Enterprise Risk Management (ERM): Gap Analysis for Kenya and the development of a niche service provider

Transcription

1 Enterprise Risk Management (ERM): Gap Analysis for Kenya and the development of a niche service provider Author: Jason Levitan, Warrior INSIGHT Introduction Risk in the corporate arena is an ever-present entity that can arise in a broad range of scenarios; from well-known factors through to obscure factors whose relevance has not been noted. Risk management is hardly a new concept in the business world, but it is a concept that many organisations fail to address adequately in the modern climate. Historically, risk management has entailed a post-event reaction whereby policies and frameworks are developed in lieu of an incident. The reactionary nature of this form of management has resulted in the failure of institutions to conduct business and provide services at a credible and successful level. The development of risk management, as a result of these failings, has led to the rise of Enterprise Risk Management (ERM) where organisations are encouraged to look at their business objectives (Table 1) and determine the level of risk they are willing to accept in pursuing value (risk appetite) in regards to specific assets (Table 1). Table 1: The key business objective areas and asset categories that ERM will focus on when developing a framework for any organisation Business Objective categories Asset categories Strategic Physical Operational Financial Compliance Customer Financial Employee/Supplier Organisational The ability for organisations to objectively view the services they provide in such a way that allows for work within their abilities to achieve best-practice, continually improve, and establish themselves as market leaders, whilst minimising the risks they take to achieve those goals is the aim of an ERM system (Protiviti 2006). ERM aspects and implementation ERM is a process that follows the mantra of Plan, Do, Check, Review utilising a number of components to achieve an organisation-wide management system that is suitable to changing economic climates and adaptable to all levels of expertise and employees within the organisation (Table 2). Table 2: Enterprise Risk Management components (adapted from COSO 2004) ERM Components Description Internal Environment How risk is viewed by an organisations entire work staff Objective Setting Management must have a process to set objectives that support the aims and are in sync with the risk appetite of the 1

2 organisation Event Identification All events (Internal and External) must be identified in regards to their likelihood and consequence against the organisations objectives Risk Assessment Risks posed by events should be analysed for determining how they should be managed Risk Response A hierarchy of control should be established to guide the response to all risks posed Avoid, Accept, Reduce, Share Control Activities Using the hierarchy of control, policies and frameworks should be developed for controlling the risks posed Information and Communication Information must be collected, analysed, and communicated in a consistent format throughout the organisation in a manner that is appropriate at all levels of expertise Monitoring The ERM must be continually monitored, audited, and reviewed to ensure progress and development Acknowledging future risks at a corporate level allows for the understanding of how risks can affect the core strategy of an organisation. Furthermore the mere fact that a risk is beyond the control of management within an organisation does not justify ignorance of the impact the risk may have on the organisation. In attending to these risks the organisation will develop and enhance consumer confidence, corporate governance, employee alignment and unity, reduction in poor performance levels, legislative compliance, and remain current to the new advances within the respective industries. Incorporating risk management into the strategies of an organisation enables the concept of risk appetite to be addressed. When implemented in the strategy of an organisation, this allows for the assessment of whether the risk is appropriate to occur at all employment levels corporate decisionmaking through to in-house personnel decisions. Once the protocol for addressing risk has been established, the decisions made in respect of risk follow a controlled, but unique to the organisation, process. This ultimately means that every employee approaches any organisational risk in the same manner and in a manner that is understood at all employee levels. Crucial to the success of ERM is a system that checks the policies and frameworks implemented and assesses their ability to ensure the risk appetite of the organisation is not being exceeded, and equally that the risk is not detrimental to provision of services and the organisations success rate. This is achieved through the periodic audit of the effectiveness and efficiency of the response to risk of all aspects of the organisation. 2

3 Finally in completion of the process, the key findings of the Check phase must be reviewed in regards to the re-setting of the organisational strategy. The strategic, operational, compliance, and financial aspects of the organisation should be reviewed in regards to the management of risk, and thus any refinements to the organisations risk appetite can be addressed at the highest possible level. This step is perhaps the most important as it ensures the continual improvement of an organisation, without which it is unlikely that a competitive advantage in any business circles will be achieved. The result of developing an ERM will ensure that all risks that could affect the development and success of an organisation are known, understood, and addressed. By incorporating the process at the strategy-setting level of an organisation, the physical assets, financial assets, customer assets, employee assets, and organisational assets are all considered. This has the effect of transferring the management of risk from one of avoiding occurrences/incidents to one of continual improvement and enhancing the value of the organisation. In the process this will ensure that the organisation is developing its ability to evaluate and manage future uncertainties. ERM in Kenya Risk management is not a new concept in Kenya, however the development to ERM, and addressing risk beyond the traditional financial aspects, is still considered weak (Yegon, Mouni and Wanjau 2014). The financial sector in Kenya is perhaps the leader in the development and introduction of ERM into company profiles. This is understandable given the high-risk posed by government debt, consumer spending, employment levels, fluctuating commodity prices, security threats (regional, national, and international), and reduced investments resulting from the global credit crisis. However what this list does highlight is the risk posed to the business community as a whole by these factors. Whilst it is the financial sector looking to the future, many industries are addressing the status quo without managing risks effectively and not looking to the future and how the geographical, political, and financial future of Kenya in the global market place may be affected (PWC 2012). A brief look at the security of Kenya s geographical region shows the insecurity that exists and the significant effect that acts of terrorism and crime can have on the economy. The Kenyan tourism sector is an example of an industry that has been directly affected by incidents that were not necessarily directed at the sector (security and terrorism). Traditional risk management processes would not have addressed this issue, as it is not an issue seen to directly affect the sector. However, the process of ERM would have allowed for the impacts of possible national security breaches to be highlighted and thus have allowed the industry to put in place a plan of action. Currently in Kenya, the concept of ERM is in its infancy and is dominated by multinational corporations and the financial industry (Deloitte 2012). Although the concept of Risk Management is present throughout most industries, the process is limited in most cases to just the financial aspects of organisations. This status quo has served the corporate sector well in the past economic climate, but the increase in globalisation has meant that even regional economies have to be aware of the far reaching effects posed by international events. Given this assessment, it is perhaps appropriate to consider the Kenyan economic climate to be split in two: 3

