Risks are everywhere and we all engage with risks from the very moment we wake up each morning.  We usually plan ahead to manage risks in daily life that may emerge.  For examples, we set travel plan to avoid traffic congestion and flooded area, we adjust work mode to tackle rapid change of the pandemic situation from offline to online or hybrid, we prepare expenditure and investment plans to avoid financial turmoil amid hyperinflation environment.

          Many business organizations were adversely affected by a number of risks such as cybersecurity, FX volatility, COVID-19 outbreak, changes in demographic factor, social factor, consumers’ behaviors, environment, and weather condition.  Risk concerning climate change are gaining interests from many organizations and there have been orchestrated attempts to manage and prevent potential impact from this particular risk through business direction and strategy.    For instance, a coffee shop has a campaign that encourage consumers to bring their own cups to buy coffee by offering Bt5-10 discount.  This move will reduce plastic cup usage, produce less waste, enhance the shop’s brand image, and also save cost.  Another example is the usage of electric vehicles (EV) by 7-Eleven for delivery service in Bangkok and metropolitan area, which save fuel usage and reduce emission at the same time. On the other front, Epson’s paper recycle unit “PaperLab” can instantly turn used paper into new sheet of paper, which can also mitigate risk of information leakage.

          Each organization has different risk structure in accordance with type, size, business complexity, and relevant law.  In a small firm with simple structure, the Board usually acts as risk management committee as well.  Medium-sized enterprises normally assign exiting committee (such as audit committee) to oversee risk management.  Major corporations or companies that engage in fast-changing business environment usually appoint “Risk Management Committee” to directly oversee and manage risks of the organization.

          Risk Management Committee members should know the company’s business and industry, have vision and analytical skill, able to anticipate future events comprehensively and rationally, have leadership skill and be decisive, understand risk management methods to mitigate potential adverse effect on the organization and stakeholders or create new opportunities.

Key roles and duties of Risk Management Committee are as follow:

·       Screen corporate risk management policy and framework before presenting to the Board for approval.

·       Consider risk assessment outcome as well as plans to manage such risks.  Provide suggestions on ways to keep impact of each risk at acceptable level and ensure the company has sufficient and appropriate risk management system.

·       Provide guidance/recommendation to the company’s Board and management about risk management and promote continuous development of internal risk management framework/system.

·       See that risk management framework/policy are regularly audited to ensure they stay in alignment with the company’s context and business environment.

·       Report key risks, status of risks, risk management progress or result to the Board on a regular basis.

          To manage risks amid growing complexity of business context, Risk Management Committee should extend the scope of qualifications as well as roles and duties to oversee the Risk Management Working Group (management) effectively by employing the following concepts and principles:

          1. From hindsight to insight to foresight

          Managing risks based on historical data alone may be insufficient and inappropriate under current situation.   New techniques such as Data Analytics, Behavioral Science should also be employed while modern set of risk data (e.g. stakeholder sentiment and ESG factors in third parties) could pinpoint risk indicators, trends and patterns, and peer information.   The information gathered could help identifying threats, opportunities, and emerging risks.  These new methods are becoming more and more substantial along with rapid change in business circumstance nowadays.

          2. Commerciality: being a safety belt rather than handbrake

          Risk Averse method (managing risk after all information has been gathered) is probably not fit with the current situation that requires quick, appropriate, sufficient, and safe implementation.  The determination of risk management plan and direction must align with the company’s business goals.  Both Risk Management Committee and Risk Management Working Group should be agile and able to make timely decision from adequate information that may not be 100% complete.  In case they made a wrong call, they should quickly admit and fix it rather than wait until it derails business.  In addition, the Risk Management Committee and Risk Management Working Group should be evaluated regularly whether their performances support and promote the company’s strategies effectively under cost constraints and acceptable risk levels.  Issues to be discussed may include:

·       Is acceptable risk level considered appropriate for impact prevention and have criteria for low and high levels of acceptable risk been clearly stipulated?

·       Has there been an analysis to compare effectiveness of controls against cost and worthiness?

·       Has there been attempt to explore business opportunities from emerging risks?

·       Does the work process emphasize too much on conventional procedures and reporting that it prevents proactive management?

          3. Resilience: ‘when’ not ‘if’ events occur

          In a world where everything is connected, one event could generate negative consequences for numerous stakeholders.  Therefore, it probably is not enough to rely only internal controls to mitigate risks.  Speed and quality of interaction and corporate communication is another tool to manage inevitable situations, particularly those concerning cyber risks which have become more and more significant these days.  In the era of Social Media and Stakeholder Capitalism, it become more difficult to protect reputation and brand.  They could be threatened by comment posting, fake news, fraudulent web site, fabricated social media user account etc.  Thus, speedy interaction and communication could have a role in mitigating such risks and help the organization resolve the situation as it stand ready to tackle any event at all time.

          4. Tooling up

          It is essential and necessary to learn or update skills, dataset, and working tools to cope with what happened in the world with comprehension and in timely manner.  Many organizations employed modern technology and data to enhance risk management efficiency.  Some applied Robotic Process Automation (RPA), Data Analytics, and Artificial Intelligence (AI) to transform Unstructured Data (e.g. conversation with clients through social media) into Structured Data (e.g. number of transactions with customers, percentage of stock market movement). This will help the organization to quickly identify emerging risks.  They may also apply risk and compliance program (eGRC) that can compile trackable and reliable data linking database in IT, finance, operation, compliance, and internal control to accommodate more automatic risk management.

          These tools could facilitate continuous risk management monitoring by projecting real-time result that allow assessment of controls and immediate result reporting.  This means the organization can improve or develop risk management instantly.  Such tools could also enhance work efficiency by reducing time spent on finding, compiling, and analyzing data and providing more time to focus on other equally important and necessary tasks.

          5. Skills and mindset

          Risk Management Committee and Risk Management Working Group should consist of individuals with diverse skills and mindset as well as capability to support business operations amid digitalization context that emphasize more on stakeholders.  They should have the following qualifications:

·       Have better understanding about risks than general risk information or be a specialist that comprehend with the current risk profile.  This include expert that may not be in the organization’s industry but have superb knowledge about current emerging risks.

·       Work in other department (not part of the organization’s risk management team) and have clear understanding of business, culture, and changes within the organizations as well as capable to promote appropriate Risk Culture.

·       Know well about the business and able to identify, assess, and manage emerging risks as well as their impact on the organization appropriately.

·       Be flexible, ready to learn, and understand diversity of idea to gain new ways of working or fix the existing system.

          It is essential that Risk Management Committee, directly in charge of risk management oversight, keep updating skillset and work approach to cope with risks at all time.  This is meant to prevent business operation from being derailed or even collapsed.  Effective risk management could ensure viability of the organization and open new business opportunities from emerging risks as well as create long-term value for the organization. 

Ratanapat Yaowabut
Senior CG Specialist
Thai Institute of Directors Association

Source : developed from
1) Guideline on Board’s Oversight Role in Risk Management, Thai Institute of Directors Association
2) Risk 2.0: Rebooting for Modern Risk Management (part 2), The Risk Coalition, August 17, 2022