12 September 2022, reading time 7 minutes
Risk management happens mostly behind the scenes. There is a perception that the subject is only
relevant to big corporates. And that risk mapping is only about financial risks. The fact is that the
work of a risk professional is important for everyone. For employees, but also for clients and, in some
cases, even for society as a whole. In this blog, we discuss the topic of risk management from
different perspectives. Because every organisation consists of people, processes and many other
things that affect the survival of the company. Our consultants, for example, make an important
contribution to the risk management of our financial system every day at operational or strategic
level. And the same is probably true for you. Here's why...
Risk management in a business context is primarily about the planned anticipation of hazards within
or for an organisation. To support risk professionals in this, there are frameworks, including Kaplan,
the Three Lines Model (3LM), the Dutch Governance Code, the Baseline Information Security Government
and the Watermelon model. All have the goal of making risk management practicable and, within it,
properly informing and involving all stakeholders within an organisation in the risk management
process. After all, the main mission of a risk manager is to have a complete view of things that can
have a negative impact on the company's bottom line, and then to quantify them. And there can be a
lot of those risks.
Consider a scandal that causes enormous reputational damage. This is not only a nightmare for the
PR department, but also something a risk manager tries to avoid, or has already factored in if risk
management is well organised. Think of the diesel scandal at a well-known German car manufacturer
or the junk mortgage trading of some US banks, which led to a global financial crisis in 2008. These
are examples of operational risk and financial risk respectively. One took place at the heart of the
organisation, the other had direct consequences for the financial position and survival of the banks
themselves.
These examples are certainly not exhaustive. Cybercrime and strict GDPR (AVG) requirements pose risks to
organisations' IT infrastructure and the privacy of customers and consumers. Within organisations, all
work processes must be set up in such a way that consumers, laws, employees and watchdogs
have no cause for dissatisfaction. And that is a big job for any risk professional. In short, risk
management can be about the investment policy of a pension fund, but also about how the
marketing department of MediaMarkt deals with your payment information.
So risk management requires full attention to what is happening within the company at policy,
process and product level. A risk manager is also aware of what is happening in the market, for
instance in terms of legislation and innovations. A company that does not keep up with the times
sufficiently runs the risk of offering outdated products, using outdated systems and thus losing the
competition in the long run. This makes risk management perhaps the best remedy against tunnel
vision and ostrich politics.
The risk coin also has an opportunity side. Because focusing fully and continuously on the dangers
also offers opportunities. Knowing what the risks are gives perspective for solving problems,
sometimes even before they arise. Having your risk models in order gives insight into themes that
should be on the agenda of an organisation's management in the short and long term. This allows the
risk manager to be a supplier of important input for boards and policy advisers.
To help companies with risk assessment, general standards have been created, such as the
International Standards Organisation (ISO) standard. Such standards not only provide risk managers
with guidance on risk management and compliance, but also provide companies with certification.
Complying with the standard and receiving the stamp that goes with it instils confidence in
(potential) customers and partners that corporate risks are being addressed. Such "proof" of good
risk management signals that information processing, systems, legal compliance, financial records and
privacy within the organisation are in order. This is why you often see the certifications displayed on
organisations' websites; they also provide reassurance in due diligence investigations prior to
mergers or acquisitions.
Because many companies are profit-driven and because every organisation, public and private, has to
be efficient to maintain its right to exist, risk management always has an important financial
component as well. An important consideration in any risk analysis is therefore: what are the
financial implications of this risk? In short, a risk is not really properly identified until it is quantified.
One industry where financial risks in particular receive a lot of attention is the financial sector.
Together, banks, insurers and pension funds manage billions in corporate and retail assets. At both
customer and investment level, financial service providers must therefore put in place the necessary
checks and balances.
If we zoom in on banks, for instance, risk management has a business and strategic as well as a
societal function. The Financial Supervision Act (Wft) and the Anti-Money Laundering and Terrorist
Financing Act (Wwft), for instance, ensure that core employee and customer processes comply with
legal requirements and standards. But besides carrying out, for example, customer investigations into the
origin of money and assets, bank employees (actuaries, risk managers, auditors and risk consultants) also
deal with strategic issues. They do so by, among other things, reporting on income, expenses,
investments and predictions for the future. One protects society from rogue customers, the other
protects the organisation from bad policies and external risks. But both have the special attention of
the risk manager.
Let's stay with banks, because risk experts at these institutions must constantly make trade-offs based
on numerous variables and scenarios. Think of economic trends occurring in the capital market, or
demographic developments within society. A pandemic may be harder to predict with a
mathematical model, but the risk manager who makes some allowance for it proves that there are
few risks he would overlook. Since risks almost always have a financial consequence, it is advisable
for organisations to be able to absorb a financial hit. For the big banks, this is even more important
because of the too-big-to-fail principle and the disruptive effects of failure. Good risk management
helps with this and is an interplay between the risk professional and other stakeholders within the
bank.
Risk managers engaged in identifying potential threats cannot do so without solid information. Data
collection is therefore an important part of a risk specialist's work. Getting that information can be
done in several ways. In particular, the workshop method focuses on training employees.
Overcoming risk by placing knowledge and responsibility low down in the organisation is the best
way to mitigate risk, according to some experts. Other methods include risk self-assessments using
staff questionnaires and the watermelon model. Here, the risk consultant draws up the "key risks and
controls" and submits them to staff primarily responsible for related activities for supplementation
and review. Again, risk management is an interplay between the risk professionals and the rest of the
organisation.
Not all data is found internally. Depending on the type of organisation, news, company
information, sanction lists and PEP (Politically Exposed Persons) lists can also be relevant sources of
information for a risk manager. A risk professional who uses these will also be less likely to suffer
from the tunnel vision and ostrich politics that sometimes lurk as long as things are going well. A
good risk manager appreciates the good, but takes into account the worst.