Risk management in Etablissement Kazoza et Compagnie-Rwanda

2.2.4.2 Inputs to risk monitoring and control

Risk Management Plan: The Risk Management Plan is details how to approach and manage project risk. The plan describes the how and when for monitoring risks. Additionally the Risk Management Plan provides guidance around budgeting and timing for risk-related activities, thresholds, reporting formats, and tracking (www.anticlue.net).

Risk Register: The Risk Register contains the comprehensive risk listing for the project. Within this listing the key inputs into risk monitoring and control are the bought into, agreed to, realistic, and formal risk responses, the symptoms and warning signs of risk, residual and secondary risks, time and cost contingency reserves, and a watch list of low-priority risks (www.anticlue.net).

The Approved Change Requests: They are the necessary working methods and contracts. Changes can impact existing risk and give rise to new risk. Approved change requests need to be reviewed from the perspective of whether they will affect risk ratings and responses of existing risks, and or if a new risk is a result (www.anticlue.net).

Work Performance Information: Work performance information is the status of the scheduled activities being performed to accomplish the project work. When comparing the scheduled activities to the baseline, it is easy to determine whether contingency plans need to be put into place to bring the project back in line with the baseline budget and schedule. By reviewing work performance information, one can identify if trigger events have occurred, if new risk are appearing on the radar, or if identified risks are dropping from the radar (www.anticlue.net).

Performance Reports: Performance reports paint a picture of the project's performance with respect to cost, scope, schedule, resources, quality, and risk. Comparing actual performance against baseline plans may unveil risks which may cause problems in the future. Performance reports use bar charts, S-curves, tables, and histograms, to organize and summarize information such as earned value analysis and project work progress.

All of these inputs help the manager to monitor risks and assure a successful project/business ( www.anticlue.net)

2.2.4.3 Dangers of uncontrolled risk

Uncontrolled risks for any business/project may be summarized into financial loss due to product recall, customer defecation, fines, customer disfavour, bad publicity, workforce dissatisfaction, theft of money etc. While also, they can cause direct human sufferings like harm to staff and customers when caught with fire which appear accidentally within the company's premises ( http://portal.surrey.ac.uk).

2.3 Benefits of Risk Management

Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation (http://portal.surrey.ac.uk).

Risk management techniques provide the personnel, at all levels, with a systematic approach to managing the risks that are integral parts of their responsibilities. Also, a number of studies have been undertaken to identify the benefits that can be expected by those implementing a structured approach to risk management (Newland, 1997). These benefits include; better informed and achievable business plans, schedules and budgets, increased likelihood of business growth, proper allocation of risk through the contract, identification of best risk owner, improved communication etc. It is of paramount importance for each business company, development project to have a working risk management plan that help top managers to early identify and treat risks that may negatively or positively affect the business/ project. However, almost all writings are from the developed world and there is little third world experiences shared in risk management.

2.4 Challenges to risk management

Risk management challenges are implicit in a corporation's activities because risk events are typically uncertain. An effective risk management process helps a company's top leadership establish rules to prevent operating losses due to human error, employee carelessness, technological malfunction or fraud. To illustrate, a company's management may put into place internal controls and procedures as well as periodic internal audit reviews to ensure that employees comply with rules when performing duties. A risk management policy also may cover financial risks such as credit and market risks. Challenges that may arise in risk management processes may be significant if a corporation does not establish proper decision-making mechanisms, and internal controls are not adequate or functional. A functional procedure provides appropriate solutions to internal problems. An adequate policy instructs employees on how to perform tasks and report problems. Risk management challenges may include staff non-compliance with rules and regulations, technological problems due to software or hardware updates and inaccuracies that may exist in financial market data. Also, Challenges may relate to operational, technological or compliance risks ( www.ehow.com). Other challenges like market and credit risks are also common.

Very few organizations find enterprise risk management implementation easy. It requires a rare combination of organizational consensus, strong executive management and an appreciation for various program sensitivities. Despite the effort required, however, ERM is worth it because it forces most organizations to step back and identify their risks, which is one of the first steps to protecting capital and driving shareholder value. As boards and executive management evaluate ERM, however, they usually come away with more questions than answers. While each company faces specific concerns, the more challenging ERM issues are generally consistent across companies and are largely unrelated to industry, geography, regulation or competitive landscapes. By examining some of these common ERM challenges, as well as the creative solutions that have been applied by other organizations, management will be better equipped to develop and revamp their own enterprise risk management programs.

However, J. Negus (2010) insisted on 10 ERM challenges commonly found as the following: assessing ERM's value, privilege, defining risk, risk assessment method, risk assessment method, time horizon, multiple potential scenarios, ERM ownership, risk reporting as well as simulations and stress tests. 

