The ever changing economic and regulatory landscape increases the pressure on boardrooms and particularly non-executives directors. The cost of regulation is expensive and, particularly in the financial services, jargon filled. The regulators are requesting ever more information about the health of businesses worried that the credit crunch will lead to more of them suffering in the way that Northern Rock did in 2007.

It is important that risk managers do not over engineer risk management – it needs to be proportionate and, most importantly, understandable. Put yourself in the shoes of a typical financial services non-executive discussing TCF, SREP visits, Pillars 1, 2 & 3, LGS, PD, LPD, stress testing, IFRS 17. This is mindboggling even for those working with these acronyms day-to-day.

On top of this they need to consider the FSA, the Banking Code, the Information Commissioner, and the Competition Commission to name just a few. Is it little wonder that they are constantly asking for easy to read clear papers explaining to them what the key risks are and what needs to be done?

The amount of management information being produced is staggering. Organisations, concerned at where the next request for evidence will come from, are measuring almost every activity, not only measuring it but reporting on it. This means that key information is over-looked, hidden on page 20 of informative dashboards.

The trick here is to filter out the key risks. It is of no value to inundate your directors with hundreds of key risks. They will be overwhelmed, and if you have too many there must be serious questions raised either about the materiality of the risks being reported or the viability of the business itself.

The regulators are essentially interested in how organisations manage risk, or put more simply how organisations are managed. For risks managers the skill is ensuring that there is an appropriate framework in place, and that the risk appetite is clearly articulated and understood. Equally important is that there are clear principles in place, that roles and responsibilities are defined and that everyone in the organisation understands these.

One of the current big challenges is to integrate and aggregate different categories of risk. At present many organisations look at risk in what are known as silos, where in reality there are interlinks between the types. For example, Northern Rock exposed real concern about the credit of many of the mortgage assets on financial institutions books, but its real problem was a liquidity crisis. Organisations need to ensure that they have holistic risk departments closely aligned to the business, and to ensure that the central disciplines are embedded in the business lines as quickly as possible.

All businesses and most managers practice risk management throughout the working day. As individuals we all perform risk management activities all the time; the difference is that as individuals we do it subconsciously as part of another “management” activity.

When we cross the road we check to see if there are any cars coming – that is risk management. When you get in the shower you check that the water is not too hot – that is risk management. We just don’t call it that, or recognise it as such, because it is a natural part of our everyday activities.

This is where risk management activities need to sit within business. Too many management meetings spend time discussing such things as new ventures and day-to-day activities before coming to the last item on the agenda – risk management.

In reality they have been considering risk in all of their conversations, but because of the formalised approach they end up looking at it as an additional task; a bureaucratic burden imposed from the centre. This detracts from the great value and leads to concerns expressed by the regulator that their risk management activities are not linked to business decisions. The key to allowing this to happen is to take key risk indicators directly from core systems, rather than create a separate parallel system for the recording of risks.

So, if risk management is really that simple why use an interim manager? Many risk departments have been developed from internal resources with little awareness of best practice across the industry, or indeed from other industries. While this has some benefits, it also means that businesses are missing out on the latest thinking.

Good interims can provide challenge at the highest levels within organisations; making integrated risk management come alive and really mean something to the board and executives. Good interims can also inject real urgency, challenged as they are to deliver on each assignment.

All risk disciplines need to be embedded in day-to-day management practice. They should not be seen as discreet exercises to be performed at the end of meetings. Risk management equals good management, and is there to benefit all; businesses and regulators alike.

Patrick Girling of Corporate Governance Assurance Services (www.cgas.co.uk) is an experienced practitioner in risk, compliance and audit.

Copyright 2008 Plato’s People Ltd.

This article is the intellectual property of the author and Plato’s People Ltd and must not be reproduced in full or in part without our express permission. This article represents the personal view and opinion of the author and does not constitute advice, you should seek appropriate professional advice before taking any suggested course of action.