Risk management is a vantage point of perception, which has now become endemic. Almost nothing gets done without some reflection on the risks involved. Progressively, it is being remitted to the audit function. Yet, it is not bound by it. Concerted attempts are being made to widen and deepen its operations. Historically speaking, the area received the first formal limelight when corporate regulatory agencies made it mandatory to have a function with this “title” in all listed companies. The aim of risk management was to have a separate identity. It was envisaged that under his/her overall control, the risk management wing shall carry out its responsibilities and he/she would at least have the rank of an executive director of the company. If any listed company actually institutionalised the structure of this silo with all the nuances of risk a process, the experiment is yet to be documented. In the meanwhile, the area grew both in terms of quantum of attention and the range of activities. Skill formation in this area was still weak and not surprisingly, many with little understanding or insight, entered the domain.
The method followed was usually simplistic. The way of listing risks usually followed the narratives of some key people and their perceptions. It was then categorised into high moderate and low risks. The “juggernaut” rolled on and very often, there was more noise than light. What this method yielded by way of results was not clear to many. More complicated was the fact that there were no established standards against which its efficacy could be evaluated. Only a detailed review at a subsequent point of time could establish this. The process is still in the making
The “notable” consulting companies (especially those with non-Indian names and linkages) made a killing. Their demand was high. Special magical attraction was for such firms that had connects with the Atlantic rim institutions. More specifically, and professionally speaking, any delineation of “risks” should have followed an enunciation of risk management and mitigation policy at the board level. This in turn should have been followed up by the immediate next executive level to remarket, internally in the organisation, the areas of risk.
Areas of defined unpredictability and risks could have been identified and specific episodes could have been sighted, where risk was visible. This would have led to a robust delineation of the risk terrain. Customised training programme would then have to be designed to cover the foot soldiers of that area and above. This would have made the orientation and processes more professional and rigorous. No such thing happened in many cases and in several such cases, training programmes were launched in very general and commonsensical terms. Sometimes this was in imitation of what had been attempted in another organisation, in another cultural context. There were cases where this was done without a policy statement on the risk in place in the organisation.
Pointing this out by well-meaning professionals did not always yield results and was often discouraged by the top management, who were keen to demonstrate their conformity to a given directive. Incidentally, the directive, like any similar exercise, could have been only a statement of intent and could not have substituted for a policy statement. If there were people at the top, who saw this contradiction or were worried about it, they took care of not to show their anxiety.
In the process, perhaps, more damage than help was caused. But that’s another story. Usually, the financial, economic and material indicators of risk got flagged. Illustratively, where relevant foreign exchange risk was listed. Similarly, if there was inflation, the trend was cited as a risk. Similarly, losses in inventory and poor quality products got listed as risks because market would not be tolerant to it. What was often left out was a broader risk of skill deficiency at multiple level of organisations or the sheer ineptness of the CFO. Few people understood the problems of a badly designed job description and even fewer saw it as a matter of great concern. The organisation flows were often not identified and, hence, the bottle necks to productivity and results could not be pinpointed.
At the end of the day, risk management became fashionable but its integration to the overall strategy formulation was low. The situation was further compounded by the sheer absence of any assessment of the risk management process. The highest level of the organisation was happy to receive the “results”. Perhaps, a decade or so down the line, it became obvious but there was a lot of effort with no commensurate outcome. The issue is still being tackled. In the meanwhile, the risk registers are being compiled. The risk matrices are being created and who knows, one may even begin to see a sense of direction sooner than later?
(The writer is a well-known management consultant)