Effectively managing risk within an advisory practice or an SMSF comes down to a few key elements, Marcus Turner writes.
Managing risk is part of the human condition. We manage risks every day, whether crossing the road or understanding our investment options.
Where risk management becomes problematic is when we use our innate risk assessment procedures evolved over the millennia to manage the sophisticated risk environment of the modern business world.
I can’t imagine early humans needed anything like the Australian Prudential Regulation Authority’s long-awaited prudential standards on risk management and governance, CPS 220 and CPS 510, which came into effect on 1 January, in order to deal with risk.
Clearly modern humans, especially those working with SMSFs, require a more sophisticated means to assess risk, not only for peace of mind, but to fulfill legal requirements.
The reality is we do manage risks, daily in fact. Getting to work can be a risky proposition and once we are there, we continue to manage our investments and portfolio risks. We are professionals. We are great at this. So why introduce something new to add to the compliance burden?
But are we good at managing risks? The global financial crisis, economic downturns and trade crises don’t just happen, nor do they happen because an individual failed to manage certain risks. They happen when enough of us take our eyes off the objective and march forth without applying rigour to our thinking or applying sound risk management.
Contrary to popular belief, risk management is not a hazard identification or side-step mechanism any more than it’s just some compliance exercise or only the responsibility of a chief risk officer. Effective risk management is having the right focus and mindset to approach opportunities.
The person in charge of an organisation needs to make a clear statement on what levels of risk are acceptable. The form of this statement can be different for different types of organisation, but they will have a few things in common so that all risks can be assessed and managed at the appropriate level.
Risk management and the risk management process are elegantly simple on a conceptual level. Within any given context:
- What is our objective?
- What will prevent or promote us achieving that objective? (Risks and their identification.)
- How big or likely are those risks and what are we doing about them? (Assess and treat.)
- How do we keep an eye on them? (Monitor.)
- What else, if anything, do we want to do about them, and where will that get us to? (Assessed action.)
It’s simple enough right up to the point where we try applying it.
Complexity is not born of risk management. Complexity is born from the businesses we seek to manage. This is why when we try to overlay a template risk management process on what we do, invariably it doesn’t meet our expectations. The template approach or compliance approach to risk management will never be a silver bullet. The key to effective risk management lies in the mindsets of people.
Therefore, when we understand what an effective risk management discipline is intended to do and equip staff with the right thinking, business decision-making is revolutionised into effective, evidence-based decision-making.
It’s the combination of a robust process, a balanced approach and solid reasons behind the decisions we make at each step along the way. Each of these elements requires good people with mature thinking; the process itself is merely a tool to ensure that thinking is exposed to transparent rigour.
The trustees of an SMSF combine many roles to fulfill their duties and obligations. As a trustee you cannot pass the risk management responsibility to others. So how do you effectively manage risk along with all the other legal and fiduciary requirements? What you require is a practical approach to risk management that is tailored to your requirements.
The identification of risks
The starting point is to identify your risks. This is where the practical implementation of risk management can lend the most benefit and is also the point where it often starts to fray around the edges.
A risk is something that has the capability of impacting on the achievement of your objectives.
Identifying risks generally sounds easier than it is, but it is certainly worthwhile to take a little time to get this right, because the risk itself will tend to point toward the treatment. These risks can be simply listed and each one walked through in the assessment process. Table 1 will be used as an example, although it should be noted it is just that, an example only, and is intended to illustrate how the process can work. Caution, however: without the appropriate mindset and level of risk maturity, a risk register or risk profile can quickly become outdated and therefore an illusion of risk management.
A well-managed risk management framework and profile can not only support the achievement of business objectives, but also:
- underpin your compliance program through the treatment activities that are in place to manage particular risks, including due diligence,
- enable business resilience through risk-based allocation of resources and the identification of key vulnerabilities,
- support governance through capturing the basis for decision-making and thereby support transparency of decision-making,
- preserve corporate knowledge by recording the analysis of risks and key decisions in the process, thus enabling experience to be built upon as opposed to it being reinvented, and
- enable management agility by allowing more rapid, evidence-based change.
With the focus on objectives, risks are identified. Keep in mind these are risks within the framework of achieving the objective. Often, in the absence of objective focus, organisations identify risks and set about managing them when in fact those risks bear no relationship to their objectives. They belong to someone else, result in wasted resources and divert focus away from your objectives.
The risk assessment described above has the objective at the top of the page. This stays front of mind through the identification and assessment. More sophisticated models will also include other key information, such as assessment date, who is involved in the assessment and the version of risk tolerances being applied.
The first column sets out the identified risks that relate to the objective – both positive and negative. Now at this point I will keep the version simplified as I would like to focus on the governance and compliance elements. The things currently in place to address the risk are matched to the risks. Keep in mind these are the things you currently have in place, not the things you want to have in place.
The documents that support these assertions begin to support your compliance program. For example, if you identify a risk along the lines of “Improving workplace safety through supporting a more safety-aware culture”, the things you may currently have in place to ensure this occurs could include safety briefings for staff, due diligence training for managers, and work procedures consistent with codes of practice. The documents you hold to support these actions actually help evidence your compliance with work health and safety requirements.
Assessing risks in terms of consequence and likelihood
The next step in the process is the assessment of the risks in terms of consequence and likelihood. This assessment draws on the risk appetite and metrics determined by the board, chief executive or trustee. For the purposes of this article, risk appetite is a clear statement made by the board or CEO that defines, specifically, the acceptable level of risk for the organisation. Typically it is reflected in clearly differentiated consequence and likelihood scales.
In assessing the risks, you make decisions based on evidence, even if it happens to be a professional judgment call. An evidence-based approach will support resilience and capture corporate information.
The consequence of a risk is determined in light of the risk appetite. Similarly, you do the same with the likelihood of the consequence occurring. This will derive the risk level so that you can prioritise the allocation of resources.
The monitoring element lets you know if the existing treatments are providing the level of mitigation or augmentation of opportunity that you expected. The monitoring and key performance indicators are attached to the treatments and the risks so that your internal reporting processes don’t fall into the trap of reporting for reporting’s sake. They are lead and lag indicators that show if the treatments are working and how the risk may be moving over time.
Well-thought-through measures are a great indicator of whether things are coming off the rails, but remember lag indicators are more like rear-vision mirrors that help identify where you came off the rails. Coupled with the treatments and the risks, they provide the context that can be far more informative as to how problems should be addressed, such as targeted training as opposed to an expensive blanket approach.
It is the action plan from this point that determines what we need to do in order to manage the risks to an acceptable level. This establishes your forecast risk or target position: where you want to be and how you will go about getting there (Table 1). Another key benefit is that capturing this information adds to the documented reasons behind the risk assessment.
In taking the same approach to assessing what else you would like to do to further manage your risks, you are able to make solid commercial decisions. Will the costs involved in taking further action outweigh the potential downside or provide you a sufficient return? This helps avoid spending lots of resources for very little gain while the more daunting risks remain or the potentially greater opportunities go unrealised.
Too often managers fall into the trap of managing the things they have always managed or the things they are comfortable managing. Prioritising management not only promotes getting the best bang for the corporate buck, but the information also supports due diligence. The net result is that both compliance and governance are improved.
Capturing reasons behind decisions not only facilitates review of the assessments and risk profiles, it enables the business to gain the benefit of contemporaneous thinking. If the time comes to defend a decision, well-constructed and documented risk assessments can show reasonableness.
You build your knowledge and you are able to learn from your own experience. Whether you are a one-person operation or a major corporate, you are able to stand on the shoulders of giants even if the giant is your own experience within your business and what you have learnt along the way.