Managing Risk Well
Former banker with a passion for governance and risk management, Nirmala Doraisamy explains what’s involved in taking a more structured approach to risk management
Nirmala Doraisamy sits on the boards of a few private and public listed companies. A former banker, she is also advisor to an established audit firm. Her background is unique in that it is the culmination of more than 28 years across banking, risk management, credit guarantee, consultancy as well as project management.
Through the years, she has been promoting a risk management culture within organisations, emphasising clearly how business strategies need to be supported, all the while, linking this to the need for a risk management process. This has led her to promote a culture of enterprise risk management wherever she worked. At the same time, she has also been a strong advocate for advancing women professionally, believing that nothing is impossible if you have the passion, optimism, diligence and commitment to follow through.
Due to her background, we spent some time with Nirmala to get this exclusive interview with her, exploring the issue of women and their risk appetite dovetailing into the wider issues associated with risk management as a business approach.
The general belief is that women are more risk averse. In what ways can women embrace more risk and tap more opportunities coming their way?
Nirmala : Risks are often thought of primarily as hazards and therefore, should always be avoided. But the fact remains that risks are not just hazards– they are also opportunities that can potentially propel growth. Therefore, we need to link our strategies and objectives to the risks we foresee, evaluating thereafter, the possibilities of what may hinder us from achieving our strategies and objectives. Once we’ve done that, we can then better manage these risks based on our risk appetite.
For example, if a female executive is given a big promotion, which comes with higher responsibilities and risks, she can either accept the offer or remain in the same position. She would accept the offer if it is within her risk appetite and if she is confident of managing the risks and challenges that come along with the role.
By embracing risk, we identify and analyse threats that might compromise our success. In this case, if the female executive manages the risk well, then her rewards would also be high such as recognition, a higher salary and perks. Hence, risk management does not mean that you must always be risk averse. It means you manage the risks, maximize your opportunities and push yourself into new territories, all the while dealing effectively with a variety of situations and handling any on-going surprises that may appear.
There seems to be fewer women applying for senior positions in finance. What are some things that can be tackled at an institutional level to get more women to go for top positions? What do you believe should be key elements in any talent strategy framework?
Nirmala : At an institutional level, there should be ongoing programmes to groom female executives via mentorship programmes, executive education and other types of professional development initiatives. For instance, identified female staff in the talent pool should be encouraged to attend C-Suite courses as well as participate in industry networking forums and activities to enhance their knowledge.
In terms of a talent strategy framework, there should be emphasis on gender diversity. This should ideally be monitored to ensure compliance. A good framework should include policies and practices to ensure equal pay and opportunity as well as provide a transparent pay scale. Other strategies should focus on work life balance, flexible hours and extending paternal and maternity leave. With regard to career breaks, women should be allowed to take breaks to attend to personal matters and family needs without losing seniority and career opportunities upon reentering the workforce.
What do people need to understand better about risk management and what that entails?
Nirmala : Effectively, risk management is a process of identifying and managing threats and risks (which could obstruct the achievement of goals and objectives) in a strategic manner.
What people need to understand is that risk management is value enhancing. But risk simply cannot be managed in isolation. It needs to be aligned with the organisation’s strategies and applied across the enterprise at every level. It is an important part of any organisation’s processes and procedures. Therefore, any decision made should bear in mind a review of the potential risks compared against the organisation’s risk appetite.
I’d also say that every person within an organisation should take it upon themselves and bear some responsibility for identifying and managing the risks in the products and activities they get involved in and within the scope of their work. Board level executives and senior leaders should take the lead, in establishing the tone ‘at the top’ and promote a culture of risk awareness within the organisation.
Everyone must be convinced that risk management can help the organisation to improve its bottom line and sustainability because when there is a healthy risk culture within, employees are far more alert to matters that have high impact to the organisation.
Some years ago, you were involved as an advisor to a foreign bank and helped to successfully establish their risk management department. Can you tell us how you did this?
Nirmala : Setting up a risk management department involves a few things. First, developing the framework. Second, enhancing risk awareness within the bank. Third, obtaining buy-in from management and business units.
