Wednesday, April 21, 2010


“Write about models” a close personal friend urged. “Everyone loves models, of one type or another.”

In business we all need to make a profit in a sustainable manner, to verify that the contribution we make in our chosen arena has validity. Doing it right the first time reduces costs, adds to the sense of legitimacy and promotes an air of satisfaction within the operation. It’s good for team morale and serves as a platform for greater challenges.

Let’s look at business risk or compliance models, call them what you will, in plain language (given the target audience), without reference to complex formulae. Models have to be compliant with legislation including, amongst others, King III and the 2008 Companies Act.

It’s all about the emphasis though, which manifests itself in the company culture. Some aspects of the two hypothetical extremes are highlighted; more factors could be added. Before proceeding, please note that risk tolerance does not always partner customer-centricity; many permutations arise in real life. The linkage is being used in this article as a space-saving mechanism:

Model 1 – Risk averse / organisation-centric.

  • We are coming from a long history of corporate power and will only deal with those who cannot challenge us effectively.
  • We start with our structures, processes, procedures and return expectations and address our supply-driven (push) customer interactions later. It’s an intermittent process; we change when we are forced to.
  • Protection of our triple bottom line earnings is our biggest risk(s).
  • We use the ‘tough love’ principle on our staff who, through our leadership example, will then apply similar tactics to our customers.
  • We ignore our customers’ views; we know what’s best for them. Where else are they going to go anyway, to our friends down the road?
  • We prefer to de-emphasise business risk. Risk and Disaster Recovery planning is dealt with by the Audit Committee, the Compliance function, the Insurance Department and damage control is handled by the Corporate Communications Department. There is no Chief Risk Officer, Risk Manager or service quality standards or controls. We have flatter, simpler structures this way and reduce our expense ratio accordingly.
  • The savings we gain by taking a minimalist approach to governance and risk, along with the confrontational tack with staff and customers, are used to outsource almost all potential risk exposures and/or increase profit. Any funding shortfalls are passed on to our customers with the minimum of notice, regardless of the economic climate. This approach has worked for us for decades.

Model 2 – Risk tolerant / customer-centric.

  • We are coming from a long history of corporate power and are prepared to adapt our operations to prosper within the changing business environment, where customers and regulators have the power to inflict serious financial or reputational damage.
  • We’ll start with customer / stakeholder expectations, structure ourselves accordingly and reap the concomitant benefits from our demand-driven (pull) approach. It is a continuous improvement process.
  • The development of a satisfied customer / stakeholder base is the best prospect for sustainable success. Whatever interferes with the servicing of our income base represents our biggest risk(s).
  • We will recognise our customers’ and stakeholders’ views, especially staff, as a free source of potential sales, risks and opportunities. Customers generally know what they want even if they don’t know how to describe it and, if we supply it before our competitors do, then we will be seen as a market leader. If we don’t then our so-called friends down the road will take our best customers and staff, those who are prepared to speak up.
  • We actively manage our business risks to local and international best practice standards. The Audit, Risk and Compliance functions are separate. They interact freely, authenticate each other’s work and are represented on the Audit Committee. All functions have the means to report serious incidents or potential hazards to the Board, and/or external authorities if required, independently of Executive management. Business Continuity planning (BCP) is the direct responsibility of Executive management using input from all functions. The BCP is tested at least annually in one or more functions or branches of the company. The BCP includes draft stakeholder communications for distribution by formally authorised staff.
  • We have confidence in our ability to manage our actual and potential risk costs. Therefore we take a substantial self-managed deductible on all outsourced risk mechanisms. This reduces primary risk costs and secondary money-swapping administration expenses for us and our business partners, without greatly increasing our exposures.

Model 3 – Risk / Customer neutral or ambivalent.

  • All stops between models one and two, by design or inertia.

Corporate Governance came into being because there is an international need to prevent further power abuses, both major and minor. Corporate SA now has an opportunity to polish its image, to be the quintessential model citizen, in more ways than one.

Is there a better way though? Are refinements possible within the current system?

The King III guidelines are some of the best available so far. I favour the model 2 manifestation described above, as it is more likely to achieve the legislated aims and quickly adapts to further legislation, such as the 2008 Consumer Protection Act due for implementation in October 2010. I would prefer to be their customer or staff too. The difference is not so much in the structure though, it’s in the attitude. Extinction behaviour, ignore it and it will go away, works on people and opportunities, but not risks.

Call it tinkering if you like but the positive side of risk management is rarely seen or acknowledged. A quick and simple way to remedy this situation is to change the title of the Chief Risk Officer (CRO). Chief Risk Reward Officer is a more apt descriptor. You could probably think of an even better title. It immediately gives licence to the incumbent to deliver on a broader range of business options and clearly demonstrates to internal and external parties a more healthy, balanced portfolio approach.

It is also more realistic for the business to have a cost centre with an income and profit potential. It would be a more attractive prospect for candidates too.

Before closing, I believe that there will be an onus on private equity and non-profit business to demonstrate controls, including risk management, to those who deliver the annual audit or audit review opinion on your ‘going concern’, even though these two business entities are specifically excused from some of the provisions of the 2008 Companies Act.

So which model will you adopt to comply with King III, the 2008 Companies Act and other new legislation? Will you miss the business opportunities that come your way because of your structures, titles, attitudes or some other distraction?

Paul Brightman - ART (Pty) Ltd.

Creators of Risk Therapy.

+27 (0) 83 708 3634 & +27 (0) 11 646 2777.


ART is an authorised Financial Services Provider - FSP16339.
