Organizations focus on preparing the risk management strategy and plan for the next year in the last quarter of the year. Normally, Chief Audit Executives, Chief Risk Officers, Heads of Internal Audit, Chief Information Security Officers, Heads of Compliance and Heads of Ethics are very busy in the last quarter finishing off the year-end targets, objectives and key performance indicators. The next year's strategy is developed from the previous year's reports, observations, balanced scorecards and risk dashboards.
According to Ateeya Manzoor, a simplistic risk management strategy focuses on the following:
1) Financials - Developing a budget and other cost indicators.
2) Operations - Preparing audit and review schedules. Listing out policies, procedures and manuals to be prepared and reviewed.
3) Resources - Formulating a hiring and training plan.
4) Knowledge - Developing knowledge bases, writing research papers and upgrading risk management tools and software.
Risk management has become complex and critical in the present economic environment. Without sophisticated and skilled risk management departments, organizations may face multiple disaster scenarios. Ateeya Manzoor believes that globalization, technology, the economic environment, regulators, competitors and the speed of change have all contributed to making business operations more complex. Risk management departments need to gear up and develop an annual strategy with these aspects in mind.
Suggestions by Ateeya Manzoor for preparing a comprehensive annual strategy are given below:
1. Break the Silo Approach
Depending on its size, an organization may have a number of departments focusing on risk management. Corresponding to the department heads mentioned in the first paragraph, these include Internal Audit, Fraud Prevention & Investigation, Compliance, Information Security and Business Ethics. These departments generally have some overlapping functions and turf wars. Silos are formed, and senior management has difficulty making sense of the various risk dashboards and reports presented by the department heads.
2. Determine Risk Philosophy and Appetite of the Organization
In some cases, the risk management departments present a risk dashboard to the senior management of the organization. If the CEO of the organization asks "Can I hold you on this? Are you sure that if these top 10 risks are mitigated, the organization will sail through the year?", the head of the department generally cannot say a definitive "yes". The answer comes with a "maybe", a "but" or an "if", but not a "yes". So the question is how a head of department should address this concern.
3. Understand and Integrate with Business Strategy
In a few companies, the annual strategies and plans of business and risk management are drawn up in parallel, with neither side knowing what the other is planning. The risk management strategy cannot be focused internally on the department. The risk department heads need to obtain information on the business strategy of the organization to understand strategic risks.
4. Assess Competitors' Strategies
The risk departments are generally happy with what they are doing and discover information about tools and methodologies from various institutes, periodicals, magazines and conferences. In a few cases there is some focus on the operations of risk management departments of competing businesses and organizations.
The above-mentioned points are those that can be easily incorporated to prepare a comprehensive annual strategy. There are a few other things that the risk management departments can look into. Some of them are introducing ERM, building the risk management department's brand and applying collective intelligence.