Meeting objectives through risk and compliance management
By Honest Madzivadondo
Senior Manager: Governance, Risk and Compliance FFR-NAM
In order for a risk management framework to add value, it needs to be formulated and implemented in such a way that it addresses the organisational needs. Additionally, in order for an organisation to be able to ascertain and measure its needs, it has to come up with its ‘needs statement’, which is what we call the strategic plan or the business strategy.
It is through this that I ask organisations one pertinent question: Does your organisation have an approved strategic plan?
Business strategy is the art, science, and craft of formulating, implementing and evaluating cross-functional decisions that will enable an organization to achieve its long-term objectives. Strategy drives and determines the risk and compliance process. Strategies are typically planned, crafted or guided by the Senior Management, approved or authorized by the Board of directors, and then implemented under the supervision of the organization’s top management team or senior executives. It is at this level that the risk appetite of the organisation is determined. The risk appetite statement is based on the broader context of the strategic, tactical, operational and compliance objectives of the company, as set out in the organizational strategy.
Risk Appetite Statement
Any organisation is made up of a number of different people, each taking decisions on behalf of the organisation on a daily basis. Unless the organisation has a defined risk appetite, it is reasonable to assume that these people will be taking decisions based on their own personal risk appetite.
The Institute of Risk Management has recommended the following steps when developing an approach to risk appetite and the production of associated risk appetite statements:
1. Identify stakeholders and their expectations, together with an analysis of the risks to strategy, tactics, operations and compliance, as set out in the risk register.
2. Establish the desired level of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements.
3. Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of acceptable risk tolerances.
4. Reconcile the risk appetite and risk tolerances with the current level of risk exposure and plan actions to bring current risk exposures into line with risk appetite.
5. Formalize and ratify a risk appetite statement(s), communicate the statement with stakeholders and implement accordingly.
Does your organisation have a risk appetite statement?
Policies and Procedures
The senior management has the responsibility to formulate strategy. That strategy is designed as a screen meant to shield the business from the internal and external exposures and to maximize value out of them as well. The same team must then formulate the policies that guide the business. According to the business dictionary, policies are “principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible.” Policies must be shared with everyone relevant in and outside the organisation to make them aware and to protect the organisation.
Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view. The policies are therefore meant to guide the decision-making process in such a way that it is aligned to the strategy. Do you have policies and procedures to protect your organisation, and are the employees made aware of them? Are your policies and procedures reviewed and updated regularly?
In an organization there are policies and procedures that should and must be adhered to. In an industry setup, there are rules and regulations to be complied with. Some acts of non-compliance will expose the business to fines, loss of business, even loss of life, reputational damage, loss of assets, liability claims and perhaps even complete business failure. Management must formulate a process of managing corporate compliance to meet all these regulations within a workable time frame and budget. The company act, environment act, financial intelligence centre act, banking act and insurance act are a few of the many pieces of legislation that enforce compliance.
Is your organisation submitting tax and/or social security returns, and on time? Do you know the implications of non-compliance? Do you understand all the acts that govern your industry, and do you know the effect of non-compliance with those?
Risk and compliance management acts as an enabler that allows the organisation to meet its strategic objectives within the constraints of time, cost and scope. The cost-benefit analysis is the best measure to evaluate the efficiency of your framework.
Risk management workshops facilitated by an experienced risk consultancy will help the business to identify and analyse potential risks. This should be done in a practical way that will help management understand the risks it is taking and appreciate the need for risk management in enabling the business to meet objectives. Do you know and understand the sources and causes of risks that could affect your business and country, as well as the consequences?
What are the factual risks your organization is managing? And do your colleagues also perceive these as risks? Take a moment to go back to basics and make sure you take into account the perception of risk.
Every day, everywhere, we read, see and hear about fraud cases, disciplinary hearings, labour disputes, and businesses closing down due to license cancellation. These are only a few of the loads of risks that businesses face on a daily basis, and your business is not immune to them. Every organisation needs a risk management framework that addresses its setup. Prevention is better than cure.