Good risk management can open up opportunities. But too many controls can become costly, cumbersome, and create a false sense of security

London Stock Exchange

Risk management is often dismissed as ‘business prevention’. It doesn’t have to be that way.

Learning from banks isn’t fashionable at the moment. Yet banks have understood that sound risk management can expand choices rather than limit them. The result is a model that creates new value for the business and better processes for customers.

Controls in operational areas tend to become layered, one on top of the other, rather than adjusted in the light of changing conditions. Once a control is in place, people seldom ask whether it remains proportionate to the underlying risk. This can lead to an operation that is too slow and costly to be competitive. And it breeds a dangerously false sense of security.

Banks are alert to this problem of control layering and prefer to look at operational risk in the round - people, environment, technologies and processes.

They ask the key question: is spending on controls matched to underlying risk? In some financial service operations, up to half the control bill could be removed, which would also lower delays in customer service.

Here are five steps to eliminating control layering and add value via risk management:

1. Analyse repetitive high-volume, multi-locational processes

Be empirical before you get radical. Take a close look at a part of the organisation that informed participants believe is over-controlled. This can blaze a trail for other projects. Robust cost-capture techniques can be used to assess a process, the cost of controls and underlying risks. Don’t worry about ad hoc processes, or small ones; look out for the repetitive high-volume activities. Take time to understand both process and risk levels first; transparency and detailed knowledge are not
optional extras.

2. Relate risk to control costs

You’re likely to discover that some procedures that should be routine are bogged down in checks and counter-checks. As in an old overhead slide presentation, you need to lay the costs over the process, seeing how spending is matched to areas of serious, rather than residual, risk. Any inverse correlations will then be plain to see. This highlighting provides comfort to decision-makers that spending can be aligned with real risks.

3. Develop realistic options

A zero-tolerance approach to error breeds over-control. The point is to have controls that are really needed. Some are prescribed by law or regulation. But many others are self-imposed. Correctly engineering a process can reduce costs by removing counter-productive local measures. A word of warning: don’t make cost-cutting your primary goal. Aim instead for that rounded view of operational realities. It might be that effort needs to be redirected rather than reduced.

4. Involve and educate decision-makers from the start

You need their insights to scope the work, and their support to make changes. Make them aware that it’s impossible to eliminate risk entirely. The goal is to strike a reasoned balance by analysing investment and risk together. This approach erodes prejudices, notably the natural organisational bias towards fighting the last war rather than foreseeing new problems.

5. Look out for unintended consequences

Monitor the effectiveness of the changes you make. There must be a preliminary risk assessment to tease out anything that might go wrong with a new or revised process, especially if it involves taking out controls. Draw on everyday data from multiple locations as the new measures play out. You will need to consider the resilience of your control changes in stressed conditions. Now, as always, knowledge will make for real control instead of the illusion of control.