Thursday, January 01, 2009

Lessons Learnt in 2008 and Looking Ahead in 2009

Happy 2009 to everyone and Good-Bye 2008!

I doubt if any risk manager would or could have anticipated the extent of events that had unfolded in 2008. I certainly didn't, and most of us in oil and gas, cushioned by crude oil prices reaching new highs, felt we were insulated by what really began in as early as 2007. I think we are all still reeling from the impact of events as we navigate ourselves, in our personal and professional capacities, to steer the ship to ride this storm.

What was unimaginable happened and having experienced this organization's weathering through the 1998 Asian Crisis and the 2008 Credit Crisis, these crises ultimately in my view, will have long term implications in shaping the practice of risk management.

There will be a series of risk management areas that I will be writing this year focussing on scrutinizing our own risk management practices and what we should be doing in shaping the practice of risk management in this organization.

I would like to begin with the topic of risk governance. Risk governance is the key element in risk management that sets the foundation for the remaining key elements. It is the glue that holds together the remaining elements in risk management. Without risk governance our efforts in risk management becomes futile.

What is risk governance? When we mention risk governance, we conjure images of risk management structure, principles of independence, creating a risk culture, developing risk capabilities etc. While these are crucial elements in risk governance, I am of the view that at the core of risk governance is that risk management must be given equal seat in any business decision-making process and treated at par with the growth and profitability strategies.

In the past risk management is treated as a process that each business activity or strategy undertakes to perform, identifying potential risk events and potential mitigation strategies and typically takes place in the form of workshops and templates. Unfortunately, the good intentions of these processes gives us a false picture or assurance that the risks are always mitigated. Now the reason I say that is

  • Who monitors the effectiveness of such mitigation strategies?
  • Who monitors the appropriateness of such mitigation strategies in the event of a stressed situation?
  • Who re-evaluates whether the risk events and therefore its risk mitigation approaches and strategies are still relevant to the current situation? How quick do we respond to a certain risk event?
  • Who executes the risk mitigation strategy? Given the multi-disciplinary experts required to manage such risks, who coordinates these collaborative approaches?
  • Are our risk management talent empowered in a way that they have the ability to say "No" and business decision-makers pay heed to risk management because they bring value to the discussion table?

Who holds the answer to these questions depends on the risk governance approach and design of the organization.

  • Is the risk culture pervasive enough that each business will be able to monitor the impact of risk events and trigger a chain of command to respond appropriately?
  • Is there a risk management function at the business level that will work closely with the business decision-makers and act as an enabler to manage such risks?
  • Or is there a role for those in Enterprise Wide Risk to play an intervention role when a risk event is triggered and before an action is taken, the impact to the Group is quickly assessed, rather than making a marginal business decision?

To be continued

No comments: