Risk management is one of the main challenges facing companies today. In any business, planning is the key not only to growth, but also to sustainability and, in many cases, to survival.
Understanding risks as a measure of the magnitude of damage in any specific circumstance will help us to prevent mishaps or, if they are unavoidable, to be able to react to them in order to mitigate their effects. Approaching risk management from a professionalized perspective will provide both our organization and our clients with security and guarantees.
Establishing structured business processes based on professional and tested standards is the only way to ensure the achievement of the proposed objectives. In this way, thanks to appropriate risk management, we will be able to guarantee the operation of the business, its operations and, therefore, its sustainability.
Risk management is a set of procedures, standards and methodologies implemented in the operations of an organization or business to deal with possible threats and eventualities arising from the development of its activities.
Regardless of the activity in which a business is engaged, as well as regardless of its size or industry, any company is exposed to risks in carrying out the operations that allow it to be active. Risk management is about identifying risks in order to monitor and evaluate them.
Also known as Enterprise Risk Management (ERM), this area is already a separate department in many companies, or a sub-department integrated within the compliance/legal or operations departments.
Approaching this task from a professionalized perspective requires the establishment of specific and defined risk guidelines. In risk management systems, as a general rule, there are the following basic phases:
Although in each company, and according to the different professionals who develop risk management, a different number of phases are established or some are eliminated, we consider that these eight are those that result in a complete system with an integral perspective.
Using the right tools and agile optimization methodologies will make a more comprehensive and all-encompassing risk management strategy even simpler than a more traditional one with fewer phases. The fact that this management model includes a larger number of steps is not indicative of a more complex and burdensome outcome for the organization - on the contrary. Establishing these eight steps in the right way will help to achieve more agile and concrete management on a day-to-day basis thanks to the detailing of the processes.
Enterprise risk management in the BFSI (Banking, Financial Services and Insurance) industry must be even more comprehensive than in other sectors. While all areas of activity must establish controls and decisive risk policies, this industry is more sensitive given the amount of fraud and attempted wrongdoing by users.
If we talk about financial risk, many will associate this term with fluctuating economic value due to uncertainties in investment performance or asset and savings management. The most prominent in this regard are credit risk and market risk. The former, as mentioned above, is due to fluctuations in the markets in relation to exchange rates or interest rates, while the latter is due to the non-assumption of liabilities and obligations with regard to, for example, the payment of a mortgage.
However, in risk management, what we are really talking about is operational risk. This refers to losses or damages caused by inaction, failure to adapt or errors in processes, safety tasks performed by employees or internal systems and the way they are used in the face of external events. In other words, risks caused by non-compliance with the required safety standards and arising from the nature of the sector's operations and its way of being (dynamics of interaction with customers or relations with suppliers, for example).
The following are some of the risks that are most prevalent in the financial industry and banking today due to poor overall operational risk management of the various financial companies and institutions:
Thus, this type of financial risk is becoming a major part of companies' prevention strategies. The area of banking, finance and insurance is exposed to fraud attempts by those who use their products and services, something that has increased exponentially as these companies have moved into the digital environment. In any case, FinTech, WealthTech and InsurTech leaders are taking advantage of technology to mitigate them without complications and in an agile and simpler way than it might seem.
Regulations such as AML6 are responding to the risks of money laundering in the financial sector. In this sense, anti-money laundering directives are implemented in most states and oblige companies in the financial sector to establish risk management systems that mitigate or completely eliminate the possibility of committing this type of crime.
On the other hand, in relation to identity fraud, the eIDAS framework is protecting both users and companies from risks such as account theft and identity theft.
The ISO 31000/2018 standard is intended to teach companies what general principles should be established to perform minimum risk management. This standard, together with the ERM Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), has successfully brought standardization to risk management. The latter proposes integrated control frameworks and corporate responsibility in relation to risk management.
Risk management associated with projects is a recurring theme in any master's degree or specialized training in project management. Project risk management is not very different from the traditional conception we have defined of how companies approach it globally in terms of their activity and operations.
While in company-wide risk management the objective is to prevent, mitigate and avoid events that may affect the company's activity, in project management risk is associated with everything that may affect the success and completion of the project.
The eight proposed phases can be perfectly applied and a risk management strategy for projects can be developed based on these steps, although adapting the analysis and context to the nature and characteristics of a project. Some examples of issues to be taken into account in projects and in which certain risks are involved may be:
As we have seen, fraud prevention is one of the main issues facing risk managers today. In the United States alone, between 2008 and 2020, eleven billion data thefts occurred, a figure that continues to rise. Identity fraud nearly doubled from 2019 to 2020 with losses approaching seventeen billion dollars that year alone according to a study by Javelin Strategy.
On the other hand, we can see how account thefts increased by more than 72% in 2019 compared to 2018. With this data, we can dare to say without a doubt that identity fraud is the most pressing risk that companies must respond to through updated and powerful risk management systems.
In this sense, we can see how some companies are implementing fraud detection systems instead of those aimed at prevention. However, fraud must be addressed before the illicit act is committed, not during or after it, since the risk of the attempt becoming a reality is, in many cases, high.
Thanks to machine learning tools and best practices in their application, certain technology providers are offering companies solvent and scalable anti-fraud control systems that place the number of frauds and penalties derived from their commission at zero without the need for investment in large projects and with agile integration into business processes and operations.
Now, thanks to the best technology and innovation, the management of certain types of fraud, as we have seen, can be done with digital tools that take mitigation to the extreme, achieving the goal of zero risk, zero fraud. The important thing when choosing an application is to ensure that it is scalable and that it adapts to the use case of our business that presents an associated risk. Similarly, confirming that the supplier of this technology is specialized in our industry is crucial for this adaptation to happen without having to involve other teams or incur costly and time-consuming process transformations that slow down the pace of our business.
Occupational risk prevention (ORP) or job safety analysis (JSA) often appears alongside the overall risk management of companies. Although this area is usually led by human resources and talent management teams and departments, some companies choose to give this responsibility to those in charge of compliance or operations.
Just as the risks that can affect a company and its activity are important, those factors that can damage the safety or health of workers are equally monitored and must have a defined strategy and system to prevent them. However, the idiosyncrasy of the workers and the different ways of approaching business operations versus their tasks make the methods different.
This area is heavily regulated and occupational risk prevention professionals must attend to and manage them in accordance with the laws that the states and regions have developed and implemented. For example, in Spain, Law 31/1995 on the prevention of occupational risks aims to promote the safety and health of workers by applying measures and implementing specific activities to prevent the risks associated with different jobs.
This ORP law was later modified and extended by Law 54/2003, which, however, urges companies to consider occupational risk prevention as a key point in the general risk management systems of the entire company. As a result, global risk management and ORP have converged in many circumstances, making use of similar tools for certain very specific cases.