In the last article, we discussed the main areas of concern in the enterprise risk management frameworks of Vietnamese companies. Evidently, they can learn a lot from their Western counterparts, where risk and performance reporting to the board are integrated. Now, we will go over the best practices for, and practical application of, corporate risk management in Vietnam.
First and foremost, since risk management is still in its early stages, businesses should raise awareness among employees and integrate it into the corporate mindset. Risks can arise from any factor in a business, which is why the “risk culture” should be consistent enterprise-wide. Another crucial point, noted by CGMA in its 2012 research on European companies, is that defining a “risk appetite”, the level of risk a company is willing to accept, remains a relatively rare practice. The importance of this is captured in the observation that “designing risk management without defining your risk appetite is like designing a bridge without knowing which river it needs to span.”
Secondly, after defining the risk appetite, the next reasonable step is to design a risk management strategy or framework. This will depend on the business model and requirements of each company. The design process, as much as post-implementation monitoring, should involve top management and the board of directors. Ideally, a risk management strategy should be:
- Consistent enterprise-wide
- Integrated into normal day-to-day operations
- Reviewed on a regular basis
The third point is ensuring that corporate risk management is in the hands of competent employees. This initially involves identifying whether there is a need for a separate risk department.
- If yes, consider if there should be a Chief Risk Officer (CRO) working alongside the CFO
- If no, who in the company should be in charge or which departments will share the responsibility?
It is also a common practice to let internal auditors participate in the process of risk assessment and reporting, besides their traditional role of verifying financial data. In fact, CGMA (2012) also states that the integration between risk and performance is facilitated by internal auditors.
Fourthly, there should be methods to quantify risks and to measure the performance of corporate risk management, just as most businesses need to define KPIs. Currently, one of the most popular methods of quantifying operational risk is collecting operational loss data and storing it in a loss database. Another method, scenario analysis, is also gaining credibility.
Finally, a risk reporting system must be up and running so that everyone, especially the board, knows what risks are at hand. As CGMA noted in its 2012 study, companies establish both separate risk reporting to the board and integrated reporting that links risk with performance and strategy. However, integrated reporting is considered the superior approach, because it “provides risk information in the context of other types of information on performance, strategy and operations, adds to a more in-depth understanding of how the business is doing”.
Risk management is an enterprise-wide effort that needs to be led by the board of directors or top management. More often than not, companies make themselves vulnerable by not adopting a structured approach to risk management. Find out what European businesses have been doing, with a focus on risk reporting, in the aforementioned CGMA study.