Dealing with risk: How businesses can better deal with its integrated nature and volatility

EY business risk management specialist Brian Goudian says many things about corporate risk have changed in the last decade in ways that companies fail to appreciate or keep up with. EY is a global accounting and consultancy firm. Its Sri Lankan consultancy practice, where Goudian is a Principal, is over 300 strong.

The traditional risk management approach focused on operations and compliance, and he says companies now need to shift their focus because risks are emerging fast, interconnected, and quickly spread along supply chains. Companies must build a risk-aware culture and use data more effectively to deal with these. Excerpts of the interview are as follows.

What are the key challenges companies face in sustaining profitability and increasing shareholder value, and how can EY help clients address these challenges through a comprehensive risk management approach?

Companies face a range of risks and must effectively manage their risk landscape to achieve their primary objectives amongst others of earning profits and increasing shareholder value. In the current business context, sustaining profitability poses significant challenges for organizations. Some of these challenges include managing costs, accurately forecasting demand, and understanding customer behaviour.

When clients approach EY for assistance, they often seek help in creating a risk register or adopting a risk management framework. However, EY takes a broader perspective on risk management, recognizing that it has historically been more of a compliance function and implemented in silos. This traditional risk management approach falls short of providing sustainable value for business decision-making.

At EY, the focus is on guiding clients to embrace a comprehensive and sustainable risk management framework that aligns with their business objectives. This process is an ongoing journey. EY assists in developing customized risk management frameworks, policies, and procedures. Additionally, we invest time in fostering risk management awareness among employees of the client organizations.

Understanding the client’s risk management culture is another critical aspect of EY’s approach. We then aim to inculcate positive risk management behaviours while also addressing any detrimental ones.

In the last few years, risk management has been particularly challenging. How did your approach change based on that experience?

As experienced in the recent past, catastrophic events are expected to occur more frequently in the future whilst the approach to risk management primarily focused on many familiar risks.

Recent events, such as the C19 pandemic, the banking crises, and conflicts like the one between Ukraine and Russia, have demonstrated that certain risks can have a catastrophic impact on organizations. Such events may have seemed unlikely to happen before, but their occurrence has highlighted the need to pay greater attention to emerging risks.

Over the last three to four years, there has been a shift in thinking, emphasizing the importance of dedicating time and resources to understanding and managing emerging risks. Even if the probability of such risks materializing is low, their potential impact demands proactive risk management.

One significant concern that I would like to raise is the interconnectedness of risks today. For example, the ongoing digital revolution has led to a surge in data availability, connectivity, and the speed at which decisions are made based on data. This heightened reliance on digital assets presents new risks to organizations.

Social media is another aspect linked to the digital revolution that poses risks to organizations. The potential for rapid and widespread reputational damage is a genuine concern, given the speed at which information spreads in today’s interconnected world.

These challenges were not as prominent several years ago, but the rise of emerging risks which are overlapping and correlated has made them critical for organizations to proactively address and manage.

The third aspect is the strategic focus of risk management. Organizations now, more than ever need to shift their mindset to prioritize integration of risk management into strategy setting.

In light of the rapidly changing risk landscape, how should businesses adapt their risk management strategies to address the interconnected and volatile risks they face? How does EY’s approach differ in this context?

The key to effective risk management is in establishing consistent fundamentals throughout the organization. Each individual’s perception of risk may differ, making a unified view of risk appetite challenging. To address this, management needs to communicate and cascade their acceptable risk tolerance across the organization.

With clients, our focus is on fostering a consistent understanding, interpretation, and management of risks at every level. This involves setting up a framework, creating awareness, shaping mindsets, and instilling the appropriate behaviours.

The journey we embark on with our clients involves a hands-on approach, spending ample time to create awareness, shape mindsets, and cultivate behaviours that align with effective risk management.

In a nutshell, our approach emphasizes a systematic and consistent methodology rather than a solely compliance-based approach.

How does EY approach integrated risk management beyond operational and compliance aspects, and what specific contributions does it bring to the table?

