Risky Business

To the uninitiated it may not seem to be one of the most glamorous or indeed essential elements of a commercial enterprise, but without risk management a company exposes itself to prosecution and possible corruption of its financial systems.

Risk management, in its truest form, is a structured approach to managing uncertainty within an organisation related to a system, process or person, which, unless mitigated, poses a threat to that organisation. The subject of risk covers a wide array of functions, but financial risk management remains one of the most high-profile in the business world, according to Charlie O'Rourke, director of market development for Solcara, an agency that works with clients on protecting information assets. He says: "Risk has become such an inherent part of doing business that companies must have safeguards in place when dealing with people, systems and other companies. If not, they are prey to a whole series of actions that can be catastrophic". Risk management is not just a luxury but a legal necessity, covering certain facets of business.

The Financial Services Authority is duty bound to ensure that it sets appropriate guidelines to ensure risk is minimised across organisations over which they have jurisdiction. For example, business continuity risk is one such area, focusing on a company's financial systems. The standards may be generic but it establishes a process that helps manage risks associated with the smooth running of an organisation or delivery of a service. O'Rourke says: "Companies that operate within a strong risk management culture are effectively implementing an insurance policy against something going wrong with critical functions while ensuring a quick recovery afterwards". All commercial and public sector organisations are required to reduce risk in operations at all levels, but given the ever increasing use of electronic systems for financial transactions, fraud remains one of the highest risk factors a company can face. This fact, according to O'Rourke, has never been more apparent, with the increasing number of individuals using lax system controls to defraud their employers of large sums of money. To make it worse, these events are often not recoverable under insurance policies because companies have not implemented sufficiently robust risk systems as per the terms of cover.

The recent case of France's Societe Generale bank being exposed to a loss of more than £6 billion due to the vulnerability of its internal systems has pushed many UK organisations into lobbying the government to look at the introduction of more stringent but simpler standards in respect of financial control procedures. "Implementing a financial risk management system can be complex, depending on the extent of a company's reliance on one or more systems", says O'Rourke. Taking account of all risk elements of a technical and human nature can mean, in some instances, full-time resources being dedicated to the function of assessing and addressing risk. For such a process to be fully effective, all aspects of a company's finances must be properly evaluated to fully understand processes and whether any parts represent a risk. This can include activities as innocuous as handling petty cash, because if sufficiently strong procedures are not in place, employees are free to abuse systems, often without their employer being any the wiser. Developing a risk management system should follow a step by step sequence, according to Business Control Solutions, a consultancy specialising in risk mitigation. Understanding the likelihood of a critical financial system or process failing will determine the associated level of risk, while fully establishing the interdependencies of such a failure will help with alternative solutions that need to be developed. Once these elements have been identified, business continuity planning needs to be high on the agenda. The development and maintenance of effective and up to date continuity plans are what is going to make any credible risk management programme stand on its own when the situation demands it. Where most organisations fail to plan properly and where risk management projects fall apart, according to O'Rourke, is when it comes to the issue of crisis management. He says: "Enabling an effective decision-making process during a crisis in order to minimise the impact on an organisation and its reputation presents a real test to even the most prepared of companies." Having a financial risk analysis undertaken may throw up no surprises for company bosses confident in the knowledge that their organisation is safe from anything going wrong. This is only part of the picture though; because risk is not just about putting plans in place should technology come unstuck. It should be focused on the biggest threat of all to risk - human beings.