Reducing the risk

Recently we completed a research project with Oxford Analytica, which identified the Top 10 Strategic Risks to global business. An interesting finding was the similarity of the risks companies should be worried about – regardless of their sector. There is a commonality around things like regulation and compliance, global financial shock (particularly relevant at the moment), and the challenges faced in effectively capitalising on the potential of emerging markets.

Beyond that, there are some ‘bigger picture’ themes like the impact of an ageing population, increasing consumer demands combined with something we’ve termed ‘radical greening.’ The pace and extent of the “green revolution” is hard to predict but could pay dividends if consumer tastes and regulation shift quickly. When you combine this “greening” with the emerging market risks it becomes an interesting dynamic: companies are trying to leverage emerging markets to improve their supply chains and be more cost competitive, but that brings ethical and environmental challenges. With this radical greening concept popping up on this radar, it’s quite a challenge for enterprise to get right.

We’re finding organisations are beginning to talk about enterprise risk management again. When Sarbanes Oxley came on the scene, a lot of them dived into the detail to focus around financial reporting process risks. To some extent, the wider enterprise risks took a back seat, not getting the same level of attention, despite being risks that can destroy a reputation and lose competitive advantage remarkably quickly. There’s an increasing desire to think of enterprise risk management as potentially very positive rather than negative. If you can effectively understand the risk that you’re facing and be responsive to it you can take advantage of opportunities quicker than others. You will be thinking about the bigger picture, rather than thinking it’s all about avoiding bad stuff.

Regulation

Companies are starting to take things like governance and compliance more seriously. In financial services when Sarbanes Oxley came along there was obviously a lot that had to be done in terms of compliance. Companies are currently trying to increase efficiency and effectiveness in risk activities, and IT governance and process is part of that. Because of all the regulation and acquisitions that certain companies have been through there has been a “wedding cake” effect: layers and layers of risk activities built up with little connection with each other. The term being coined for streamlining this is risk convergence – there’s a real appetite to achieve this convergence in the banking and financial sector at the moment.

Progress

Things work well when an organisation has a good idea of what their strategic risks are and review them annually. Strategic risk is constantly moving, but there is the tendency to think that if you’ve done it once you can leave it on the shelf for two or three years. But the environment we’re in now moves too fast. Reviewing that risk radar on a regular basis is important, and also ensuring that once you’ve identified those risks you effectively evaluate how well you respond to them.

It’s no good just identifying risks. You need to know how you’re going to respond. That means having early warning indicators and decision-making processes that explicitly balance risk and return before any decisions are made. The programs that deliver those strategic initiatives must be robustly managed and monitored. If the worst-case scenario happens and a risk materialises, you need effective scenario planning and operational response plans to mitigate any potential disaster. If all those factors are taken together and hardwired into management’s performance dashboard then you have got a more real time approach to risk management.

If you develop that strategy from the top down across the organisation, then the silo effect – having all these layers upon layer – is whittled away as you focus on those risks that are the most important. A lot of organisations have had multiple pages of risk registers running for a long time, but do any of them actually make a difference to decision making? That’s the key test.

In the research work that we did, one of the top 10 strategic risks for global business was the inability to capitalise on the rise of the emerging markets. As companies are entering these markets – to look for opportunities to grow a market because traditional markets are saturated or to find competitive advantage in supply chains – they are finding problems. Such threats include currency, operational effectiveness, language and cultural issues as well as understanding and complying with multiple regulatory environments.

For example, the Foreign Corrupt Practices Act is actively enforced by the US authorities As you enter markets like Russia, China, Brazil, India or Turkey, you enter areas where the potential damage to a global organisation’s reputation from breaches of the Foreign Corrupt Practices Act can be very severe. Another survey we conducted on risks in emerging markets specifically demonstrated that although this is in the top 10 biggest strategic risks, 56 percent have no emerging market strategy at all. That should be a real concern for business.

Better management

Think of the cases of Mattel and GAP. Recently both companies have had issues with their emerging market supply chain that have attracted negative attention. People tend to think about risk in terms of what they know and understand, but as you reach out for the first time into emerging markets you have to understand what you’re getting yourself into. Think about your due diligence processes, think about the management that you put in there, think about how you monitor that. It’s vastly important to build all of that into your investment decisions.

About the contributor

Fiona Sheridan, Managing Partner, Risk Advisory Services
Fiona is a chartered accountant with 14 years experience in internal audit and risk management and extensive global financial control project experience over the last 3 years. She has a particular focus on the technology and telecoms sectors.

She leads EY’s s404 response in relation to foreign registrants and has been involved in supporting and advising a number of multinational UK based companies on their s404 projects. She speaks regularly about Sarbanes-Oxley and its implications and currently leads the Ernst & Young SOX Think Tank.

She also works with companies to improve their internal audit functions and works in partnership with internal audit heads to deliver leading internal audit services across business as usual processes and also change programmes and projects.

Company leadership must:

• Conduct an annual risk assessment that defines key risks and weights probability and impact on business drivers. Many companies undertake some form of risk assessment, but our experience suggests that too many do not do this on a frequent enough basis.
  Our research suggests that one in five do not perform a risk assessment and over one third conduct a risk assessment less than once a year.
• Such a risk assessment needs to go beyond financial and regulatory risk to consider the wider environment in which your organisation operates and the full extent of its operations. Less than 50 percent of respondents to our survey, Compliance to Competitive Edge: New Thinking on Internal Controls, believed that they had effective controls for M&A, IT implementation, business continuity planning, real estate construction, transaction integration and expanding into new international markets.
• Conduct scenario planning for the major risks that you identify and develop a number of operational responses – this can be a useful part of the planning cycle and help encourage innovative thinking.
• Evaluate your organisation’s ability to manage the risk that you identify – in particular ensure that your risk management processes are linked to the risks that your business actually faces. The responsibility for risk must sit with the business. Do you have a ‘risk radar’? Is it current, and how will it warn you of potential risks?
• Effective monitoring and controls processes can give you both earlier warning and improved ability to respond. There can be value from much of the compliance activity demanded from regulators, but this has to be mined.
• Keep an open mind about where risks can come from. Ours is an increasingly interdependent global economy and risks that can damage your business can initiate in markets and sectors a long way from your own. High-risk mortgage lending in the US to people with limited or no creditworthiness ends up hurting the pension funds of the most cautious saver.