Unpleasant surprises can be most devastating; COVID-19 is a case in point. Since unknowns cannot be managed, one who wants to avoid unpleasant surprises need to firstly recognize the fact that uncertainty exists, observe what is going on, and be alert to potential events that may affect one’s pursuits. Risk is thus identified and becomes better managed.

If such a process is carried out systematically throughout an organization, not only can risks be known but located specifically so that possible impacts can be addressed more quickly with solutions more relevant to those affected.

How can one identify and locate risks in an organization?

Discovering areas at risk

The following diagrams are representations of models showing areas at risk from possible impact: one is the international space station (from Wikipedia); the other a somewhat simplified enterprise structure (from JFU Digital Tool RMS). While the space station is a very sophisticated and complex engineering construct, the structure of a modern enterprise is no less sophisticated and complex. An enterprise, as we see it, is a value adding system involving complex human collaboration in the pursuit of common interests amidst great uncertainty. The challenge of designing and running a successful enterprise attracts and excites the best, in that only those best directed, managed and controlled can succeed.

Solution – extensive integration

An enterprise is a system of interrelated components working in tandem. An enterprise’s risk management system can be compared to its financial system for the effects of uncertainty, like financial effects, that permeate the entire organization and both have to be captured in time and fairly represented in order for the organization’s wellbeing or problems to be timely identified, assessed, and managed.

To achieve this, the only sensible solution is complete integration – let risk management be broadly and deeply integrated into the structure and operation of the organization so that respective stakeholders can “own” the risks, along with the support of a specialty group that we may refer to as the risk management committee or its administrative arm and risk managers.

Digitalization

Please also see JFU Notes on Risk Management and Control Practice that we published in 2015, following the introduction of code provisions on this subject by the Hong Kong Stock Exchange. When preparing the notes, we did not have in mind the need for extensive automation in the risk management process. Experience gained in ensuing years suggests that without extensive digitalization and training, it is difficult for staff members to “own” the risks and effectively and efficiently run a highly integrated risk management system.