The Importance of Risk Management
- Dec 3, 2020
In this podcast, the first in a series of three, Nina Kelleher and Ray Soriano, directors in our Process, Risk and Technology Solutions group, discuss the rising frequency of regulatory fines and the importance of Risk Management.
Nina Kelleher: Hello, and welcome to EisnerAmper's Podcast Series on risk management. I'm your host, Nina Kelleher. And today we'll be speaking with Ray Soriano. Ray is a director in process, risk and technology solutions. Ray brings with him expertise in IT, cybersecurity consulting, governance risk and compliance services to companies in a variety of industries. In my prior podcasts, I discussed the future outlook of internal audit post-COVID-19 and what internal audit professionals are anticipating the role of the internal auditor to look like going forward. In this podcast, I'd like to focus on the importance of proper risk management. Hi Ray, thanks for joining me today.
Ray Soriano: Hi Nina. It's a pleasure to be here.
NK: Ray, I've been noticing a lot more regulatory fines for financial services related firms popping up in the news. We've heard of Wells Fargo, Citibank, Goldman Sachs, just to name a few. These are some long standing well-known companies. And while I don't want to talk about these specific instances, it's difficult not to notice that some of these fines are quite significant. What I do think would be great to talk about today is if you could discuss your opinion, if you're seeing some sort of common theme.
RS: Well, Nina, it's very interesting and unfortunate, these circumstances that have surrounded the pitfalls for these highly recognized brands. In particular, these financial institutions, you can imagine they're highly sophisticated and complex organizations. They likely have very competent and capable teams that are part of their overall risk management strategy. The pitfalls that these global and likely very sizeable companies faced highlight the need that any company, or all companies, regardless of the size, need to be mindful about risk management. And thinking about risk management not only as a point-in-time focus, but thinking about it as a programmatic and systematic reality that needs to be nurtured and routinely taken care of as part of the company's DNA.
Therefore, I believe companies should be prepared to apply appropriate rigor and persistence with their ongoing risk management approach. It seems that the risk management program should include proper design, implementation and maintenance for effective and relevant internal controls to reduce their overall risk to the business.
NK: Why should risk management be an important focus for companies if it's not already?
RS: Well, risk management is a simple process for, in my opinion, identifying all possible risks and contextualizing these risks to the importance for the overall business. It's critical to have a proper understanding of what the inherent risks are and where these risks reside within the business. I believe that a proper risk management approach will help you decide which risks are the most detrimental to your overall business and how the company and its constituents and shareholders should be impacted by those risks if they occur. Again, risk management should be taken into context and based on the overall company's risk appetite. It also should be considering the influence of regulatory requirements, perhaps localized social, economic, or other influencing factors. And all of these should be taken for the organization to assess as part of the risk management strategy.
In brief, I think that proper risk management can have severe impacts, like we've seen with some of these other larger institutions you talked about earlier, that they've had to deal with, and losses, and ultimately the fines that they've had to address.
NK: Can you share with us your experiences on how some companies have effectively managed risk and identified inadequate control measures, shedding light on any best practices that you may have seen?
RS: Yeah, sure. I think in part, the first place to start is with an overall risk assessment. I think the risk assessment will support your efforts to help you identify the risk. And when you're identifying the risk, you can ask yourself a simple question: what actually could go wrong? And then as part of that risk assessment, you're going to have to analyze those risks and that will help you get to, well, how can I be affected? Or how would all of my company be affected by this risk? Once you've determined how to address all those risks and whether you want to accept or go through the process of mitigating all these risks, you'll inevitably have to translate that to what should we do and how should we do it.
Personally, I feel this is addressed in a couple of ways. As we mentioned, through risk mitigation, and that, in short, doesn't necessarily eliminate the risk. It may only reduce the risk to the organization. And this means that it should be done through internal controls and proper thinking as far as how to minimize your exposure. The other approach is to essentially accept the risk and either be satisfied with whatever present conditions you have or realize that there are no controls that you can implement at a given time.
NK: Great insight, Ray. I've really seen some clients stumble with conducting a robust risk assessment. Sometimes they just focus on a portion of the business, such as their financial reporting controls and mitigating the risk of a financial misstatement. However, they've really fallen short at times with looking at the full universe of risks. Are there any last takeaways you want to leave us with today?
RS: Sure, certainly. Thanks, Nina. A few quick takeaways that I can offer to our audience members based on performing several of these risk assessments personally. And this includes, first, to not underestimate the value of conducting a thorough risk assessment. An organization that sufficiently plans and proactively performs risk assessments generally will gain more valuable insights into their potential impacts and the exposures that may influence their business. And it could be done whether these hazards are predicted or even unplanned. Secondly, I think as part of the risk assessment planning, you need to understand the scope and the applicability of the risk assessment to the intended stakeholders or constituents that are part of the program. By knowing your intended audience and the relevance of the observed risk affecting the parties, the organization can have improved clarity and context for their intended purposes and outcomes realized from a risk assessment.
This will lead to my third point. A well-designed and planned risk assessment will effectively provide the foresight of identifying and determining reasonable control measures to mitigate or manage inherent risks. And finally, using an independent and objective assessor to perform your risk assessment. The value from a neutral party is that they can help rationalize recommendations and control needs. More importantly, the neutral party can be an agent, if you will, to potentially counter any preconceived biases or assertions that have been formulated about the overall state of affairs and the risk posture for the organization.
NK: Ray, thank you for this valuable information. Thank you for listening to the EisnerAmper Podcast Series. For more information on this and a host of other topics, visit eisneramper.comax/prts and join us for our next podcast.