Thinking ahead A properly developed and tailored risk-management plan entails a thorough understanding of the liabilities at play In 2014, Sappi’s KwaZulu-Natal plantations were burning. The company was losing millions to arson-related fires that kept rekindling throughout the year. The latest in fire-detection technology had proven ineffective and the efforts of a team of expert fire investigators seemed futile. Sappi eventually called in the help of a communications firm to search for a solution closer to the source of the fires: the suspected culprits in the communities close by. ‘We had one question to answer,’ says Angy Kgaditse, communications consultant at DevCom. ‘Why were community members setting fire to the forests?’ Developing a risk management plan starts with stakeholders identifying possible risks to the business or a particular project, then only can you start coming up with resolutions. ‘This will be the baseline for your risk resolution action plan,’ says Kgaditse. Founder of 10X Investments Steven Nathan says prevention can only be possible if management fully understands the business and the various complexities of the business. For the most part, risks extend beyond immediate identifiable factors such as cybercrime or plantation fires. CEO of the Institute of People Management, Jerry Gule, says that while risk assessment is generally practised in large companies and formal organisations, ‘assessing risk should be devolved to the lowest unit – the individual – for it to have real meaning and impact’. In fact, he adds that ‘if individuals took a moment to assess the risks of whatever action they are about to take, failure would be extensively reduced’. Risk management systems should identify the risks in the functional units of an organisation and must give informed input to stakeholders so they can devise effective risk responses, says Vijay Gopal, head of the banking, financial services and insurance unit at Sensiple, a fintech company based in New Jersey, US. The Institute of Risk Management South Africa (IRMSA) releases an annual risk report based on workshops and surveys conducted with risk-management experts from every major industry – private and public – in SA. Over the past three years, cyberattacks and data fraud; government policy, legislative and regulatory uncertainty; and unmanageable fraud and corruption have been among the top 10 industry risks, in addition to profound political instability and a skills shortage, including the ability to attract and retain top talent. The IRMSA notes that ‘risk treatments need not remain the sole domain of those charged to address it, given the increasingly complex risk landscape’, and that companies shouldn’t hesitate to call in the help of external professionals. As for external environment risks, where risk responses are limited, the IRMSA explains that strategies should be assessed, and resilience and business continuity plans must be evaluated and developed to deal with and view these risks differently. Gule says there are processes companies should consider when setting up a risk management plan. The main four are comparative analysis (reviewing performance against the business plan and understanding what accounted for the difference); policies and procedures (reviewing how these were applied and complied with, and changing them where required); environmental factors (assessing those factors that could have an impact on business operations); and monitoring and evaluation (internal auditing to identify how controls are being implemented and their impact on the business). Capitec executive director of risk management Nkosana Samuel Mashiya says the Capitec board follows a risk management protocol of identify, measure, manage and monitor. The solutions for managing these risks are to first analyse the risk, measure the impact and likelihood, and then manage the mitigation to acceptable levels of the company’s risk appetite. The risk team then monitors the defined risks to keep possible incidents within pre-set risk tolerances, he says. ‘The first step is to determine the board’s required rate of return, which helps define the risk programme,’ he says. ‘We scope the risk universe and create a framework of oversight and management that is eventually formalised by a set of risk policies. Risk management should serve as the conscience of the organisation.’ The risk team at Capitec uses the Basel III standard (which requires financial institutions to maintain sufficient cash reserves to cover risks incurred by operations) as the backbone of its risk management programme. It includes monitoring credit, liquidity, solvency, market and operational risks. Other risks such as IT and legal risks are also crucial elements of the portfolio, says Mashiya. However, not all risks are quantifiable, says Gopal. ‘Risks are rated based on probability of occurrence and severity, and measurement methodologies may include risk rating, stress testing, sensitivity testing, alongside more complex and structured techniques like value at risk [and] earnings at risk.’ Globally, two main standards are used for risk management plans – ISO 31000 and the COSO standard, says Neels Kornelius, head of risk management at Willis Towers Watson. In SA, the ISO 31000 standard is more widely used. ‘Alongside these standards, two widely used best-practice guides have been developed: the guidelines found in the King IV Code of Corporate Governance, and separately, the IRMSA also publishes a best-practice guide for risk management,’ he says. The main elements a business should have in place for its risk management plan are an overarching risk management policy; risk tolerance and appetite statements through which the board provides management with the boundaries of acceptable risk within which they should manage the business; and a risk management plan, which sets out in practical terms how the management of the company will execute risk management within the organisation, says Kornelius. Companies naturally gravitate toward growth, which often requires investment into new technologies, emerging markets and unfamiliar business models, all of which carry risky baggage, according to Christopher McClean, vice-president and research director at Forrester. While appetite for risk seems to increase at the prospect of growth, there continue to be barriers to entry into investment risk management. ‘Executives are sceptical,’ he says. ‘Risk management is perceived as a hindrance to performance and a cost to the bottom line and business process.’ According to a Forresters report on risk management, only 22% of organisations believe they manage risk appropriately. Of the top barriers, 21% perceive risk management efforts to increase costs, while 14% say it reduces performance. ‘Organisations need to take governance, risk and compliance out of silos and integrate them across the business to understand the intricate ways in which risks interconnect.’ A data breach, for example, has a massive impact on the reputation of the company responsible for the safekeeping of its user data. These are two separate but interlinked risks that can be a catalyst for other risks. When Momentum declined to pay out a life insurance policy of a deceased client on grounds of non-disclosure, the company was following clear protocol, which is why the backlash on social media must have come as a shock. It’s not the first time a client’s claim has been denied but what is relatively new is social media, where clients can vent their disagreement. And this has huge reputational risks for a company. ‘The Momentum issue should be a wake-up call to all companies,’ says Nathan. ‘PR management has become an enormous risk.’ The nature of risk has changed, says Discovery Insure CEO Anton Ossip. It’s no longer simply about insuring a ship against sinking or a building against fire damage, as business risks – such as data leaks or reputation damage, have become more relevant than traditional risks, he says. Many of today’s big businesses that are based on IP and cloud-based data don’t run the risk of, say, a factory going up in flames. At the same time, companies are also becoming more global and the risks are often less centred on local risk factors. ‘Insurers must put themselves in the shoes of the entrepreneur and understand the key risks to the sustainability of the business,’ says Ossip. The risks must be broken down and checked against an insurance policy that covers each of these risks. ‘We believe in risk management rather than dealing with the ramifications of risks.’ Ossip says this starts with a broker who understands the company and can help with structuring a foolproof insurance plan. The IRMSA report found that half of the industry risks mentioned stem from inside the company, and 16 of the 25 risks the are within a company’s immediate control. SME reports forming part of the IRMSA study consistently stress increased awareness and internalisation of the risks and their associated risk response plans. In doing so, companies can better allocate responsibility and partner with experts to mitigate risks, as in the case with Sappi. Fire incidents at Sappi plantations decreased by 89% after the implementation of the Abashintshi programme, a CSR initiative that addressed the arson epidemic by uplifting the local communities. It’s a great example of a risk being taken out of its silo, as McClean says, and approached from a different angle, something that could only have been done with the help of a third-party expert who had taken the time to understand the risk. ‘The bottom line is that having a risk management plan can help an organisation to have a systematic and regularised way of managing its risks,’ says Gule. Risk management has evolved and continues to do so, says Kornelius. ‘The first generation of risk managers in South Africa were mainly compliance-driven, and most companies are now on their second generation of risk management and risk managers, where risk management is an accepted and embedded management function, with more and more value being derived from the data it produces,’ he says. ‘The third generation of risk managers are now emerging, where companies will not move strategically without having plans stress-tested by thorough risk management evaluation.’ By Sven Hugo Image: Andreas Eiselen/HMimages