
Accountability and reporting structure for risk management

In many corporations, there is a principal concern to have a proper system for risk assessment and risk control within the business that can assure the corporate board and executive that its risk exposures are thoroughly and regularly attended to.

This paper outlines a case study example of the adoption of a risk management process into a newly corporatised enterprise. The key purpose of this process was to have risk assessment and risk control integrated within the operations and commercial practices of the corporation so that its directors would be assured that all risks of the business were being properly managed.

Setting

Broadly, a picture of the corporation can be painted as follows. It was a public utility. Recent corporatisation and legislative changes have placed it in a commercial environment.

It operates in a mature market with little opportunity to increase profitability through increased price or increased volume. The corporation has gone through substantial change and its corporatisation has directed priorities to the following in particular:

Increased emphasis on efficiency

There is a need to gain a critical scale, higher utilisation levels, lower cost supplies and tighter financial controls – particularly of overheads. The emphasis is on reducing costs and the creation of individual business profit centres.

Increased flexibility

The organisation requires greater operational flexibility than previously in light of a more uncertain environment and a potentially volatile marketplace. In practice, this means decentralisation and greater autonomy at lower operating levels.

Market protection

Protecting and maintaining revenue and market share, and particularly key customer accounts, is now a prime commercial objective. Similarly, satisfying the organisation's stakeholders is a concern; stakeholders include not only the Government, but also the customers, suppliers, employees and the public.

Devolved structure and accountability

Accountability lies with individual business managers who operate somewhat autonomously and as individual profit centres. Their emphasis has shifted from the technical base of the organisation (commitment to additional assets and spare capacity) towards commercial reality (meeting customers' expectations on price, security of supply and quality of service).

The cultural shift in the corporation involves the following changes:

  • hierarchies become teams
  • boundaries become connections
  • internal focus becomes external focus
  • supervising becomes empowering
  • second guessing becomes trusting
  • controlling becomes supportive
  • technical becomes business
  • analysis becomes lateral thinking/action
  • avoidance becomes calculated risk taking

The changes and the uncertainty associated with empowerment and calculated risk-taking clearly raise concerns, e.g. are all the necessary legislative checks and balances in fact still in place?

External factors, such as greater commercial pressures and the introduction of new legislation, add to management's, and particularly directors', uncertainty.

The risk management structure

The corporation is exposed to a number of risks, for example:

  • property damage and machinery breakdown
  • failure to supply
  • contractual liabilities
  • fire
  • environmental
  • external impacts such as changes to its operating market regulations

As the corporation has devolved into accountable business areas, line managers are answerable for the costs and consequences of these risks and the business must bear the costs of both insured and uninsured losses.

The main issues are shown below. These:

  • require line managers to be properly instructed and report periodically to the board on the operation and effectiveness of the system
  • include supervisors at all levels
  • require periodic inspections and random audits
  • require relevant line managers to report, as quickly as possible, on any significant matter of non-compliance
  • require line managers to report any identified concerns from either internal or external sources
  • involve proper training for everyone involved in compliance
  • involve appropriate division of responsibilities

An outline of the risk management structure

The structural characteristics of the risk assessment and risk management process within the business involve due diligence for:

  • Directors, executives, managers and supervisors: formal risk assurance and risk control reports
  • Accountability: risk management standards, structure and process
  • Training and awareness: scheduled program and external assistance, advice
  • Risk transfer strategy: risk, price and coverage reviews at insurance renewals

Broadly, the risk management strategy comprises two components: risk control via management actions and risk transfer via insurances. The major characteristics of the risk control process and the assurance that risk controls are in place are the following:

Reporting up to the board

This uses a 'self audit process'. Responsible middle managers and supervisors complete predetermined risk assessment checklists for their respective business managers. The business managers, in turn, collate these checklists and prepare a summary report for the board, justifying any 'gaps' or risk exposures that still remain to be resolved. These reports are provided to the board every six months. There is a 'fast track' process to report significant exposures and incidents.

Reporting back by the board

The board provides the business managers with the necessary policy, direction and motivation by completing the loop and providing its feedback into the organisation through the management chain of command.

Periodic inspection and random audits

A system for random sampling and audit of the self-assessment reports ensures consistency and accuracy in reporting. This check is undertaken by an external risk management specialist. Individual business managers also arrange periodic independent audits of key specialist areas in their area of accountability, and report on and attend to any concerns raised by the auditor.

Peer review

As a further check on consistency of risk assessment and control, there is a system of 'peer review'. A supervisor from one area will undertake a physical inspection of the facility operated by a colleague. To do this, line managers agree a schedule. The board has access to the review schedule and may request reports should it wish. In this way it can 'drill down' into the organisation. As well as contributing to the risk assurance process, these reviews provide a mechanism to 'share best practice', provide consistency and utilise internal resources.

The risk focus of one business may appear as a different risk focus in another, but all have the ultimate objective of protecting the customer base and protecting the revenue of the corporation.

Audit committee

There is a subcommittee of the board accountable for audit management. Its responsibilities also focus on the risk assessment and risk assurance process.

The 'drivers' that make it work

Risk assessment is requested by the board in a culture where managers are empowered, trusted and supported by the organisation. Random sampling, audits and peer review provide the consistency checks. Feedback and questioning by the board complete the loop.

Managers and supervisors also have risk management policies to follow. These are supported by performance standards and a six-point strategy designed to lead to a progressive improvement in the management of risks.

Conclusion

The process exemplified by this case study indicates how risk assessment, and subsequent risk control, can be readily and simply integrated into a corporation's operations and business culture.

The process provides comfort to the board of the corporation and enables it, if so desired, to 'drill down' into the organisation on specific matters. It also provides managers and supervisors with a straightforward risk management structure and procedures.

Risk management guidelines from this case study

This case study suggests the following guidelines for a risk management structure in a corporate environment:

  • The structure must be clear and simple
  • The structure should be integrated into the existing management and supervisory processes
  • The goals for risk management need to be well defined and understood
  • The interest and commitment to risk management of the executive of the organisation drive the attention of operational managers and supervisors
  • What gets measured and reported on gets done.

Page last updated: Wednesday, 7 April 2004