4 1. Multinational and financial sector (Multinational) defined as those organisations with a global outreach beyond Kenya and the East African Region. Includes members of the financial sector. 2. Small to Medium enterprise sector () defined as those organisations that are solely providing services to Kenya and the East African Region. The organisations are established members and/or genuine competitors in the Kenyan economy. Given the research on ERM in similar economies, the greatest development of ERM is likely to be amongst the sector, as it is this sector that the traditional risk management processes dominate (Smit and Watkins 2012). Using the components of ERM as indicators, the following table offers a brief gap analysis of how effectively ERM is being employed in Kenya. Table 3: A Gap Analysis showing where Multinationals and s are meeting, partially meeting, or not meeting the requirements for ERM (developed from a number of sources) ERM Components Met Partially Met Not Met Internal Multinational Environment Objective Setting Multinational Event Multinational Identification Risk Assessment Multinational Risk Response Multinational Control Activities Multinational Information and Multinational Communication Monitoring Multinational A niche ERM provider Currently in Kenya there exist a number of global institutions that provide risk management solutions, and a number of these are active in regards to the provision of advisory services towards ERM. This advice is congruent with the needs of many companies to satisfy the demands of parent companies and legal compliance overseas where the organisations are based. Below these multinationals there are few organisations that provide risk management advice and solutions appropriate to the needs of Kenya, beyond the aspect of physical security of personnel and property. The financial decisions, operational aspects, and legal compliance issues are still generally dealt with in-house and on an as-is-required basis. Whilst a number of s may not appreciate the need for ERM with their current understanding of risk management, it is an aspect that should not be overlooked due to increasing impacts of international (global and regional) events on business in Kenya. 4

5 Provision of ERM services to these s is likely to need the research into and development of frameworks that allow for the unique business environment of Kenya to be analysed in regards to the risks associated with the key business objectives of ERM (Table 1). Presenting this information to management of an organisation is likely to highlight the inefficiencies of traditional risk management processes, and educate the management as to how a more secure future can be achieved. To achieve this level of advisory knowledge, expertise in the fields of research, analysis, local knowledge, and communication are necessary across the previously mentioned key aspects. Furthermore the research and analysis must be on-going to ensure that all advice and recommendations are current and appropriate to the conditions being experienced in Kenya at the time in question. The ability to provide objective and critical advice cannot be underestimated due to the need to be honest and transparent on presenting the best strategic advice in relation to the risk appetite of an organisation versus their actual risk threshold. The risks associated with any organisation aiming to provide these services, are dominated by the quality and efficiency in the provision of information. A lack of research, appropriate analysis, and poor communication is likely to lead to poor business reputation and customer retention. Given the investment in knowledge and expertise that providing this information will require, maintaining standards will be essential. The need to continually develop and advance the field is essential to maintain a market-leading service and this will require on-going investment in monitoring and modelling technology. Undoubtedly the benefits to any organisation that provide these services, is the ability to fast become a market-leader in the sector and become the benchmark for competitors to judge performance by. The lack of these services currently aiming at the small-medium sized enterprises in Kenya means that a competitive edge can be developed and improved well before significant competition arises. Summary ERM has the ability to significantly improve the strategy-setting and achieving objectives of any organisation; ERM is currently not a key feature of Kenyan organisations, especially those not in the financial sector or those multinationals who are following overseas protocol in enacting ERM; Provision of ERM services in Kenya is limited; To provide ERM services, baseline data and foundations of the current status quo amongst Kenyan enterprises need to be established. Service providers must ensure their employees have the appropriate skills to not only develop ERM frameworks, but to report and communicate with the customers to ensure they have a full understanding of the concept; Continual development of the services provided in regards to ERM management is essential. 5

6 References COSO (2004) Enterprise Risk Management Integrated Framework; Executive Summary. (accessed 20 November 2014) Deloitte (2012) Enterprise Risk Management Survey Report Deloitte & Touche. Nairobi, Kenya Pricewaterhousecoopers (PWC), (2012). Rising to the Next Flow. A Kenya perspective on 2012 state of the Internal Audit Profession Study. Nairobi: PWC Publication Protiviti (2006).Guide to Enterprise Risk Management, Frequently Asked questions. New York: Protiviti Inc. Smit, Y. and Watkins, J.A. (2012) A literature review of small and medium enterprises () risk management practices in South Africa. African Journal of Business Management. Vol. 6 (21), pp Yegon, C.K., Mouni, J.G. and Wanjau, K. (2014) Effects of firm size on enterprise risk management of listed firms in Kenya. Journal of Business and Management. Vol. 16 (5), pp