Despite being a late entrant, business and risk consulting firm Protiviti has made a mark for itself in the internal audit market in India in a short span of six years. Mritunjay Kapur, country managing director, Protiviti Consulting, joined the firm in 2006, and is credited with spearheading the company’s growth strategy in the country. In this conversation with Alokananda Chakraborty, Kapur talks about the lessons learned from the recent financial crisis and how organisations are reacting to the new demands of risk management. Excerpts.
The global financial crisis of 2008 put the spotlight on risk management and what its failure could lead to. How do you think the approach of corporations toward risk has changed?
The financial crisis has led to a situation where markets and companies are striving towards increased transparency and have become subject to stricter regulatory compliance requirements. Companies will be required to take a closer look at their risk universe. Corporations that have traditionally viewed risk management as an unnecessary cost will be compelled to rethink and realise that the benefits of risk management outweigh the costs. Enterprise risk management (ERM) systems will soon become the norm for most companies. ERM systems can help companies by providing an enterprise-wide view of risk, improving information for decision making, reducing unwanted and costly surprises, rationalising the cost of risk management and contributing to long-term value creation and protection.
What are the limitations of the traditional way of assessing risks? Why do you say ERM systems will soon become the norm for most companies?
It has become increasingly clear that traditional risk management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalised. These risk management approaches often limit the focus to managing uncertainties around physical and financial assets. Because they focus largely on loss prevention, rather than adding value, traditional approaches do not provide a holistic framework most organisations need to redefine the risk management value proposition in this rapidly changing world.
Under ERM, the focus is on integrating risk management with existing management processes, identifying future events that can have both positive and negative effects, and evaluating effective strategies for managing the organisation’s exposure to those possible future events. ERM transforms risk management to a proactive, continuous, value-based, focused and process-driven activity.
Can you identify the top five corporate risk management areas in need of improvement? Are there barriers that companies must overcome to implement a truly integrated risk management programme?
In our view, a few key areas that are in need of improvement are IT effectiveness and control, data security and integrity, financial reporting, fraud, supply chain and human resource management. The barriers to implementing a truly integrated risk management programme lie primarily in the lack of support from the top management and/or the board and the lack of stakeholder buy-in. There has to be a culture of transparency and good governance in a corporation for such a programme to really take off. Other issues in the way of applying an effective risk management approach across the enterprise pertain to the failure to define risks, associated controls and responsibilities to own those risks and controls and the failure to manage change.
What would be your advice to risk management teams struggling with lack of empowerment?
My advice to risk management teams struggling with lack of empowerment would be to realign their reporting to be independent of the business units, and to consider appointing a chief risk officer (CRO) who is empowered by the board. The CRO facilitates the execution of risk management processes and infrastructure. With the assistance of a staff function, the CRO supports the board (or a designated board committee), the CEO, the executive committee (or a designated risk management committee) and business unit and support unit managers. To be truly effective and to enhance the appearance of objectivity, the CRO and his team should be insulated from and independent of business unit operations. This will bring seriousness and accountability to the organisation. Remember, no initiative can be successful without the direct sponsorship of the board and the CEO of the organisation.
But then the challenge for risk management to work is beyond technology — it’s cultural. How does a corporation effectively address the culture issue?
Just appointing a CRO is not enough. An enterprise-wide initiative will require a significant change in the corporate culture, and that will not happen without the buy-in of the top management and without tying the ERM principles to specific business needs. Effective risk management requires a focused effort to gather all the necessary data and involves careful examination of a company’s strategy and global operations. Determining precisely where risks lie is not an intuitive process; it is a disciplined, structured approach consistent with market-leading practices. Further, integrating risk management with strategy and the annual operations plan will be the key enabler and will eventually drive the cultural shift.
Can you discuss some of the best practices for boards of directors with regard to risk oversight?
Anticipatory and proactive oversight requires a strong emphasis on upfront board involvement in policy setting, risk assessment and strategy formulation. Through the activities of their various committees, boards enhance the quality of the oversight process by adding value to management’s assessment of the organisational risks. Once risks are identified and sourced, boards should ensure the management evaluates the company’s options for managing the critical risks, leading to policies clarifying responsibilities, authorities and accountabilities. Also, the board should satisfy itself that growth and innovation are encouraged and rewarded without creating unacceptable exposure to risk. It should see that the risk appetite inherent in the organisation’s opportunity-seeking behaviour in developing new products and new markets is clarified, understood and managed, and that the defined boundaries and limits clearly exclude behaviours and actions that are off-strategy and unacceptable. Having a clearly defined MIS (management information system) to monitor risks and take updates on key issues identified is critical for the board to be able to accomplish effective risk management.
The other issue is to ensure that performance measures and targets do not encourage excessively risky behaviour and that effective internal controls and checks and balances are in place in high-risk areas. Most importantly, it is incumbent on the board to see that an enterprise-wide view, rather than a narrow unit or functional view, is taken when selecting strategies to optimise risk and reward for the enterprise as a whole.
Is it possible to go overboard with risk management and, if so, where do you draw the line? How should a company keep risk on the forefront without hurting its performance?
Yes, it is possible to go overboard with risk management. With regard to competencies related to risk appetite, many organisations know the risks they face but are less clear about how much of each risk or combination of risks they are willing to tolerate. A conservative risk appetite can adversely affect a company’s performance, employee morale and the ability to grow. Companies need to evaluate their risk appetite levels and then set and define the risk appetite. The mantra to follow is: Know Risk, Know Reward.
How can an organisation adequately train employees throughout the company on their role in protecting privacy and data leakage?
The first thing is to establish privacy and data protection policies that are monitored and enforced continuously within the organisation. It is important to ensure there is clear organisational accountability for privacy and data protection, as well as strong coordination among key players — compliance, information technology, security, business lines and internal audit, among other process owners. So, design and implement robust monitoring and testing of privacy and data protection risks and related controls.
There are a few initiatives organisations seeking to build and maintain an effective and compliant privacy and data protection programme should undertake. They should conduct a comprehensive risk assessment that, among other considerations, identifies the nature of information collected, where it is stored, how and where it is transmitted, and the laws, regulations and standards that govern handling of the information. It is important to note that the risk assessment process can be especially challenging for large global organisations that have a multitude of systems and must consider the impact of myriad, and sometimes conflicting, laws and regulations.
In all this, the key will be to implement comprehensive training and build employee awareness of risks, particularly what is expected of each employee to protect the organisation. Also, confirm the organisation does not have misplaced or unverified reliance on third-party providers that have access to the organisation’s own information or that of its customers, and define procedures for addressing possible breaches to ensure timely action and response. By implementing these, organisations can mitigate the risk of regulatory sanction and, more importantly, irreparable risk to reputation.
Can we take a look at the technology that is leading the way in risk management?
Every risk management solution is impacted by technology. Enterprise software solutions are informational tools that act as an enabler for ERM, particularly for the purpose of managing non-financial risks. As companies configure enterprise-wide systems to work seamlessly with risk measurement systems, they will consolidate more information.
There are three primary categories of risk management software. One, enterprise risk assessment tools, for instance decision support, survey and risk registers. Two, Protiviti’s governance portal. Three, operational risk management software tools, whose primary components include data collection and self-assessment tools, scenario and model building, operational risk exposure and capital calculators, with internal and regulatory reporting. You also have integrated compliance and risk management platform solutions.