How to protect your company against risk

John Crawley, an esteemed international trainer in risk management, speaks to the GCC BDI about how companies can steel themselves against risk.

What are the main corporate risks facing GCC firms currently?

Boards and CEOs often ask me about what their main risks are. I always start by reminding them of the definition of risk (ISO31000), which is “the effect of uncertainty on the achievement of their objectives”. This helps anchor the question back to their business objectives and therefore narrow the universe of risks that they are exposed to.

A deep dive into the business objectives will identify the key internal risks, which will usually revolve around ‘People, Process and Place of business’.

External risks need a deeper understanding of external market forces – many of which the business has little control over so their risk mitigation options are more limited. As well as general political, economic and social influences, the GCC area is currently dealing with some specific risks such as reducing dependency on oil revenues and geopolitical issues.

What are your top-line corporate governance suggestions for risk-proofing companies?

There is a simple mantra I use in organisations: “Deviating from the expected – See it, Say it, Sort it”. To make this work there needs to be a governance regime in place. That regime needs the following:

  1. Board buy-in to risk management – Tone from the Top
  2. The appointment of a CRO – with a reporting line to the Board or Audit/Risk Sub-Committee
  3. A risk policy statement
  4. A risk register
  5. Clear roles and responsibilities
  6. A way for the board to seek risk assurance about the level of risk in their organisation.

Are there any aspects of GCC culture or legislation that should be considered when managing risk in GCC firms?

All the GCC regulators place great emphasis on risk management. Risk management depends on a sound organisation culture of positive attitudes and professional behaviours which lead to a strong culture. This transcends regions.

Risk management is influenced by local legislation (which is usually general), local regulation (which will be industry-specific and usually focused) and international best practice (the most popular is ISO31000 on Risk).

Given the recent GCC conflict and standoffs, how does one factor in geopolitical risk in companies?

Geopolitical risks are prevalent worldwide. Organisations should focus on how these risks impact their business objectives. From this position they can then assess the magnitude of the geopolitical risk. They will usually find that they have very little control over these risks in advance, so they tend to focus on what they would do afterwards if the risks seriously impact them.

How are corporate governance and risk management related?

Corporate governance is about “doing things right and doing the right thing”. Risk is about seeing the deviations from what is expected in an organisation (the “right”) and then saying it and sorting it.


More about John Crawley:

John Crawley (FCCA CIRM CMC) is an energetic leader with a proven track record in driving business growth, leading-edge risk-management training and business turnaround.
Crawley is currently the financial advisor to a number of public and private sector organisations in several jurisdictions and an international expert risk trainer for the Institute of Risk Management.
An accountant by trade, Crawley has run and advised businesses in both the private and public sector since 2003. Prior to that John spent 23 years, in various executive positions, with the Ulster Bank/NatWest Group.