Risk management, am I doing enough?
Depending on the type of company, and more importantly the type of management you have, the phrase “Risk Management” can take on different meanings. I prefer the way one of my clients put it: the auditors who help with risk management “are the good guys!”. Some think those who help with risk management just tell them what they are doing wrong. Maybe there are consultants out there who do make people feel that way, but the real purpose of risk management is to help. Help? Yes, help! Have you ever wondered if your organization was doing what it should to manage risk? Have you taken the time to identify what risks your business faces? If you answered “I think so”, “to some extent”, “I’m sure we do enough”, or just flat out “No”, then you are probably not, or definitely not, getting as much out of your risk management function as you should be.
What is Risk Management? The purpose of risk management is to help an organization understand where its risks are, how severe those risks are, how those risks are being mitigated through the use of internal controls, and whether the internal controls used to mitigate those risks are working, or “operating effectively” as we call it. Many will identify a risk and say “yes, we have an internal control for that”. But all too often, the control established really doesn’t mitigate the risk the way you think it would. A common example is having an individual review a report to ensure nothing on it is unusual and that it agrees to supporting documentation. But what if the individual performing the review can also make the entries that appear on the report, even if they are not supposed to make changes? Many organizations do this thinking they’ve addressed the risk, and while they have addressed some of the risk, they have not addressed all of it. So, while a control is in place, it may not be operating effectively. This is the benefit of having a risk management team, or utilizing outside consultants to help you, even if you don’t think you need it.
But do I need a risk management function? This is a common question. Based on your industry or the size of your company, something like this may be required by regulation or law. But if it’s not, the question may not be whether or not you need it, but whether or not you would obtain value from one. When I took a course in college related to risk management, the professor was able to get some local businesses to sign up to let the students come in and evaluate their risks and determine if they were being mitigated. This gave the businesses a chance to get some outside perspective and the students a chance to get real world experience. I was assigned a restaurant on campus, and we walked through all of the processes of a restaurant to determine if there were any control weaknesses. At the end of it, we had identified a few areas where controls could be improved to help prevent errors or theft. While there was nothing earth shattering, the owner was ecstatic with the work we performed and with hearing about all of the risks we identified and how they were being mitigated. They were fortunate to get our services for free, but at the end, it certainly seemed like something they would have been happy to pay for as well, knowing that, for the most part, they had sound internal controls in place to mitigate the operational risks of running a restaurant. The bottom line: if you have a business where there is any form of risk, then the worst-case outcome of having a risk management function is obtaining peace of mind knowing you have addressed the risks associated with operating your business.
Who can help with your risk management function? This all depends on your size, your available resources and the frequency with which you expect to have audits performed. Larger organizations opt to hire someone internally, or a team of individuals, to assist with these. This is good, so long as the individuals can maintain their independence from management. A common issue with hiring someone internally is that they may find themselves with frequent downtime, and “savvy” management teams always want to leverage available resources where they can, so on occasion we have seen the individuals hired for this role used to review reports or perform other responsibilities normally assigned to management. The problem with this is that the risk management team is no longer independent of these controls, and in fact has now become the control. This is why many organizations will opt to outsource the risk management function, in addition to the usual cost savings associated with not having to employ someone full-time. Outsourcing can save you money, time, and resources, while getting highly experienced and efficient individuals to do the work. In addition to this, an outsourced risk management team will generally have a multitude of available resources within their firm to help with other issues that may arise within your organization.
Another option is having both someone internally and hiring a third party, or co-sourcing as it is called. Co-sourcing allows you to have someone year-round while also getting the high level of expertise a consulting firm can provide, without having to pay multiple salaries or worry about keeping multiple individuals busy all year. The third party can either be the busy bee you leverage to get the work done, or the one in charge of overseeing your staff to ensure they stay busy throughout the year.
The bottom line: there is no one-size-fits-all or single best solution. The solution is, and always will be, whatever makes the most sense for you. But the solution should include risk management, because without it, you’ll never really know what you don’t know.