BCCJ members manage risk

People, cyber security and natural disasters are the top concerns of firms in Japan, according to BCCJ members at the organisation’s business risks workshop on 14th June.

Building on the success of the BCCJ’s first hackathons, in May, the workshop was facilitated by risk management experts, who supported small group discussions and an interactive feedback and Q&A session.

The attendees were individuals who work for Japanese, British and international firms, as well as some who are involved with start-ups and non-profit organisations. They considered the challenges facing their respective enterprises, while sharing best practices within industries and possible solutions for the risks put forward.

Industry insights
Facilitator Minky Hwang, country chief risk officer for Standard Chartered Bank, began the session with an introduction to risk management. She defined risk as “the potential adverse impact on the interests of a company that can result in financial distress, or that can take a non-financial form that adversely affects the future interests of a company.”

The key to risk management, Minky said, is to balance risk and return, and ensure risk-taking is disciplined and focused. Moreover, as the practice is fundamental to managing material future risk, it should be top-level: approved by the board and driving the culture of the organisation.

“Depending on the nature of their business, all companies face different types of risk,” she explained. “Each principal type of risk has its own risk appetite, that is, the maximum degree of risk the company is willing to accept in the pursuit of its business.”

Moreover, regardless of industry, firms face operational risk day to day. This includes the potential for loss resulting from inadequate or failed processes, staff and systems, as well as from the impact of external risks.

“As long as people, systems and processes are imperfect, operational risk cannot be fully eliminated. However, it is manageable within some level of risk tolerance if a company determines to balance the cost of improvement against the expected benefit,” she said.

“Wider trends such as globalisation, expansion of the Internet, social media and greater corporate accountability reinforce the need for proper operational risk management,” she added.

The cost of ignoring business risks can be loss of client satisfaction, reputation, shareholder value and, ultimately, business quality. But, as no business endeavour is without risk, there is no reason to worry, provided controls are sufficient to keep the threat of risk low.

Minky called on firms to assign clear ownership of processes, identify all points at which those processes might break down, and assess the design and effectiveness of the critical controls. These activities can be assured by monitoring key control indicators. Meanwhile, risks that have been identified as high gross risks should be prescribed a “treatment to enhance the control” by a specific owner until the risk is sufficiently managed.

She closed by adding that an organizational effort to facilitate risk culture is key to success, along with a well-defined risk management framework and governance.

BCCJ member views
After identifying the three biggest risks to organisations in Japan as natural disasters, people and cyber security, attendees considered some solutions.

Natural disasters
Members agreed that planning and training are critical. Firms should have back-up and succession plans in place, with knowledge of their minimum operating level and systems to manage during a crisis.

Simple initiatives such as providing sanitizers and masks in the workplace, or offering vaccinations to staff, could help prevent a pandemic, while self-assessment of staff at home would help ensure it did not spread.

In the case of an earthquake, members pointed out that robust policies need to be backed up with rehearsals. Leaders should be appointed, assembly stations established and communication channels—such as phone trees or staff tracking apps—agreed.

By having an emergency plan, as well as a plan for remote working following a disaster, an organisation could reduce the fallout of any risks.

People
Prevention is better than cure when it comes to managing people and reputational risk, members agreed. While dealing carefully with difficult staff and scandals is key, creating an environment in which people do not misbehave is a more long-term solution.

On being hired, staff should be made aware of both the expectations placed on them and the firm’s culture. This understanding should be nurtured through constant training, ethical leadership, effective governance and an organisation’s code of conduct.

Moreover, firms should support staff to report issues of concern through a compliance function, open window, hotline or other whistle-blowing system, without fear of reprisal.

Members also noted that, increasingly, for global businesses, CSR initiatives are being seen as a way not only to boost business and attract talent, but also to help mitigate reputational risk caused by people-related scandals.

Cyber security
Though cyber threats are a comparatively new phenomenon, in recent years they have come to be of growing concern to organisations of all types and sizes.

Members suggested identifying and assessing all external and internal risks to establish the vulnerability of a system to cyber-attack. Drills based on realistic scenarios—and similar to drills for natural disasters—would allow firms to establish how they might handle staff, stakeholders, clients and the media in the event of a cyber-attack.

Further, as the technology used by firms and hackers continues to evolve, practice drills should be adapted accordingly.

Educating all staff about a firm’s systems and not penalising employees for mistakes will help ensure that roles and responsibilities are clear, and that all cyber breaches are reported.

Cultural and global considerations
In closing, facilitator Ben Fouracre, managing director and Japan representative of FTI Consulting, said it is important to understand that, even with a risk management plan, once something unexpected happens, the plan will and must change.

“No matter how good the plan looks like on paper, a firm’s culture will impact everything about the firm: its exposure to risk; compliance; strategy; as well as its people, operations and most importantly its reputation,” he said. “Having a proactive, risk-focused culture—that enables all employees to call out, address and mitigate or adapt—is key to being in the right place to successfully navigate these risks.”