Inheriting risk and residing with it
Contributed by Abhishek Paul
Has it ever happened to you that someone has told you their secret and asked you not to share it with anyone else and you have shared it with no one else but one and that cycle continued?
Risk though has a perpetual existence in some way or form but the scenario above will help you understand the perspective of having Inherent or residual risk. The person who has kept his own secret with himself and to avoid the fact of leaking it out decides not to tell anyone is his/her way or process of managing the inherent risk of loss of information through a simple control of not speaking about it, and the residual risk here is the one person to whom he/she decides to share the secret with assuming that person wont tell anyone but there is no way to control that.
As a risk management professional it does at times get difficult to explain such basic or fundamental concepts due to the complexities of modern day definitions but in essence it is as simple as you want to understand it. Inherent risk is what you inherit from the risk exposures of surviving a business with the dynamic internal and external environment. You may feel that regulatory stipulations can adversely impact the way your business appears to the regulators and choose to practice very strict controls to prevent any non-compliance and that is what inherent risk is all about. When you do a risk assessment for your business all that you do is perform horizon scanning which is like looking at the sky for clouds and anticipating whether it will rain or not and if you are planning to go out carry an umbrella accordingly. You are not expected to be able to get it 100% right on predicted outcomes but you are also not expected to not consider it at all. Its more about taking reasonable due professional care and responsibility to ensure that the inherent risk factors don’t expose your business or function to risk beyond your current risk appetite. Doing a self review of identifying the key risks to your business or function and deciding whether to tolerate, transfer, treat or terminate a risk is not a very complicated task, it is just being conscious of the vulnerabilities of operating a business and being cautious.
When you go for a vacation with your family, do you not usually check the weather conditions of the place you are going, the hotel that you will stay at and reviews thereof, the money that you should carry to help suffice in case of need and may be even take travel insurance, that’s exactly what a risk assessment requires you to do, look at your key risks check whether that is a risk which you would be able to tolerate, transfer or terminate and if not treat it with appropriate controls and operate them regularly and if you have the luxury of getting the same tested by an independent assurance team and internal audit them work with them to get your controls right before it’s too late.
So once you have performed your risk assessment on your business or function, you should have a pretty clear list of all the possible key risks that your business is exposed to and as an owner of all those risks you then would need to design some controls around it and also operate those controls from time to time to ensure that you are doing what you are supposed to be doing to treat or mitigate the inherent risk factors.
When you do perform testing on your internal controls you would also be able to identify some residual risk that still remains to be treated or tolerated despite having the controls you have placed. If the risk of loss arising out of the residual risk is substantial and beyond or original risk appetite then you do need to further enhance your controls and if they are tolerable then you probably can do it with an acceptance of the residual risk without any further action. For example, To avoid the risk of loss of your car being stolen, lets say you implement a control of putting a gear lock or a clutch lock, but does that notify you in anyway if a burglary still happens and the burglar still manages to break the locks, so this risk of loss that still remains despite having a control in place may be called as your residual risk. Now lets say you further strengthen the security and you install a burglar alarm in your car and also a GPS tracking device and a cctv camera, these will also further enhance the security and apply more deterrents to prevent the burglary or even track who the burglar was and identify him and find the car as well, this would have now further reduced your new inherent risk to tolerable residual risk which may be more acceptable.
In some instances you may also decide to transfer the risk by taking insurance and outsourcing some of your operations and alternatively you may also choose to terminate the risk if it is not treatable or subject to transfer like shifting the country of operations due to political unrest or increasing terrorist activities.
All this put together is what is called your risk assessment that identifies and defines:
1. Your inherent risk with likelihood of occurrence and the impact of anticipated loss.
2. Your current level of risk appetite and tolerance as on date (this is dynamic and keeps changing and hence the need to review your risk assessment on an agreed frequency.
3. Your approach towards risks that cannot be tolerated and may need to be transferred or terminated.
4. Your controls to treat or mitigate tolerable risks which are inherent and currently at an unacceptable risk appetite level but are expected to be within appetite with the implementation or some controls.
5. Your anticipated residual risk post implementation of controls and assuming they are designed and operated adequate and effectively.
As a risk manager in the 2nd line of defence what you should understand is that your role is not that of internal or external audit which is fault finding and qualifying observations, your role is to work with the business or function to help them look at risk exposure from a fresh pair of eyes and make their risk assessment more accurate to enable the risk appetite to be well defined and highlighting any factors that may have been missed on the original risk assessment. If I may say so, if the business or function (1st LoD) are supposed to do the risk assessment to analyse their inherent risk then 2nd LoD is supposed to review and challenge the risk assessment and ensure what is classified as inherent or residual risk is appropriately captured as the role of risk management or 2nd LoD is not to work reactively but proactively and build a risk culture through review and guidance from a 2nd perspective and enable building a strong risk culture and control environment to protect the business from all tangible or intangible exposures that can be reasonably imagined. I feel that if internal controls are found to be inadequate or ineffective then it does not reflect poorly on the business or function rather it reflects poorly of the 2nd LoD as risk management is the core job of the 2nd LoD whereas 1st LoD also has additional responsibility of running the business as well. Risk may be owned by the business or function head but that does not mean that the ownership of the risk of the 2nd LoD is any lesser. Every organisation which has been able to understand this concept of risk ownership at every level has had exponential growth even in the weakest economic times.
Inheriting risks is unavoidable but residing with it is. If you would truly want your organisation to respond to risks quickly you need to first build a strong risk culture and then encourage people to make risk based decisions and making risk simply the way we think.
Some formal education on risk management can definitely help us in looking at it and understanding it from a completely different perspective. I speak out of my own personal experience and I truly feel that there is a vast potential that may be hidden within the organisations to upskill their current teams and enable them to think differently and make a very strong internal governance framework that will effect the longevity of survival and existence of every organisation.
