The headache of how to update a company's risk management procedures in the wake of recent events shows no sign of abating.
Emerging risks, systemic risk, risk management effectiveness, developing a new risk culture — these are all issues which senior management is having to devote considerable brainpower towards.
It's worth however going back one step and remembering that risk stems from change. That's why companies should ensure that their critical activities are correctly aligned, regularly reassessed and able to identify and cope with the possible effects of change. The misalignment of such activities poses an enormous threat to any business and is potentially the greatest risk of all — as Mike Nolan of KPMG's Advisory practice explains.
One key learning point which I will be taking from this credit crisis is the danger of misaligned management activities.
The current discussion about risk should not be just about risk management. It should also consider the alignment of critical business processes such as strategy, goals, incentives, performance metrics, controls and risk. At its most basic level, consider what happens when strategy looks in one direction but incentives encourage movement in a different direction. The difference between the two positions poses a risk to the future health of the business.
In turbulent times like this, with companies indulging in massive upheaval and change — adjusting strategies, restructuring, reducing costs, transforming business models — the task of maintaining these critical alignments, ensuring that everyone is pulling in the right direction, becomes even greater. Failure to correctly align such aspects of a business can represent a very real risk in its own right.
Change almost always equates to risk; more so if change also results in a significant loss of alignment. Where risk does exist, it can be monitored and managed if alignment is maintained but will be greatly exacerbated if management reacts too slowly to restore that alignment.
In the new world of risk management, we may hear a lot more about the ‘velocity of risk'; a concept which, sadly, many Boards are now all too painfully aware of. It stems from the understanding that risk can evolve far quicker than we previously realized. The rapid pace at which risk can now manifest itself is what makes this challenge of alignment far harder than it ever was. Annual or semi-annual reviews of management activities will have to give way to something far more frequent.
Much is made of internal audit functions and the enhanced front-line role which they can have in the fight against risk. While that is true, this particular debate about alignment also brings the audit committee into the equation. As a body, they are well placed to ensure that management has in place the linkages between the array of activities that must be aligned (and constantly realigned) as significant changes occur and risks develop. The unique overview which their position affords them could make audit committees' role invaluable in the coming months and years. Intriguingly however, questions have arisen as to whether audit committees have the capacity and skill sets to execute an expanded role which is why many are calling for - or moving to - board level risk committees.
As an example of what I mean by alignment, consider what happens when a company's supply chain or distribution channels undergo substantial change as a result of the economic crisis. In itself, this change poses new risks to be managed, requiring new risk mitigation activities and controls. However, it may also require the adjustment of compliance plans and audit plans and perhaps the adjustment of incentives to ensure that all this is managed properly. In short, other parts of the business may need to be realigned to take into account the changes elsewhere. Doing one of these things without the other can exacerbate the risk which stems from change.
Needless to say, much of this thinking is rendered redundant if businesses are unable to spot the possible risks arising from change. At the very least, businesses should consider implementing a formal process to identify the significant changes — both planned and unplanned — taking place in the business and the risk that these changes pose.
While audit committees and / or risk committees will be tasked with ensuring that management linkages are in place, it will fall to the internal audit function, as an independent and objective evaluator of management's risk processes, to observe the genesis of new risks and how they are managed. To do this properly, it will need its ‘seat at the table' at the Board level — to make its voice heard — and the flexibility to adjust audit plans and activities as required.
Ultimately, this can all be distilled down to management; ensuring that goals, objectives and incentives are aligned throughout the business. This is a key step towards ensuring that the corporate risk culture is fit-for-purpose and that businesses can seek to avoid a repeat of the risk failures which brought us to where we are today.
Mike Nolan is the Global Head of KPMG's Risk & Compliance Service Group and a partner in the U.S. firm.
www.kpmg.com 
