
Companies should not be careless like the captain of the Titanic, who responded with "this ship can never sink" even when he was informed of the problems in time, and must take a holistic view of managing risk, a Deloitte Touche Tohmatsu Jaiyos Advisory executive said.
Nuttawut Kietchaiyakorn, Deloitte's enterprise risk-services manager, said risk taking is deeply rooted in the Thai culture and many of the country's companies tend to underestimate their business risks.
To overcome the challenges of today's business world, companies should first define the appropriate level of their "risk appetite". However, Nuttawut said, deciding on the acceptable level of risk is not an easy task because it varies based on each organisation's culture and business environment.
"You need to consider what the company's strategies are for moving ahead. What is its unacceptable risk level? [You have to] consider the organisation's culture to decide how much risk it can take. One must also consider the level of shareholder and regulator expectations.
"For example, if competition is fierce, you will have to accept higher risk in order to create more opportunities," he said.
The "risk-intelligent enterprise" should establish a clear link to shareholder value; encompass the entire business's risk management (connecting risk-management silos); formulate risk-management strategies that address the entire spectrum of risks and place significant importance on vulnerability; take into account risk scenarios and the interaction between multiple risks; and, finally, establish risk management as an integral part of the corporate culture.
"Risk avoidance alone does not create value for the organisation. Risk taking is equally important," the Deloitte executive said at an annual conference held by the Institute of Internal Auditors Thailand and the Stock Exchange of Thailand.
Silo thinking will sink the ship, Nuttawut said, citing the case of the Best Western Hotel whose customer credit-card database was hacked.
"Usually, we treat hacking as an IT risk but in fact, the owners of the information are the sales department and the company. It also involves compliance risk because it's unlawful [to reveal customer information]," he said.
In her keynote speech at the same seminar, Professor Khunying Suchada Kiranandana, a board member and audit-committee member at Kasikornbank, Thai Red Cross and Sermsuk, the local bottler for Pepsi, said organisations should first identify their own risks and risk-management process.
"Even educational institutions have risks that they have to take care of, such as their quality and reputation. In businesses, risks are enormous. Auditing is not only about compliance but also operations, management, IT and so on. Kasikorn has been subjected to a management audit by the Bank of Thailand. A management audit is [initiated] to make sure the management is taking the organisation in the right direction," she said.
Companies must ensure that risk management is integrated into the work processes and instilled into the mindset of the workers, Suchada said.
Because they have a wider scope, internal auditors may be unable to take care of all potential risks for the company themselves. Instead, they need to have the ability to manage audits that have been outsourced to outside companies. Auditing requires a lot of care. For example, IT auditing, which many companies have outsourced, becomes very important for some companies, such as credit-card issuers, where even a small error can have tremendous impact, she said.
Siam Commercial Bank's executive vice president Kannika Ngamsopee said auditing should not be viewed as a cost but as a task that can generate value for the organisation.
"Auditing generates value because it boosts confidence among shareholders that the company is being managed well. This can drive up the price of the stock," she said.
Shin Corp vice president for internal audit and risk management Wichai Kittiwittayakul said outsourcing increases corporate risk by exposing the company to the other companies' processes and defects.
"A company must include a clause in the [outsourcing] contract that addresses this issue. Banks, for instance, have outsourced credit-card operations to external parties," he said.