What is failure?
Failure is an outcome of an event that does not jibe with the expectation of the person. My own definition of risk closely resembles this meaning of failure. My risk definition is: “Risk is any happening, event, incident or occurrence that sabotaged, marred, thwarted or prevented the positive outcome of my dreams, aims, objectives, targets, goals, wishes, or expectations”.

Risk management objectives
The objectives of managing risks in an organization are to ensure that targets and goals are achieved, bottom-lines are fulfilled, shareholders’ values are enhanced, corporate governance and corporate social responsibilities are maintained, and goodwill, reputation and image are kept intact.

‘Must have’ versus ‘nice to have’
If you ask me what the option is today as far as risk management is concerned in any outfit, be it business or non-business: is it a ‘nice to have’ option or a ‘must have’ requirement? It is a ‘must have’ function for today’s and tomorrow’s way of corporate management going forward.

Despite the notion held by many organizations that risk management today and tomorrow is a ‘must have’ programme, failed or ineffective risk management is not uncommon. Why is that so? We review below the dozen reasons why an entity’s risk management programme fails.

Reasons for failures

I was conducting a course on anti-fraud awareness and risk management in Phnom Penh, Cambodia and Brunei not too long ago. One of the topics for group discussion or case study was how risk management can fail. The one dozen reasons that were summarised at those workshops are listed below.

Reason 1

Only rhetoric support from board and top mgt

The much-needed financial/budget and tactical/resources support from the top management and the board is not substantive. It is mere rhetoric, and the needed commitment and support are ‘surface appearance’, perhaps more to please the authorities and regulators, or to justify to them that their companies have such programmes or risk management journeys and commitments.

Reason 2

Poor understanding of risk fundamentals

The nomenclatures, definitions and general fundamentals and concepts of risk management vary among departments and senior personnel in the management.

Reason 3

Ill-planned risk mgt framework

The risk management framework is not properly designed, understood and implemented. This may be due to inadequate skills and know-how of risk management and best practices among the Risk Mgt Department’s (RMD) staff. Granted, the responsibility to manage risks on a day-to-day basis belongs to the various risk owners (the various business, operational and support units). But the coordinating role, as the driver of the various risk management activities and programmes, resides with the RMD. Thus this department has to play the ‘lead’, initiate the necessary risk management programmes, and design the organisational risk management framework, making sure it is not only relevant and best practice but also works effectively for the organization.

Reason 4

Risk-scoping for the macro and micro risk profiles poorly conducted

Reason 5

Little buy-in from employees and staff

The employees must know the value of risk management. How can risk management support them in meeting their goals, targets and objectives? If they do not take care of their various risks, their targets and goals will not be achieved, and their annual performance will be affected. So it is important to make the risk management function part of their overall KPIs (key performance indicators) for their annual appraisals. Many times this may not be the case. Therefore there may be only meagre buy-in from the employees/staff, resulting in risk management failing in that organisation.

Reason 6

More reactive and less proactive risk mgt approach

Risk management is a ‘going-forward’ kind of management function. It attempts to pro-act, to forecast what can and may go wrong (anything wrong is risk). The risk management function is to alert or forewarn the business and operations units in an organization to get prepared and be ready to prevent those identified inherent risks from occurring by putting in adequate and effective control measures or infrastructures. Or, should the risk event still crop up, the role of risk management is to advise on the relevant and cost-effective risk mitigants to minimize the negative financial impact on the bottom-line, or the adverse non-financial effects of that risk on the organisation’s image and reputation.
Risk management does, however, depend on past trends, events and occurrences as the base to review whether such types of incidents or risks will recur in the future. Using past data or event-happenings as a base to judge whether a similar risk event will crop up one day in the future is not the same as ‘reactive risk management’.

Reason 7

Peer review of risk mgt not carried out

It is well and good to know that an organisation has fulfilled many or all of the necessary requisites and infrastructures for a reputable and effective risk management architecture and function. But is that enough? Will that bring complacency? Has that organisation benchmarked its risk management set-up and practices against another player in the market? Are all the relevant best practices in risk management implemented or adopted, moving forward? Failure to look into this peer review and to exchange notes with other organisations in the country and abroad can also bring about a state of false bliss or complacency, which will be detrimental to the effectiveness of risk management because it has not factored in or managed the element of ‘change’ in the organisation’s internal and external environment.

