Linking corporate governance and enterprise risk management

(Conclusion)

The difference between an event we call an opportunity and one we call a disaster most often depends on which of the categories the event falls into. Even an event like the eruption of Mt. Pinatubo, despite the devastation to the surrounding towns and provinces, can be seen as an opportunity, an opportunity for those who were evacuated out of danger to continue their lives. The event also provides the province of Pampanga with revenues from quarrying lahar.

Ending business surprises doesn’t require a psychic. In fact, no knowledge of the future is required. Turning risks into opportunities simply requires that managers receive a heads-up about the present – about what is happening right in their business and what can go wrong with their business objectives, goals and strategies. To win and compete in a global marketplace, companies need to develop the capacity to identify or capture the events, analyze and prioritize the risks to major earnings drivers and incorporate this learning into company strategy. This will help ensure that senior managers and directors receive critical and relevant information on an ‘early warning’ and ongoing basis. It will not only help senior management and the board avoid nasty ‘surprises,’ but it will also contribute to improved corporate performance and growth and, ultimately, enhance shareholder value.

Given the growing array of external business challenges and surprises and heightened concerns regarding directors’ and officers’ accountability, corporate leaders the world over are placing a premium on corporate governance and enterprise risk management practices.

Corporate governance is an organization’s strategic response to risk

The definition of risk in AS/NZS 4360:2004 stating that risk is “the chance of something happening that will have an impact on objectives” indicates that risk should be treated as part of each corporate objective. Thus, risk treatment for the mitigation of risks becomes controls and strategies which provide reasonable assurance that corporate objectives will be achieved within an acceptable degree of residual risk. This is governance. Corporate governance is the way in which an organization is controlled and governed to achieve objectives.

Corporate governance holds the organization together in the pursuit of its objectives. Risk management provides the flexibility for an organization to respond to unexpected threats or business surprises and take advantage of opportunities. As such, risk management provides corporate resilience and with this resilience comes competitive advantage. The common factor linking risk management and corporate governance is the focus on achieving corporate objectives and enhancing shareholder value. So, we regard corporate governance and risk management as one and the same process.

Embedding risk thinking in the corporate culture

Risk thinking has to be made part of the company’s culture. In the 21st century, command, control and compartmentalization of organizations are no longer possible. Simply ‘preaching’ or issuing diktats to staff in an effort to raise awareness and bring people on board is not a viable strategy. All members of the staff need to understand the risks involved in doing business, the value of taking these risks in pursuit of opportunity and the way risks are being managed or mitigated.

Appointment of a Chief Risk Officer (CRO) can help greatly in nurturing a culture of risk awareness. The CRO can focus on reducing vulnerabilities, thus limiting the likelihood of disruption, and on building resilience. Resilience depends on the kinds of risks and threats a company faces, something that differs for each company and industry. Many global companies are moving in this direction, and the trend will probably strengthen as insights into global and other systemic risks become more prevalent.

Building corporate resilience

Corporate resilience comes from planning, flexibility and the creative management of risk. As the global footprint of firms expands, so too do the risks they face on a daily basis. Extended supply chains, technology interdependencies, IT vulnerabilities, mutating viruses, and even weather phenomena all combine to make doing business a risky business. Resilience in the face of increasing risk is the ability to avoid, deter, protect, respond, and adapt to market, technology and operational disruptions. This is becoming the linchpin of profitability, shareholder value and competitiveness.

The challenge: Moving towards corporate resilience

Given the evolution of risk, from traditional risk management to enterprise risk management, businesses need a new lens to plan for market, technology, and operational disruptions. This is best defined as corporate resilience, the ability to anticipate and protect against risks, as well as manage, mitigate and recover rapidly.

Globalization, technological complexity, interdependencies, terrorism, climate and energy volatility, and pandemic potential are increasing the level of risk that societies and business organizations now face. Risks are also interrelated; disruptions in one area can cascade in multiple directions. The ability to manage emerging risks, anticipate the interactions between different types of risk, and bounce back from disruption will be a competitive differentiator for companies and countries alike in the 21st century.

The most important role in corporate governance may well be that of recognizing and monitoring the seductive nature of risk. In any competitive area, there are only a few ways to increase profitability. One is to establish a sustainable competitive advantage. Another is to become more resilient. The third, which often happens unconsciously, is to take greater risks. Risk, after all, isn’t risky until one is injured or ruined by it.

(Rolando C. Cabrera is a Director and Senior Risk Management Advisor of Manabat Sanagustin & Co., CPAs, a member firm of KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com.ph or rcabrera@kpmg.com).
