Many organisations do not have a risk manager or a Chief Risk Officer (CRO). They feel that they may not have a full time job for the person, or that recruiting a person with the right skill set and employing them at the right level may be too expensive. They are right. Others feel it's a good idea to assign responsibility for risk management to the internal auditor or the finance manager. This may be a step in the wrong direction. Is there another option to consider?

In my opinion, where work can be done more effectively, and more efficiently, by an outsider than an insider, the work should be given to the outsider. Engaging a part-time CRO, with the right knowledge, skills, and experience can add value and bring proper risk governance and risk management to an organisation. The services of a part-time CRO can range from a full end-to-end solution to almost anything in between. A full service solution typically comprises developing and implementing Enterprise Risk Management and the ongoing execution of the programme in the role of CRO on a retainer basis. A part-time outsourced solution is practical, flexible, scalable, and can be adapted to suit client requirements.

A part-time CRO works with the board, the executives, and the senior management team to develop and maintain the organisation’s overall Enterprise Risk Management programme. Typically the service will include:

• reviewing any existing risk management initiatives: charters, policies, plans, and other risk management documentation;
• performing a gap analysis against the applicable risk management regulations and guidelines and making recommendations to close important gaps identified;
• developing the required charter, policy, and risk management strategy;
• defining the risk universe and setting the risk appetite and tolerance;
• developing the terms of reference for a risk management committee and participating in it;
• reviewing the existing risk management methodology and defining an appropriate risk management framework for the client organisation, taking into consideration COSO ERM, ISO 31000 and, if applicable, the requirements of specific legislation such as the PFMA and MFMA;
• reviewing the current risk assessment process and the current risk register;
• conducting an enterprise-wide risk identification process;
• preparing and facilitating risk assessment workshops;
• developing mitigating strategies for the top risks, assigning a risk owner, and setting implementation timeframes;
• developing a monitoring and reporting process for the top risks; and
• participating in the ongoing risk management process.

The Retlaw Fox offering is unique in that we can integrate risk management training, to meet your organisation’s specific requirements, into the offering. For further information or to obtain a quotation for part-time CRO services please visit www.retlawfox.co.za or email info@retlawfox.co.za.

We’re excited about our radio ads...take a listen! The ads feature two friends playing chess. The ad opens with ‘Matthew’ placing his friend ‘Karl’ in ‘Check!’. After the announcer explains the benefits of RiskFox risk management courses, ‘Karl’ makes the smart move of placing ‘Matthew’ in ‘Check Mate!’”

One of my favourite French sayings is ‘pourquoi faire simple quand on peu faire complique?’ Translated to English it means ‘why make things simple when one can make them complicated?’ In the world of risk management there is sometimes a tendency to overcomplicate things.

Whilst I do appreciate that determining the risk tolerance for a complex investment fund is a lot more taxing than determining the risk tolerance of say a manufacturing or a sales and distribution company, I can’t help thinking that an unnecessary level of complexity is often brought to bear by ‘academic gymnasts’ more comfortable operating in an environment of complexity, controversy, and uncertainty.

Let’s face it; no matter how you go about determining risk tolerance, the output remains a quantifiable amount, usually expressed in monetary terms, which reflects the amount of risk an enterprise is able to take. This output is an essential input to the entire risk management effort but its determination should not consume more time and effort than managing the risks themselves.

Risk appetite can only be considered after the risk tolerance has been determined. Risk appetite is simply the amount of risk an organisation is willing to take. It is based on qualitative and quantitative factors but is equally, and often decisively, based on the risk culture, the risk attitude, and the ‘gut feel’ of an organisation’s executives.

What is certain is that an enterprise should not take risk in excess of its ability to absorb that risk or combination of risks. Don’t let your appetite lead you to bite off more than you can digest!

A well governed enterprise that successfully practices Enterprise Risk Management ensures that its risk tolerance is effectively and transparently calculated and that the risk appetite, within which the executive team must manage the organisation, is formally set by the board.

The distinction is clear: risk tolerance reflects the amount of risk you are able to take and risk appetite the amount of risk you are willing to take.