The concept of Enterprise Risk Management (ERM) is viewed and applied differently by many corporate organisations around the world. There is no global definition for ERM, as everyone in the industry who has implemented it has done it in a different way. However, through my experience, I have noted that most organisations in the industry have a common understanding when it comes to ERM and the same applies to law firms. That ERM involves a process where a Risk Manager or someone charged with managing risk in the firm or organisation creates a framework document or methodology that is consistently applied to different types of risks across the company and then allows that person on a quarterly or bi-annual basis, to collect risk information and discuss with business units, project teams and so on, the various risks that are seen by all the stakeholders that may impact on the organisation’s strategic objectives. The risk manager or the person charged with managing risk then applies that consistent companywide framework or methodology to those different risks and creates a consolidated company risk profile, that shows the overall picture. This approach has nothing to do with proper effective risk management of a firm.
I submit that the way risk management is handled in a firm should be different within every organisation or firm. Instead of creating a single framework or methodology for different types of risks, decisions, or activities in a firm, it is better to have different types of methodologies that are all consistent in terms of risk management principles, which are aligned to the ideas of the ISO 31000 standards by the International Organisation for Standardisation and all go through the same process of identifying, assessing, and mitigating risks. In addition, for every different activity there may be a different set of tools and techniques for assessment and different options for the mitigation of risks. When risk management is embedded in the decision-making process for management, there would be no need for the firm’s risks to be assessed on pre-set times, such as on a quarterly or bi-annually basis.
It is important to note that risk should be analysed at a stage when a company or firm is about to make an important decision, for example, there should be a different methodology for risk-based budgeting, that should be followed when the budget is being prepared and before it is approved, there should be some proper risk analysis as part of it. The same goes for investment management, where a different risk framework or methodology should be implemented when deciding on which projects or investment portfolios to invest in, on the best deal structuring and exploring the alternatives in different markets, a proper risk analysis should be carried out. Furthermore, the risk assessment of different processes or activities maybe done using different set of tools and techniques. It is recommended that organisations or firms must have several risk methodologies that are aligned with the same principles of managing risks, with different risk checklists, different tools, and different risk considerations, this will improve the quality of decision making.
Legal practitioners are constantly facing many challenges and/or risks in the industry that are threatening their existence or survival in the economy. Such challenges include cyber threats, unreliable and deceitful clients and without proper risk management, legal practitioners may escalate the downfall or collapse of their firms. For example, it is important to perform a proper due diligence or risk analysis before accepting a new client and the constant checking and verifying of information for existing clients so as ensure that the firm’s risks have been mitigated or managed to a reasonably acceptable level by management.
There are many ways in which risk management improves the quality of decision making and in the following article ‘3 Ways Risk Management Improves Decision Quality’ (www.eagleedge.com.au, accessed 5-4-2022) three ways are listed wherein risk management improves decision quality as follows:
Cognitive biases are systematic mental errors, which place limitations on how we view the world around us, leading to errors in decision making. Risk management plays an active part in removing these mental errors from decision making with a two-pronged approach.
First, when risk management is injected into decision-making processes, objective data is leveraged more heavily than subjective information. This helps to bring accurate information to the table to ward off “gut-felt decisions” or intuition from past experiences that can lead to poor decision quality.
Second, risk management processes encourage open discussions on current and emerging risks. This helps to bring cognitive biases to the forefront where they can be identified, addressed and discarded, leading to improved decision quality.
The risk management process helps decision makers explore and select the best alternatives related to a strategic choice. The overall goal is for business leaders to consider all the potential consequences of a decision – or all decision alternatives for that matter – before making an informed and intelligent judgment. Exploring alternatives has an organic way of helping stakeholders think long-term on how a certain decision will play out versus the other options on the table.
These mental processes help to reduce decision errors while increasing insights that improves decision making even more. When a risk assessment is conducted on each option for a decision, quality improves, which increases the probability of more welcomed outcomes.
As business leaders go through the risk management process, the information collected can be used to assist with decision making, leading to improved decision quality. If all stakeholders involved in making a strategic decision are aware of the risks, this will help decision move in a direction that is more calculated. This can also be used as a strategy to always ensure decisions are fitting within the risk appetite set by leadership and internal departments.
As every decision comes with risks of failure it is important to understand what less than ideal outcomes could result. Decisions should be made to ensure the company stays on the path to achieving the intended objective or goal. In the end, risk management gives leaders the tools to increase situational awareness of the world revolving around a specific decision.
Businesses are constantly searching for ways to improve decision making to optimise performance and reach strategic goals. Risk management is a value add-on that increases decision quality through open discussions on risk sources that can lead to goals not being achieved.’
The moment risk management information becomes disconnected from some sort of management process or activity and once it becomes risk information for the sake of risk information, once it becomes a separate agenda on a board meeting, discussing risks of the company, separate on discussing strategic goals, separate on discussing investment activities and budget activities. Risk management will be viewed as a separate standalone activity. It will be viewed as just another item on a performance review, and nobody will really take it seriously in an organisation. Risk management is real when it is not an objective, but when it is a step in a process of something important in the business.
Joel Zinhumwe (FP) SA CFE Bcompt (Hons) Accounting Science/CTA (Unisa) BCom (Hons) Accounting (MSU) is a Practitioner Support Supervisor at the Legal Practitioners’ Fidelity Fund in Centurion.
This article was first published in De Rebus in 2022 (May) DR 12.
De Rebus proudly displays the “FAIR” stamp of the Press Council of South Africa, indicating our commitment to adhere to the Code of Ethics for Print and online media, which prescribes that our reportage is truthful, accurate and fair. Should you wish to lodge a complaint about our news coverage, please lodge a complaint on the Press Council’s website at www.presscouncil.org.za or e-mail the complaint to enquiries@ombudsman.org.za. Contact the Press Council at (011) 4843612.
South African COVID-19 Coronavirus. Access the latest information on: www.sacoronavirus.co.za
|