In addition to risk management, organizations face several major challenges that require conscious attention. These challenges encompass managing costs, predicting and forecasting demand and establishing appropriate pricing strategies.

Procurement transformation is a critical area where we offer valuable expertise. By leveraging our extensive experience across multiple markets, we implement tested methodologies to optimize procurement costs for our clients. For large projects, we collaborate with other EY offices, tapping into their expertise to deliver the best client outcomes.

Similarly, manufacturing transformation holds significant potential. While Sri Lanka’s manufacturing sector is still evolving, we have successfully worked with multinational companies to drive manufacturing excellence programmes. The insights from these assignments allow us to offer valuable guidance to other manufacturing plants to improve their operations.

What do you mean by manufacturing transformation?

Manufacturing transformation encompasses several aspects, including digitalization and Procter & Gamble’s Integrated Work Systems (IWS) methodology

Digitalization involves the transition from manual data management to a digital experience, allowing organizations to enhance decision-making by identifying trends more quickly using EY Catalyst. The IWS methodology complements existing manufacturing excellence programmes like TPM and Lean Six Sigma. It focuses on two principles: the power of zero defects and losses and the power of 100 per cent Total Employee Ownership. This leads to breaking down departmentalized approaches in manufacturing organizations and fostering a culture of responsibility and accountability among machine operators and driving servant leadership. One of the goals is to empower operators to manage and maintain machines efficiently, leading to lower downtime and higher overall equipment effectiveness (OEE).

Within the IWS methodology, there are 12 pillars, each addressing different elements of the transformation process. These pillars include Quality, Autonomous Maintenance, Progressive Maintenance, Leadership, Health, Safety & Environment etc.

By improving the OEE, most of our clients have been able to yield significant improvements in EBITA and output.

IWS implementation begins with Runto-Target (RTT) approach and then moves to Pillar implementation. It typically takes 1 to 2 years to implement IWS due to the nature and extent of transformation. It involves introducing new leadership approaches, practices, methods, tools and cultural shifts to maximize efficiency and continuous improvement.

How can internal audit lead the way in helping businesses navigate these complex risks?

Over the years, internal audit has evolved, and there is a consensus among the internal audit fraternity that it should be aligned with organizational risk management. The preferred approach for internal audit execution is risk-based, involving prioritizing audit areas based on their significance in managing risks and efficiently allocating resources for these audits.

Meeting the expectations of various stakeholders, including board members, audit committee members, management, and external stakeholders like regulators, has been a key challenge for internal auditors. These stakeholders often have specific areas they want examined during an audit and set higher expectations.

Executing a comprehensive audit plan that covers all operational areas of a company within a limited time frame and with limited resources can be daunting. To address this challenge, internal auditors are shifting their focus to concentrate on the critical risks identified in the organization’s risk register rather than cover every area within a single cycle.

By honing in on the most critical risks, internal auditors can add more value by providing deeper insights and analysis as opposed to superficially covering a wide range of areas.

The ability to identify and assess risks proactively is crucial for risk management, and data plays a critical role. Leveraging analytics is becoming increasingly important to internal auditors in assessing the effectiveness of controls and identifying potential uncertain events that may require management attention.

Analytics enables auditors to move away from the traditional sample-based approaches. By leveraging analytics, auditors can examine the entire data population and provide a more comprehensive assessment of risks and related controls. This approach enhances the audit process, making it more efficient and capable of independently assessing critical risks and the effectiveness of mitigation plans as well as potential areas for improvement.

How does the role of internal audit differ between consulting and assurance in firms like yours?

In our firm, internal audit is considered part of the consulting domain rather than assurance. This distinction arises from the focus of each function and domain knowledge required.

As internal auditors, our main clients are the board, audit committee members, and management. Our role involves assisting management in establishing sound risk-based control management practices and continuous process improvements. This function can be handled in-house by management or outsourced to consulting firms like ours.

The term “internal audit” is used because it aligns with the function of supporting and aiding management in their risk and control management efforts. When organizations outsource or co-source their internal audit, we come into play to provide resources and expertise to assist in the process as a trusted advisor and a partner