I was also involved in facilitating the identification and prioritisation of financial risk and other key risks linked to strategic objectives. The risk management initiatives were carried out in a few phases as documented in the roadmap. We also ensured that the initiatives complied with regulatory requirements. The initiatives had the strong support of the senior management team as well as the Board of Directors. Consequently, I was able to develop and implement these initiatives which included developing the framework and structure as well as implementing the policies and procedures within the stipulated time frame. As part of the assignment, I was also involved in advising on resources, hand holding sessions and training and coaching the staff to implement bank-wide enterprise risk management.
What are some of the things organisations need to do to improve the quality of their risk management system? Where do things often go wrong?
Nirmala : In order to have a quality risk management system, an organisation needs to ensure that there is a risk management framework in place combined with the right tone ‘from the top’ i.e. strong support and leadership from the Board of Directors and management team. The management team must ensure that the policies, standard operating procedures (SOPs) and systems are in order and that the people have the skills and knowledge to carry out the activities needed to support all of this.
In most instances, things go wrong because there is not enough awareness coupled with the lack of a risk culture. Things can also go wrong when the risk management is not aligned with the strategies in place, and therefore, not embedded in the key areas of management processes.
How can organisations ensure that internal control practices are maintained consistently?
Nirmala : First, there should be a sound framework for risk management and internal control with clear emphasis on the accountabilities and responsibilities of the different lines of defense (e.g. business units, risk management department, finance department, internal audit department, senior management and the board).
Second, the management team should also periodically review and update the SOPs to ensure proper documentation of the processes and consistency of all the practices. This is also best aided by an independent review of the effectiveness of risk management and internal control as well as timely reporting to the Board on the critical risks and gaps in control measures. I cannot stress further the importance of the board of directors’ oversight role in terms of ensuring there is effective risk management and that the internal controls are in place and maintained consistently.
What are the key aspects that make any risk management process systematic?
Nirmala : First, best practice requires that an organisation have a risk management framework in place alongside a risk appetite statement, policies and the SOPs. Second, the context should be established and there should be clear procedures and systems for the process of identifying, analysing, assessing & treating, monitoring and reporting. Third, there must be continuous awareness programmes and training on the risk management systems and process. Finally, management must ensure adequate resources are allocated for the effective implementation of risk management and ensure there is clear succession planning in place.
In your opinion, how does one balance between the uncertainties presented by certain risks and the objectives to be met?
Nirmala : By having a clear definition and a sound understanding of your organisation’s risk appetite, you can balance between the uncertainties presented by certain risks and the objectives developed. For instance, an organisation with a high-risk appetite may have a strategy that involves venturing into a new business in order to reap high returns. In this case, appropriate and effective risk control measures should be applied to balance between the risks and business objectives. When you define your risk appetite, you can arrive at an appropriate balance which is aligned with your business strategies.
As a consultant, you were involved in the development of a stress test framework. It involved assessment of the impact on a corporation’s financial condition and capital requirements due to impact of adverse developments. Can you tell us what developing such a framework involves and the key issues to be resolved in developing such a framework?
Nirmala : Developing a stress test framework involves writing the policies, procedures and guidelines as well as the methodology. For my client, a team was set-up to develop the stress test – I led and coached the team. I ensured that the stress programme covered a range of perspectives and techniques and that there was sufficient and relevant data to develop various models used in the stress test. Developing a robust stress test involves choosing the variables that provide the greatest impact and which cover a range of scenarios including forward-looking scenarios and analyses. Some of the challenges involved in developing stress tests include limitations of the data, quality of the data, obtaining support and getting views from business units. After developing and presenting the stress test, we have to monitor and ensure that actions are taken by applying risk control measures. These include things like setting limits, reducing exposure to certain sectors and implementing contingency plans.
As this interview confirms, managing risks well is part and parcel of how we reduce negative impact while also exploring opportunities that come our way. Defining various risks should therefore be something reviewed when determining the scope, budget and schedule of various initiatives.
A Chartered Global Management Accountant, Nirmala Doraisamy is a former banker. Currently, she sits on a few boards of private and public listed companies. She is an advisor for an established audit firm. Her background is strengthened by 28 years of extensive work experience across banking, risk management, credit guarantee, consultancy and project management. Her passion in corporate governance and risk management led her to develop an enterprise risk management framework and policies for established organisations. She has invested time and resources to promote a risk management culture, emphasising that business strategies should be supported and linked to a risk management process