1. Assessing ERM's Value

The issue: In an economy driven by positive return on investment, organizations often struggle to demonstrate sufficient ERM value to justify implementation costs. While traditional investment decisions are evaluated using common risk and reward metrics such as return on equity (ROE), return on assets (ROA) and risk adjusted return on capital (RAROC), ERM value drivers are less prescriptive. Despite growing guidance, ERM remains largely voluntary, resulting in a value proposition void of compliance language and regulatory encouragement.   

2. Privilege

The issue: An ERM program allows management to quantify the company's risks. As risk information becomes increasingly event-driven and dollar-based, company lawyers may raise issues regarding risk distribution to external regulators, auditors and constituents. Organizations must balance risk visibility and legal exposure.   

3. Defining Risk

The issue: One of the biggest challenges is establishing a consistent and commonly applied risk nomenclature. Any inconsistencies between risk definitions or methodologies are likely to jeopardize the program's success.    

4. Risk Assessment Method

The issue: Enterprise risk assessments are performed using a variety of approaches and tools, including surveys, interviews and historical analysis. Each approach offers its own value and drawbacks that must be closely reviewed to determine organization suitability.     

5. Risk Assessment Method

The issue: A key decision for many organizations is whether risks are assessed using qualitative or quantitative metrics. The decision is generally driven by the organization's industry, commitment to ERM, its view regarding privilege and overall cost.  

The qualitative method provides management with general indicators rather than specific risk scores. Qualitative results are commonly presented as red, yellow and green light, or high, medium and low risks.

Qualitative risk assessments are frequently favored because they require less sophisticated risk aggregation methods, mathematical support and user training, which means lower implementation costs. Conversely, qualitative results are commonly criticized for their limited alignment with key financial statement and budgetary indicators. Additionally, some critics suggest qualitative results are generally more difficult to interpret, which limits management's ability to assign accountability and remediate. 

6. Time Horizon

The issue: The time horizon of ERM risk assessment is largely based on the organization's intent to use ERM risk results and its willingness to invest in risk management.  

Many companies use ERM results for quarterly or year-end planning, while more sophisticated companies integrate ERM results into annual budgeting and longer-term strategic planning processes.  

The shorter-term time horizon (less than 12 months) is generally preferred as it requires less user training, provides increased risk estimation accuracy and is generally less expensive than the longer-term alternative. The longer-term solution is applied where management values risk visibility beyond the annual financial reporting period and additional time to remediate. Regardless of the approach, the risk assessment time horizon must be consistent with intended ERM program objectives.  

7. Multiple Potential Scenarios

The issue:  Consider the following scenario: The ERM team asks a respondent to assess the likelihood of counterparty default and its subsequent loss impact during the current fiscal year. The respondent determines that there is a 100% probability of at least one counterparty default with a low financial impact over the defined time horizon (high probability/low impact event). There is also a 5% probability of at least one counterparty default with a significant financial impact (low probability/high impact event) and several default scenarios with varying loss severity estimates (moderate probability/moderate impact). 

This situation highlights an issue associated with basic risk assessment methods most risks have multiple event likelihoods and risk severities.  

8. ERM Ownership

The issue: The question regarding who should "own" ERM is often unclear and commonly disputed at the board, audit committee and management levels.  

While there is no one single industry practice with respect to organization structure, ERM administration should generally be held by risk management followed by internal audit, finance/treasury, legal and various supporting departments (e.g., compliance, strategic planning).  

 9. Risk Reporting

The issue: Organizations often struggle with two risk reporting issues: 1) what information should be shared with various internal and external constituents, and 2) how should risk be communicated.  

10. Simulations and Stress Tests 

The issue: Stress tests allow management to assess the degree that business operations may be negatively affected by prescribed events and gauge the organization's ability to respond. While the concept is intuitive, organizations often struggle to balance the need for meaningful simulation and stress tests against a nearly infinite number of potential scenarios. Similarly, organizations frequently struggle to identify and predict unknown or unlikely risks (also known as black swans or game changers).  

2.5 Risk awareness among employees

All business institutions should have a vibrant risk culture. A healthy risk culture gives employees a stake in risk management. Employees' basic principles, values, and attitudes as well as their understanding of how to deal with risk shape a company's risk culture. An appropriate risk culture is necessary for corporate risk management procedures to work effectively (www.rsmi.com). This requires that employees directly involved in internal controls be fully aware of risks. For the company's internal control system to fulfill its purpose, employees must operate within a well-established, enterprise-wide risk culture. The tone at the top, the ethical atmosphere that the organisation's leadership creates is fundamental. This is imperative for all employees to become `risk aware' to evidence and ensure compliance ( www.safetrac.com). A risk aware culture is required to support and pervade the work ethic.