Managing risk, if only intuitively, has been around forever. "It's just become more formalised," says Jonathan Blackmore, Ernst & Young's business risk services partner.
The driving force is an unprecedented focus on corporate governance, precipitated by legislation such as the Sarbanes-Oxley Act in the US and principle-based, self-regulatory codes of conduct such as SA's King 2 Report on Corporate Governance and the UK's Combined Code of Corporate Governance.
Risk management is now a central challenge for both CEOs and boards of directors. "Personal liability should be of huge concern," says Lester Botha, senior corporate affairs adviser at Alexander Forbes Risk Services. Existing and pending new laws "have turned day-to-day management decisions, as well as reactions to specific circumstances, into nightmares", he says.
Pointing to just one of the risks that today carry heavy penalties, Grant Thornton's director of business risk services, Anton Barnard, says that in the case of listed entities the responsibility to comply with the Occupational Health & Safety Act falls on business owners and CEOs. If found to be in contravention of the act, they face criminal prosecution and could face a fine of R50 000 or 12 months in prison.
For good reason the name of the game is now holistic enterprise risk management (ERM), says Steve Winks, president of the Institute of Risk Management SA (Irmsa).
Winks explains that risk management is no longer driven by the "pure risks" that can be covered by insurance. "It has reached a level of maturity, where it is fully integrated into mainstream business practices and concerns itself with all uncertainties enterprises face in achieving business objectives."
ERM is also finding its way into the formal assessment of credit risk by rating agencies. In the insurance industry, for instance, Standard & Poor's evaluates five components of an ERM strategy: strategic risk management, risk controls, extreme-event management, risk and capital models and risk-management culture.
Though awareness is growing, Blackmore bemoans the pedestrian grasp of the concept of risk management: "Many SA companies do not fully appreciate or understand the actual concept of risk." Failure to comprehend the nature of the problem makes it difficult for companies to formulate and put in place an effective, comprehensive risk management strategy, he says.
Echoing his view, Paul Mullon, marketing director of data management firm Metrofile, says: "Awareness of risk is increasing significantly, but many companies are fumbling in the dark."
And while listed companies must provide details of ERM strategies in annual reports, "when you drill down, the reality is often not quite what is in the glossy print", says Mark Dunn, head of risk assurance services at accounting firm BDO Spencer Steward. Similarly, Blackmore says: "Many companies pay lip-service only to risk management."
Despite these shortcomings, Winks says: "I believe the capabilities of SA's ERM professionals rank in the top 10 worldwide." As recently as 15 years ago, he says, SA was the recognised leader. At that time, he says, political and economic isolation limited access to world markets, and there were a number of large corporations with high-risk profiles in an overstretched local insurance market.
"It is not that SA has slipped in the ERM field, it is rather that other leading economies, because of new and different risk pressures, have developed a higher demand for risk management and have caught up with and overtaken us."
The King 2 report, which is recognised as a world-class model, bears witness to SA's high level of ERM professionalism, says Winks. Irmsa, which has 60 corporate and 400 individual members, has based its ERM code of practice on King 2 principles, he says.
King 2 prompts management to identify and evaluate actual and potential areas of risk and decide on a level of tolerance to specific risks and methods of eliminating or mitigating each risk. In many ways it's a game of probabilities, says Kris Budnick, a Deloitte security services group partner.
Risks can be classified as: physical and operational risks; human resource risks; technical risks; credit and market risks; compliance risks; and business continuity and disaster recovery.
At its worst, risk gone wrong can destroy a company. Here, one of the potentially most destructive risks companies face is loss of reputation among clients and business partners.
When the US company Enron collapsed it took with it one of the world's top five auditing firms, Arthur Andersen, which was convicted of obstructing justice for destroying Enron-related documents. "Twenty years ago the worst that would have happened is that a few of its partners would have been fired," says Winks.
Notably, a survey of SA insurers by Ernst & Young this year revealed that just over half the respondents cited loss of reputation as an important risk area.
The firm's insurance partner Mike Kane said this was understandable, given the recent focus on financial services client rights, and the introduction of the Financial Advisory & Intermediary Services Act.
However, ERM does not begin and end with the board and senior management. The goal should be to create a risk awareness culture throughout an organisation, says Blackmore.
Winks says the focus should be "on embedding risk management in all business activities and making all managers accountable for risk in their areas of operation". But middle management and staff are unlikely to embrace ERM if a hard-sell approach is used, says Riaan Bredell, head of risk management in four of Sasol's key divisions and winner this year of Santam's risk manager of the year award.
Says Bredell: "Don't underestimate the challenge. Many will see risk management as just another burdensome nuisance thrust on them by head office." To win minds over, "you must not try to sell risk management as something new but, rather, as an enhancement of an organisation's existing core values".
For companies that get ERM right, rewards can be many. In its most obvious form, a company effectively managing existing and potential risks will have a clear advantage over its competitors who do not, says Budnick.
More subtle is the positive impact on a company's reputation. Here one of the biggest benefits can be on its market rating, which in turn influences factors such as cost of capital, attracting top staff and an ability to cover insurable risks at the lowest cost.
One of the most telling studies in this regard was undertaken in 2002 by US management consulting firm McKinsey. In a survey of more than 200 global institutional investors, McKinsey found that 80% would pay a premium for a well-governed company. The size of the premium ranged from 11%, 12% and 14% for Canadian, UK and US companies, respectively, to 40% for companies in less well-regulated countries.
When assessing a company's insurability, "we look at its risk management history and measures in place to contain risk", says Santam head of corporate lines Mpumi Tyikwe. Even press comments on a company have a bearing. "Bad press casts doubt on management's integrity."
The need to get corporate ERM up to speed may well take on a new urgency in future. Many risk professionals view some form of legislated risk management based on King 2 as inevitable. The pending new Companies Act could well herald this, says Blackmore.