CPA Magazine – Enterprise Risk Management: Common Causes of Failure and What you can do about it
Date: October 6, 2014
Presenter: Robert Torok, CPA, CA
Robert Torok, CPA, CA is the co-founder of Better Vu. He specializes in performance and risk management, including risk identification, assessment and monitoring. His expertise in a wide range of industries has benefited many business owners. In this webinar, Torok shares his personal view of enterprise risk management and provides direction for business owners.
The things that can go wrong
Based on statistics from IBM Global Business Services, material risk events encountered in history fall into six categories: operational, environmental/health, legal, strategic, political, and financial.
Operational | Environment / Health | Legal & Compliance |
Hurricane Katrina | West Nile Virus | Fraud |
Data center outage | Safety crisis | Product liability claims |
Delivery risk | Compliance with environmental standards | Missed timeline for legal changes |
Blast furnace cold run | SARS | Embezzlement of parts |
ERP application crash | Food sanitary management problem | Safety of goods or products |
Plant disaster causing production stoppage | Climate change | |
Environment pollution | | |
Strategic | Political / Geopolitical | Financial |
Industry consolidation and globalization | Change of government – and minority government | Currency exchange rate |
Error-filled release of software upgrade | Grants and budget changes | Interest issue and increasing reserves |
Change in core product demand | Constant change of ministers | Accuracy of realistic balance sheet reporting |
Cancellation of major customer contracts | Federal Accountability Act | Ability to manage cash |
Performance standards and service quality | Terrorism | Non-transparent markets |
Economic recession | | |
Energy and commodity costs | | |
Torok believes many organizations assume the CFO is responsible for risk management; however, finance is a small portion of overall risk. Operational risk events are related to other sections and have ripple effects. Therefore, risk can be encountered anywhere in the organization.
Understanding Failure and Positioning for Success
Torok emphasizes that 70% of business owners failed to identify half of the risk events in the organization; therefore, more than 50% of the risk events are totally unexpected.
In addition, 70% of business owners failed to accurately estimate the impact of half of the risk events that were identified. This indicates that, on average, organizations have a 20% success rate in dealing with business risk events.
Torok believes there are 3 reasons organizations fail.
- Lack of understanding
- Enterprise culture
- Focusing on the wrong things
If an organization cannot define its risk appetite or tolerance, business owners will have a hard time determining risk valuation. If sharing risk information is not incorporated in the business culture, the organization will not be able to learn from its mistakes. Moreover, if organizations focus on a different direction, they will manage strategic risks poorly.
Torok suggests that business owners think in terms of a 5-, 10- or 20-year vision instead of a fiscal quarter or year. This is important because business owners can then define their goals with effective decisions.
“The biggest risk is the question you forgot to ask because the danger is always something you do not know”
Business owners can be in 4 kinds of positions.
Hero | The organization is prepared and the risk occurs |
Unsung Hero | The organization is prepared but the risk has not occurred |
Lucky Fool | The organization is not prepared and the risk has not occurred |
Villainous Scoundrel | The organization is not prepared and the risk has occurred |
Business owners need to understand that numbers and quantitative analysis are not enough to identify risk. Therefore, Torok has listed several questions business owners can ask to dig deeper into the risk.
- What happens if…?
- Have we considered…?
- What is our past experience…?
- What kind of competitive reaction might we expect if we do…?
- How will other stakeholders react to…?
- Have we tested the response plan? What is the best backup plan?
A Deeper Dive
On average, half of organizations do not have a proper risk management philosophy documented. Therefore, many organizations are making independent decisions. Business owners need to understand that it is not one person's responsibility; it is the whole organization's responsibility to determine the risk.
Torok recommends that every organization have a cross-functional risk team. The team will help the organization develop a risk management philosophy that can be embedded in key business processes. The organization will then apply proper practices when risk events occur. All processes will be documented, captured and analyzed for future review.
Business owners need to give employees the flexibility to respond or make risk-related decisions instead of creating boundaries. Organizations can apply risk management through rules, policies, procedures and controls.
Overall, enterprise risks are a chain reaction from external risks. This involves financial, strategic, hazard, and operational risks.
There are different sets of risks business owners need to consider.
- New Competitors
- Offensive Advertising
- Skills Shortage
- Pollution
- Geopolitical
- Natural Disasters
Lessons learned and call to action
Before an organization can create an Enterprise Risk Management (ERM) strategy, Torok emphasizes that practitioners are not judges; they are consultants. They should ask questions rather than challenge. ERM is a combination of what is expected to go wrong and what could go wrong. Therefore, the reporting should not be too elementary or simplistic. It is important to think of ERM as leading to potential cost, not expected cost.
The irony of ERM is that, in the end, nothing bad happens. This might lead to segregation of responsibility, such as “not in my term of office” or “not on my watch”. Therefore, Torok suggests that all business owners take these considerations into account when implementing ERM.
- Take a broader and longer-term view of risks
- Be more inclusive in the organization
- Establish a feedback and learning process to avoid repeats of failure to identify and failure to estimate impact
- Establish a culture of risk, with employees knowledgeable about risk tolerance and appetite and able to act within those bounds.