Risk management in plain words
I think most of you would agree that terms like “business risk management”, “risk management planning” and “adding value” are typical terms used by risk professionals on a day-to-day basis – including auditors. As an Information Systems Auditor I also learned to use these terms years ago. However, as the years went by I started to wonder what exactly we were telling our clients when we urged them to “manage their risks” in order to “add value to the company”.
As I am actually a down-to-earth person, I prefer not to use highly academic words to explain concepts. I prefer to speak plainly and to illustrate ideas with storytelling (not very academic, though!). For example, I had a problem with the term “adding value”. What exactly is “value”, especially in the context of a profit-oriented organization? Now, I know that I might receive criticism on this one, but please allow me to explain.
Let me ask you, “What is the objective of any business?” As I see it, the answer should be straightforward. An organization’s backbreaking efforts, strategies, plans, systems, products and services, marketing campaigns, yes everything is intended to bring the owners or shareholders one benefit – a profit!
Unfortunately, in the past few years, profit turned out to be a dirty word. This was, among other things, the result of wide-ranging management fraud in well-known companies. Organizations started to place the “company objective spotlight” on mission and vision statements, social responsibility, sustainability and so forth.
Though, as a risk and control expert, I agree that too much pressure to show a profit can result in unethical management activities and fraud, a negative result of this “campaign” is that profit is today considered a subject that should not be mentioned in certain circles. Business risk experts started to talk about “adding value to the business” – instead of talking about protecting the company’s profits!
In my opinion there are two ways to “add value” to any business (including small and medium businesses), namely by:
Identifying new business opportunities in the market: value is added to a business when new ways to make a profit are found.
Dealing with the downside of those business opportunities: that is, the inherent risks associated with the business venture.
The second point raises another question. What is a “business risk” by the way? Again, I will provide you with my definition and opinion:
A risk is ANYTHING that has the power to eat your profits, i.e. any event, action, decision, lack of action or decision as well as any circumstance in- or outside of your company that causes or could cause PROFIT EROSION at strategic, operational, financial or legal level.
Risk professionals are therefore primarily concerned about preventing the occurrence of or reducing the impact of profit erosion. As simple as that!
One operational risk example
A marketing company, let us call them “21st Century Marketing Mavericks”, provides marketing services to clients needing assistance with different types of marketing activities.
In effect they sell their professional time to customers. In other words, a customer is charged for the time the marketers took to complete a marketing campaign. For example, if two marketers worked on a project for three days at nine hours each day, they can charge the customer for 54 hours spent on the project at the hourly rates of the two marketers. Rates are based on the seniority (and experience) of a marketer. [Note: Marketers record their hours spent on a project by entering them into a timesheet application. The system then automatically calculates the amount the client should be charged (invoiced).]
The marketers’ rates are increased annually (1 January) to compensate for inflation. Rates are determined by the HR department and approved by the Financial Director. Final rates (as well as the new salaries of marketers) are then recorded by HR and sent through to the Systems Clerk who is responsible for capturing the new rates in the timesheet application’s standing data table (file).
Now, let us just look at one potential inherent risk in this case: If these rates were NOT updated in a timely manner on the system (i.e. on 1 January), a client would be charged at the old rates of marketers… meaning that 21st Century Marketing Mavericks would not earn the increased amount to compensate for inflation – which boils down to profit erosion (and remember, this happens WHILE the marketers still receive their increased salaries at the same time!).
So, there was a potential risk (and it eventually materialized). Unfortunately, 21st Century Marketing Mavericks didn’t identify it as a potential risk – i.e. nobody made the time to identify and assess potential operational risks. The informal procedure worked fine as a diligent HR Clerk was always responsible for informing the Systems Clerk of the new rates. Unfortunately, she passed away and a new person was appointed…
Given that the previous HR Clerk had been diligent, nobody bothered with the process and procedures. No documented procedures (CONTROLS) were in place – the idea didn’t even cross the minds of Management because, from their point of view, it was not necessary, let alone the fact that a potential risk existed and a control was needed to mitigate it. So the new HR Clerk was not informed of or trained in this procedure (I mean, why should she be? This is only an annual event – a “we will tell her later” kind of attitude).
Finally the day arrived when the Systems Clerk had to capture the new rates. Since he did only what he was told to do, he didn’t bother to ask the important question… “Where are the new rates?” [Note: The new HR Clerk did receive the new rates (she found the documentation on her desk one morning). However, her Manager was on sick leave and had failed to inform her about the procedure. She put it aside with the intention of asking later (and, of course, it was a hectic day in HR)… and the rest is history (in any case, we know what is said about good intentions…).]
Two months later it was discovered by one of the Marketing Managers. The billing just didn’t make sense. Oops. TOO LATE to ask customers for more money… they had already been billed. Water (potential profits) under the bridge…
IF, IF, IF…
If this potential risk was identified previously and the necessary policies and procedures (CONTROLS) were implemented, the profit erosion event could have been prevented…
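What such a control could look like inside the timesheet application itself, as an added illustration (this is not 21st Century Marketing Mavericks’ code, and the marketer names, hourly rates, work dates and the assumed 5% annual uplift are all constructed for the example): each rate in the standing data table carries the date on which it was captured, billing refuses any line whose rate predates the 1 January revision for the year of the work, and the same check can be run as a report to flag stale rates before anything is invoiced. It also puts a number on the profit erosion the story describes, the gap between the invoice at last year’s rates and at this year’s.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rate:
    hourly: float         # amount billed to the client per hour
    effective_from: date  # date on which this rate was captured as current


@dataclass(frozen=True)
class TimesheetLine:
    marketer: str
    work_date: date
    hours: float


class StaleRateError(Exception):
    """Billing would use a rate that predates the annual 1 January revision."""


def annual_update_boundary(work_date: date) -> date:
    """Rates are revised every 1 January, so work done in a given year must be
    billed at a rate captured on or after 1 January of that year."""
    return date(work_date.year, 1, 1)


def stale_lines(lines, rates):
    """Detective control: list every timesheet line whose marketer's rate has not
    been refreshed for the year the work was done."""
    return [
        ln for ln in lines
        if rates[ln.marketer].effective_from < annual_update_boundary(ln.work_date)
    ]


def compute_invoice(lines, rates, enforce=True) -> float:
    """Hours x hourly rate, summed over the lines. With enforce=True the stale-rate
    check is a preventive control: the invoice is refused rather than issued at
    last year's rates. With enforce=False it only computes (used for the
    what-if comparison in profit_erosion)."""
    stale = stale_lines(lines, rates)
    if enforce and stale:
        names = sorted({ln.marketer for ln in stale})
        raise StaleRateError(f"rates for {names} not updated for the billing year")
    return round(sum(ln.hours * rates[ln.marketer].hourly for ln in lines), 2)


def profit_erosion(lines, old_rates, new_rates) -> float:
    """How much an invoice raised at the old rates falls short of the new ones."""
    return round(
        compute_invoice(lines, new_rates, enforce=False)
        - compute_invoice(lines, old_rates, enforce=False), 2)


# Constructed sample data: two marketers, three days of nine hours each (54 hours).
LINES = [
    TimesheetLine(who, date(2024, 1, d), 9.0)
    for who in ("senior", "junior") for d in (8, 9, 10)
]
# Standing data as left when nobody captured the new rates: still last year's.
STALE_RATES = {"senior": Rate(120.0, date(2023, 1, 1)),
               "junior": Rate(80.0, date(2023, 1, 1))}
# Standing data as it should have been after the 1 January capture (assumed 5% uplift).
UPDATED_RATES = {"senior": Rate(126.0, date(2024, 1, 1)),
                 "junior": Rate(84.0, date(2024, 1, 1))}

if __name__ == "__main__":
    try:
        compute_invoice(LINES, STALE_RATES)
    except StaleRateError as e:
        print("blocked:", e)
    print("invoice at updated rates:", compute_invoice(LINES, UPDATED_RATES))
    print("erosion if billed at stale rates:",
          profit_erosion(LINES, STALE_RATES, UPDATED_RATES))
```

The point of the effective date on each rate is that the control does not depend on anyone remembering the procedure: the first invoice run of the new year fails loudly instead of two months of billing going out at old rates. Whether the check blocks invoicing or only reports is a business decision; the code shows both modes.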
But I am preaching to the converted, I hope. However, I am not always so sure that I am preaching to the converted when I put “business risk management” in plain English. To me, risk management is nothing other than protecting a company’s profits against erosion. A business threat or risk causes (or has the potential to cause) profit erosion, and by “managing your risks” you actually make an effort to prevent the occurrence of, or reduce the impact of, profit erosion.
I would like to wrap up with one last question and observation…
As a risk professional I know how difficult it is sometimes to explain risk management, and its intrinsic value to a company, to my clients. Would it not be easier to explain it in plain English? I tried it the other day – again – with a great deal of success.
My client experienced a system downtime of 8 days. This was due to the fact that they didn’t identify certain risks associated with their e-commerce system. The system didn’t perform certain data validation edits on the social security number and date of birth fields and, as a result, shut down after a customer had entered his number (the first time this had happened). It took them 8 days to sort out the system problem.
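The missing “data validation edits” above, as an added example that is not the client’s code: the page does not say which formats the real system expected, so the example assumes a US-style 000-00-0000 social security number and ISO YYYY-MM-DD dates. The unchecked parse shows the failure mode (a malformed value raises inside the handler), and the validated path turns the same input into a rejected request with field messages instead of an outage.

```python
import re
from datetime import date, datetime

# Assumed input formats; the page does not state which the real system used.
SSN_PATTERN = re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}")  # ASCII digits only
DOB_FORMAT = "%Y-%m-%d"
MAX_AGE_YEARS = 120


def parse_dob_unchecked(dob_field):
    """The failure mode described above: the field is parsed with no edit in
    front of it, so any malformed value raises and, in a handler without a
    catch, takes the service down with it."""
    return datetime.strptime(dob_field, DOB_FORMAT).date()


def _text(fields, key):
    """Treat a missing or non-string field as empty instead of crashing on it."""
    value = fields.get(key)
    return value.strip() if isinstance(value, str) else ""


def validate_customer(fields, today=date(2024, 6, 1)):
    """Input edits for the two fields. Returns a dict with 'ok', per-field
    'errors' and the cleaned 'values'; never raises on bad input."""
    errors, values = {}, {}

    ssn = _text(fields, "ssn")
    if SSN_PATTERN.fullmatch(ssn) is None:
        errors["ssn"] = "must be nine digits in the form 000-00-0000"
    else:
        values["ssn"] = ssn

    dob_raw = _text(fields, "dob")
    try:
        dob = datetime.strptime(dob_raw, DOB_FORMAT).date()
    except ValueError:  # wrong layout, or a day that does not exist (e.g. 30 February)
        errors["dob"] = "must be a real calendar date in YYYY-MM-DD form"
    else:
        if dob > today:
            errors["dob"] = "cannot be in the future"
        elif dob.year < today.year - MAX_AGE_YEARS:
            errors["dob"] = "is implausibly far in the past"
        else:
            values["dob"] = dob

    return {"ok": not errors, "errors": errors, "values": values}


def handle_signup(fields):
    """Request handler with the edit in front of processing: malformed input
    becomes a 400 with field messages, never an unhandled exception."""
    result = validate_customer(fields)
    if not result["ok"]:
        return 400, result["errors"]
    return 200, {"ssn": result["values"]["ssn"],
                 "dob": result["values"]["dob"].isoformat()}


# Constructed sample submissions.
GOOD = {"ssn": "123-45-6789", "dob": "1980-02-29"}
BAD = {"ssn": "12345", "dob": "31/12/1980"}
IMPOSSIBLE = {"ssn": "123-45-6789", "dob": "2023-02-30"}

if __name__ == "__main__":
    for name, sub in (("good", GOOD), ("bad", BAD), ("impossible", IMPOSSIBLE)):
        print(name, handle_signup(sub))
    try:
        parse_dob_unchecked(BAD["dob"])
    except ValueError as e:
        print("unchecked parse raised:", e)
```

The edit sits in front of the parse rather than relying on a catch-all around the whole handler: the caller gets a message naming the field, and nothing downstream ever sees a value that has not passed the check.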
The profit erosion was huge as they couldn’t perform transactions for 8 days – i.e. a loss of potential profit. Additionally, lawsuits are right now pouring in from business partners, due to the fact that they didn’t deliver according to the service level agreements in place. Lawsuits will erode some more profits – lawyer costs as well as possible penalties (direct profit erosion).
When I asked my client to compare the cost of “risk management” (i.e. identifying risks) and controls (i.e. implementing controls) with the amount of profit erosion they had experienced, I IMMEDIATELY saw a sparkle in his eyes… he understood at once. No more explanation was necessary from my side. I could go home and enjoy my weekend.
For more information about profit protection planning, you may want to read my Business Plan Guide.
If you have any questions, you are welcome to contact us at firstname.lastname@example.org
Michiel Jonker, CISA