Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through.
A non-integrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:
Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other. Every policy in the environment is a risk document; there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address.
Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture. It fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
Overwhelming complexity. Non-integrated risk management and policy management processes increases complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently by introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners.
Lack of business agility. The organization is constantly changing and therefore its risk profile is changing. The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic.
Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the job done. This leads to processes and individuals, who step out of line, take more risk than the organization wants, or violates policy. Most often organization’s policies are out of date to the current risk profile, non-existent or unenforced in accordance to risk.
A symbiotic relationship
Policies define acceptable and unacceptable risk by establishing boundaries for the behavior of individuals, operation of business processes, transactions and establishment of relationships. In policies the organization states what it will and will not accept and defines the adherence (compliance) it expects. Policies articulate boundaries for risk management and build the desired culture that drives individual and business conduct.
Policies articulate the governance culture. Policies address more than how to meet legal requirements; they drive the performance objectives of the organization. Without policies the organization has not made clear what people or business units may or may not do in seeking to meet those objectives. Individuals are left to make decisions and may take the organization where management does not want it to go. Without policy management true governance is not really taking place. Policies establish consistent business processes, behavior and transactions so the organization can reliably achieve objectives.
Policies articulate the risk culture. Policies are the cornerstone in documenting acceptable and unacceptable risk that guides corporate behavior. This includes establishment of responsibilities, communication, appetite, tolerance levels, boundaries and risk ownership. Every organization takes risk; it is a necessary part of business. Without clearly written guidance, risk governance will be ineffective and risk decisions will be made by each individual based on their personal individual appetite for risk.
Policies articulate the culture of compliance. Policies define what is acceptable and unacceptable—boundaries set through risk management at various levels. Policies are more than documents defining how to adhere to legal and regulatory requirements; they also communicate the organization’s values, ethics, commitments, as well as acceptable and unacceptable risks.
Think of policy management as the last mile of risk management. If risk management is not part of policy management an organization would spend time and resources on conducting risk assessments that have no impact or change on the business.Elena Kiristova is CFO Russia and CIS at Groupon. An expanded version of this article will appear in an upcoming issue of AFP Exchange .