Publications & Articles
- Publications
- Articles
- Accounting (3)
- Banking (7)
- Corporate Governance (3)
- Financial Management (9)
- General (10)
- Marketing (1)
- Markets (19)
- Risk Management (73)
- Wealth Management (4)
- Islamic Finance (2)
- Financial Services Sector (2)
- Anti Corruption (1)
- Corporate Social Responsibility (2)
- Economics (6)
- Research (1)
- Bonds (1)
- Human Resources (2)
- Business and Management (1)
- Expert Opinion
IABFM Articles > > Risk Management > Why the timing of detection of problem areas in Risk Management is so significant?
Why the timing of detection of problem areas in Risk Management is so significant?
By M Salman Kahn
30 September, 2019
All organizations inevitably encounter challenges and events that test their ability to not only survive through a crisis situation but also demonstrate how well they are prepared in managing a difficult scenario when challenged. I would classify organizations facing challenges that would arise as a result of two distinct factors or reasons, i.e.,
- A series or cluster of events that take place over a period of time (most likely categorized as being 'low' or 'medium' risk severity)
- A single or multiple 'high' risk rated events occurring over a given time period.
- A single catastrophic or 'severe' risk rated event challenging the very survival or reputation of an organization.
Based on the above types of events that could eventuate or happen (sometimes with warning or altogether suddenly), what is most important for organizations in relation to these events? Before I talk about the importance of 'timing', it's important to clarify at the outset that I am only referring here of risk events that are well within an organization's control in terms of remedial measures or actions that could be taken to mitigate or manage a given risk event. There will always be risk events that are at times outside an organization's control that I am not factoring in here for the purpose of analysis. Such events could be a major stock market crash, a major damage to infrastructure due to an earthquake or a major rare virus attack on a system for which there are no available fixes available.
In terms of the importance of 'timing', when a risk event arises, there are some key information elements that need to be captured ie, date and time of a risk incident or event, where and why it happened, who was responsible and what impact it had. However, what is most important in relation to timing is as follows:
- 1. For those organizations that are have advanced risk management analytics and detection capability and have a proactive risk management driven approach, more often than not, the staff within the organization should be able to understand that 'there is something wrong' or just as we know in the medical field ' be able to understand the symptoms' before the disease strikes.
- 2. For those organizations that are still on their risk maturity journey and do not have the advanced tools and capability to detect a risk event before it strikes, the timing of capturing the risk event is 'key' and any delays in identifying the risk event and taking timely remedial action can easily escalate into a full blown crisis.
So why is timing so important regardless of the state of risk management maturity or capability of an organization? It's important for 2 key reasons, namely,
- 1. It allows organizations to reduce the impact of the risk event that otherwise could be much more in case of delays in identifying the risk event.
- 2. It allows organizational staff to enforce and develop a culture of 'proactive' risk management as opposed to a 'reactive' risk management approach. Most organizations predominantly react only after a risk event has taken place or take action far too late by which time, irreversible damage has been done or where the reputational damage has been significant.
This naturally leads us to the next question as to what organizations can actually do to improve their timing and detection capability of risk event or incident detection. In my opinion, there is no easy answer to this and any meaningful risk event detection and identification capability rests on a multitude of factors that can include the following:
- a. The quality and effectiveness of the Risk Management Governance structure. The role of the Board, CEO, CRO and Management in enforcing a proactive risk management culture is key. 'Tone from the Top' is key here.
- b. The Quality and Effectiveness of the staff or human resources residing not only within the risk management function but across the organization including internal audit.
- c. An effective reward mechanism that consistently and continuously promotes proactive risk management detection and reporting. Regardless of whether we are referring to any of the 3 lines of defense of an organization, those employees that demonstrate and add the most value to detect and prevent risks from impacting should be rewarded for proactive risk management behavior. Here, I am referring to a 'Conduct Risk' mechanism where good conduct is always appreciated and supported by the Board and set as an example for others to follow.
The process of adopting best practice timing in risk management takes both time and effort and one that is often learnt from experience. There is no prescriptive recipe for adoption of best practice timing however, the starting step on this journey will always need to begin from the first step of 'recognizing' that timing of risk event detection is not just detecting a risk event 'after' it has happened but having the ability to be able to detect an event that is likely to surface before it has even occurred.
This is one among many of the steps in excellence in risk management.
Reproduced with the kind permission of Mr M Salman Kahn
