Most companies have taken concerted steps to re-examine the way they manage risks in the light of the recent financial crisis. This should be seen as an essential board-level responsibility and be an intrinsic part of any strategic planning exercise.
It is a mistake to think that a company known for a conservative outlook manages risks closely, while one regarded as entrepreneurial will necessarily have fewer controls. For both, it is important to manage risks tightly by observing relevant regulations and applying strict internal guidelines.
The basic difference should not be a question of whether to be vigilant or not. Rather, it is in how and where they decide to invest after completing due diligence and putting the appropriate measures and controls in place.
To develop a comprehensive programme to identify risks and quantify them, the only sensible approach is to be methodical and keep considering possible worst-case scenarios. Given the variety of risks that any organisation can face, the task requires a good understanding of the company's business, sound judgment, common sense and a little imagination.
The process should involve senior - and junior - staff from each department or discipline and not be limited to individuals in, say, the risk management or finance function. Whatever their range of experience, they may overlook day-to-day practicalities or not know which questions to ask.
In order to carry out an effective review of risk-management policies and procedures, an organisation should consider:
Appetite: This should be clearly defined by the board of directors. Some companies have a much greater appetite for risk; they may have deeper pockets or a dominant shareholder pushing for faster growth. This outlook determines the culture of the company and the sums it is prepared to venture, but does not mean it should be taking questionable shortcuts or evading rules.
Identification: Internal staff should be able to pinpoint most of the likely risks. However, it is always wise to seek input from external advisers who have specialist experience and alternative viewpoints.
Compliance: Each organisation is subject to a series of laws and regulations depending on the country and sector in which it operates. The most basic step in terms of risk management is to understand and fully comply with these requirements and to ensure staff are left no room for uncertainty. Strict supervision and regular checks go a long way to eliminating the sort of risks that can otherwise materialise from lax observance of certain rules, willingness to turn a blind eye, or a general laissez-faire attitude.
Training: It is fair to say there are significant risks attached to every job. A managing director can make the wrong call on a billion-dollar deal. But in their own sphere of influence, a production manager, systems supervisor or accounts clerk can also cause considerable disruption through simple inadvertence. Therefore, a crucial factor in managing risk is to arrange appropriate training on a regular basis. In that way, staff at different levels will come to understand the risks involved and see the possible repercussions of any slip-ups.
Coverage: The logical practice is to start by reviewing the risks that are more prevalent in the sector. At some point, though, it is also important to step back and consider the big picture.
In this context, that means asking how well the company is prepared and how it would have to react if faced with major changes in the political, economic, regulatory or competitive environment. Such exercises might seem over-speculative, but companies that plan for the unexpected are generally those best equipped to deal with risk.
Scott Lane is principal and chief executive of the Red Flag Group, a Hong Kong-based ethics and compliance consultancy.