessment efforts are successful, good assumptions, excellent communication, sufficient partner/stakeholder intimacy, absence of selfishness and arrogance and realistic expectations are some of the critical features of the process.

6. Risk evaluation :

Risk evaluation involves comparing the level of risk found during the analysis process with previously established risk criteria that result in a list of risks. The decision is then reached as to whether the risk is acceptable or it needs treatment. If the risk is evaluated as acceptable, it should be monitored and periodically reviewed to ensure that the limits fixed remain acceptable.

7. Risk treatment :

Risk treatment involves review of alternative options and selecting one or a combination of several, on the basis of its appropriateness within the contexts including the cost dimension. The attempts are to make those risk incidents that are high or extreme to be treated in a manner that leads to a low risk. It may take on any of the following forms :

à Avoid the risk — People who are averse to risk, normally avoid taking risk. Inappropriate risk avoidance may increase the significance of other risks.

à Improving Control Systems and thereby reduce the consequence or likelihood. See Exhibits 3 and 4.

Transfer in full or part — Risk may be spread between different parties. Mechanisms may include the use of contracts, insurance arrangements, joint ventures, partnerships and such others. The transfer may itself lead to probable new risk incidents.

Having selected the treatment mode, a detailed implementation plan needs to be defined with clear identification of responsibilities, schedules, performance measures and the review processes.

8. Risk Management

— Role of Chief Risk Officer

Risk Management is a process to be executed throughout the organisation and is not the responsibility of one person or function. Despite this, there is a need for a Chief Risk Officer (CRO) who will co-ordinate the function of ‘risk’ management.

The risk process begins with two fundamental elements — a need (usually ill defined) on the part of an individual or group and a vision held by a person or a group of persons. The CRO provides the unifying force that harmonises the views of different groups in the organisation. He acts as a facilitator, administrator of the risk management programme, an educator, owner of the risk management manual and a one-point contact for everyone in the organisation from the Board to the lowest decision-maker on matters pertaining to risk. He reviews risk documentation and reports prepared by different groups in the organisation and ensures uniformity in documentation and reporting. (In this case, initially the CIA was also the CRO for the company).

The CRO and his team become responsible for the maintenance of the Risk Register — the listing of all risks with treatments and action plans. The CRO continuously scans the horizon and revisits the risk models for reviews, which ensures that the risk exposures faced by the organisation are under control at all times. It may also from time to time review the effectiveness of controls. The CRO manages the communication channels for Risk Management, keeping the stakeholders informed regarding risk management initiatives and status and thereby manage their perception.

This programme of enterprise-wide risk management was highly successful and resulted in substantial savings and structured decision-making with learnings for the company. The Board appreciated the consulting role of the Internal Audit Department which had fulfilled its role aptly described as ‘Best Practice Transfer and Risk Management’ and directed the CIA to ensure that this programme was spread to all functions of the company. The Board also directed the CIA to submit a list of top 50 risks (along with remedial measure taken and proposals for taking remedial measures, if not already undertaken) identified during the exercise every quarter. The structure of risk management within the company was thus institutionalised.

Illustrative list of risks faced by organisations : (Exhibit 1) :

• Delay in implementation of projects
• Increase in cost of raw material in a fixed price contract
• Impact on profit due to delayed commissioning of the new plant/ modification to existing plant
• New molecule identified by R & D
• Discharge of untreated effluents in the water system, ground
• Leakage of poisonous gas in the environment
• Spillage of oil
• Leakage in oil/gas pipelines
• Introduction of subsidy in steel
• Favourable political party winning elections
• Risk of bad debts
• Suit filed for disputed tax liability likely to be won/lost
• Flooding of project area
• Popular objection to project location
• Employees not committed to Internal Control
• Inappropriate role assignments
• Third party contract terms not
• adequately defined
• Invalid transactions captured by reporting system
• Investment opportunities of cash balances not maximised
• Inappropriate approval and disbursement of refunds/exchanges.

Illustrative list of questions for brainstorming (Exhibit 2) :

• What will be the annual production from the new plant ?
• What are the competitor plans in the product under review ?
• What will be the cash flow from the new plant ?
• This project has to be completed quickly enough so that our competition does not build a similar plant first.
• What are the environmental constraints on the plant production in the new plant area ?
• How will this project compare with other projects competing for corporate funding ?
• What will be the construction costs for the new plant ?
• We should use in-house engineers to design the plant rather than contract engineers.

Possible actions to reduce or control likelihood (Exhibit 3) :

• Audit and compliance programmes
• Contract conditions
• Formal reviews of requirements, specifications, design, engineering and operations
• Inspection and process control
• Investment and portfolio management
• Project management
• Preventive maintenance
• Quality assurance, management and standards
• Research & development, technological developments
• Structured training and other programmes
• Supervision
• Technical controls
• Organisational arrangements.

(Source : AS/NZS 4360 : 1999)

Possible actions to reduce or control consequences (Exhibit 4) :

• Contingency planning
• Contractual arrangements
• Contract conditions
• Design features
• Disaster recovery plans
• Fraud control planning
• Minimising exposure to sources of risk
• Pricing policy and controls
• Separation or relocation of an activity and resources
• Public relations.