Reason 8

Risk mgt function or contribution not effective from the context of users

Have all targets and risk management programmes been completed and implemented on time? Have all the deliverables and risk management outputs been produced and delivered for the use of the internal customers? Does the Risk Management Department (RMD) know its customers? When the Risk Management Department has the comfort that it is effective and relevant to the organisation’s management and board, on whose judgement or standard did it say it is ‘effective’? When was the last time RMD did an internal customer survey to find out how other departments in the organisation feel or behave towards it? Has it ever sent out such a survey, by the way? RMD is to serve the business units and other support units or functions in an organisation. It is also to support the overall management and the board. So really its customers are (i) the business units, (ii) other support units, (iii) management, and (iv) the board. If these four clients of RMD do not give RMD a good report card or good scores, then it is time to re-look at what else needs to be done or delivered, because as far as the customers are concerned RMD is seemingly not so effective. Risk management does not exist on its own or ‘per se’ but to support these four customers. Thus if they do not find effectiveness in the discharge of its functions, RMD has to re-invent ways and structures to best suit these customers, since effectiveness is from their point of view, not from the rationale of RMD itself.

Reason 9

Inadequate risk mgt resources

The resources needed for risk management to function adequately have to be in place and ready. The resources will be in the form of manpower, equipment, systems and other infrastructure. Are these adequate? Are the systems up to date and efficient enough to serve all and sundry, bearing in mind that the daily management of risks rests with the individual business and support units? Many a time the shortfall may lie not in people or manpower, but in inadequate risk tracking and monitoring systems, which are needed for risk management to function and to support the business units and other support units alike.

Reason 10

Meagre culture and awareness training

A working or corporate environment that is not conducive to risk management is a harbinger of failure of risk management. How does an organisation promote this conducive environment? Awareness of risks among all employees, senior management and the board is cardinal to the success of an effective risk management journey. This will create a good and conducive environment for the organization. Such a state of affairs engenders the important aspect of making sure that risk management and risk concerns get embedded in the organisation’s corporate and working culture. Such an operating culture makes everyone risk-averse, thinking of every operation, activity, process, transaction and documentation with ‘risk first’ in mind. With that kind of mindset, errors, omissions, defects and faults are likely to be non-existent or, at the very worst, minimised. The objective of risk management anyhow is to ensure that these errors, omissions, defects and faults are eradicated. Only then can organisations produce goods that are defect-free, and the service quality that consumers and users expect.

Reason 11

Failure to focus on change-management

Changes, as we all know, are indeed real risk issues that all organisations must be wary of. What is in vogue today will be obsolete and out of fashion tomorrow. With this down-to-earth understanding, one of the first issues to manage as far as risks in an organisation are concerned is the risk that changes to the business, operations and environment will bring. Any oversight or neglect in this area will make an organisation’s risk management not only weak but rather meaningless and futile, or at most the role of risk management can be seen to be merely perfunctory.

Reason 12

Inadequate risk mgt tools and infrastructure

When anyone goes to battle, the important thing to ensure is that there are adequate arms and ammunition available. These are the tools that a soldier uses in battle or combat. On the same rationale, risk management is akin to going to war. We are fighting the enemy that we have named ‘risk’. Do we have enough arms and weapons? Are our weapons relevant, effective and user-friendly? Are they cost-effective (bearing in mind that too expensive a weapon is also a risk to our financial constraint/budget; and worse still, this expensive tool may not help us a lot in defeating our enemy, i.e. ‘risk’)? Adequate, relevant, user-friendly, cost-effective or cost-benefit risk management tools in the form of control systems and procedures are what we need. ‘How adequate, cost-effective and relevant are they?’ would be the perennial question that we have to unravel. Not knowing what tools to use, or investing in expensive, less relevant and ineffective tools/systems, will produce a white elephant that would make the rest of the people in the organisation ridicule and bad-mouth the risk management set-up.