Risk Management, the process that ensures controls are in place to mitigate losses, is a core function of business and a tool to enhance efficiency and productivity. This has become more challenging due to the drastic changes in the practice of setting up a risk management function. These changes, over the years, have helped accelerate business growth and identify opportunities in a much more competitive environment. However, they also mean paper qualifications are no longer sufficient to qualify risk control personnel. Research orientation, business prudence, the skills to identify potential threats, experience in adapting to current environmental changes, cross-functional balancing capabilities to proactively meet challenging scenarios, etc., are now required to succeed in setting up a function to manage risks.
In this era of globalization, businesses face continuous challenges thrown at them by a volatile market environment. These challenges arise out of economic changes, competition from new entrants, political changes, and environmental demands. Due to these factors, every organization should view choosing a risk assessment and control partner as an important business decision.
Risk management requires an experienced team that can competently assess and evaluate even obscure or abstract business situations. However, the selection of qualified & experienced personnel for this practice is a near-impossible task and must be faced with multiple adaptive strategies depending on the organization’s capacity and commitment to achieving risk objectives.
The following are some of the options being utilized by many organizations:
- Develop an internal team of risk experts.
- Internally source personnel from the line function to manage and control risk.
- Outsource to audit and management consulting firms on an annual contract or concurrent review basis for a limited period or for a single round of risk review.
The first option is not a cost-effective strategy for small-to-medium enterprises but may be suitable for large groups with activities spread over multiple industries.
The second option could impair the objectivity and independence necessary for a successful execution.
The third option is suitable for SMEs and large organizations that may need to establish a strategy for managing risks, want to evaluate their risk governance model, or are open to adopting new perspectives on their established risk methodologies and outlooks.
Organizations that have chosen to outsource their risk management function must select a partner who is actively engaged in the practice of risk assessment and mitigation consultation across multiple industries.
Selecting a partner can be a tedious and time-consuming process. Thus, most of the time, organizations settle for choosing the least expensive option. However, selecting the right partner should never be based on pricing alone.
Evaluating Potential Risk Management Partners
There are six factors to consider when evaluating potential partners:
1. The structure of the team
Ideally, your partner’s team should be led by an experienced Director/Partner and consist of personnel with expertise in the business functions under review. There must also be an independent quality assurance process. This structure will provide an ideal leadership and guidance model backed by an independent verification process to validate effectiveness & efficiency, the quality of risk concerns raised, and the practicality of the recommendations made.
Responsible for the success of the function, the team’s Director/Partner must showcase skills, experience, and governance capabilities to ensure the quality & time-bound delivery of results during the assignment. Someone who has experience driving the risk management function or has experience in a consulting/advisory role within the industry is ideal. An assessment of a potential risk management partner’s past experience should provide an insight into that entity’s ability to provide value through recommendations derived from multi-industry exposure.
3. Stamp of success
Your partner should have a track record of success. It must be able to provide case studies (without breaching NDA clauses) that showcase its ability to provide value to its clients.
4. Industry-specific scoping
When asked for a proposal, most risk consulting partners provide generic-scope proposals. It is up to the evaluating entity to either develop an RFP covering all the functional aspects or insist on conducting an Initial Risk Assessment to identify the scope of the areas to be covered. The Initial Risk Assessment will give organizations ample opportunity to assess the risk consulting partner’s approach, experience, and knowledge of their industry. It will also help identify specific process coverage, eliminating the ambiguity of a generalized scope.
Furthermore, the scope should cover all perspectives of risk from the following structure:
- Accounting and Reporting
- Operational Technology Support from IT
- Human Resources Efficiency and Effectiveness, and
- Administrative Governance
5. Time invested by partner(s)
Ideally, the proposal should outline the activity’s time requirements and fee quantification. Further, onsite and offsite time allocations should be indicated as a percentage of the total time requirements to ensure that the partner will put a sufficient amount of time into ensuring output quality and successful delivery.
A short time consideration can indicate insufficient coverage of the organization’s functions and processes. A long duration, meanwhile, means cost escalation.
Hence, a balanced approach acceptable to the organization must be identified, and the risk management partner should provide a justified basis for its decisions.
6. Information for considering the proposal
Ideally, the partner’s proposal should cover the following aspects:
- Past experiences specific to the organization’s industry
- Experience in other industries (to identify and benefit from a synergic approach)
- Team profile
- Time requirements
- The risk management process to be followed in execution, etc.
- Scope limitations, if any
The proposal should contain sufficient information that the organization can use to select an ideal risk assessment and mitigation partner. Any proposal that does not include the team members’ profiles should be rejected. This may be an indication that the consulting firm intends to recruit its team members after the proposal has been accepted and signed. This can lead to the selection of low-cost resources to meet the consulting company’s profit aspirations from the project. Furthermore, an existing team will reveal the consulting firm’s successful working pattern and risk management process.
Risk consultants play a vital role in establishing a risk control infrastructure. They have made remarkable achievements in cost-cutting, detecting and preventing revenue identification failures & frauds, and providing corrective measures in such areas. The prudent use of risk consultants can support organizations in their efforts to combat the risks prevalent in their industry.