IERP® Monthly Newsletter Issue 30 December 2021 | Page 31

Detailing his professional risk management journey, Ahmad said that what used to be a quarterly reporting exercise developed into full-fledged integration of risk management into the processes and procedures of the organisation as he developed a more comprehensive understanding of what was required with ERM. Acknowledging that it was a challenge, he said that understanding where the organisation was, in terms of ERM, was fundamental to identifying gaps in its risk management, and was crucial to helping it achieve the necessary risk maturity levels.

 

Adding that in the early days, people didn’t see the value of risk management, but it developed over time and got buy-in from the management team. The most important thing was the tone from the top and the use of Risk Focal Persons in various departments to further the risk management agenda. When he was developing the risk management function, Zulhisham said that he interviewed all divisions in his organisation to understand how things worked, then presented a Risk Report to management, to start the risk discussion.

Responding to a question on how the lack of resources, especially personnel, could affect the take-up of risk management, Nurul said that one way of overcoming this was to put Risk Focal Persons in place to better influence the perception of risk management; staff resources could thus be shared (instead of one person doing all the work). Asked how organisations should ensure the risk management function is operating as intended, Ahmad advised the use of a structured, customised framework built on in-depth understanding of the business, and ongoing measurement against established standards.

 

On how risk owners and risk managers should deal with risk ownership, Nurul said that mindset change was critical to understanding this, adding that management could impose requirements for risk management, so that staff understand the long-term effects. Commenting on how to differentiate between risk and the impact associated with the risk, Ahmad said that risk managers looked at enterprise risk while risk owners looked at business risk, and the part it plays in achieving the organisation’s objectives.
