While working for a Kuala Lumpur-based international banking organisation, Ramesh Pillai found himself and his management team in a dire situation when the bank’s employees were caught in the 1998 riots in Jakarta, Indonesia.
“We had to evacuate our staff in Jakarta and relocate them to Kuala Lumpur, which we did successfully. We turned the Renaissance Hotel into our ‘Jakarta office’, which meant whatever calls that were made to Jakarta were answered in Kuala Lumpur,” Pillai recalls.
However, the staff eventually moved back to Jakarta despite the dangerous circumstances — a bold decision that made the front page of The Jakarta Post. Later, when normalcy returned, the bank was given additional licences by the Indonesian government to expand its business in the country.
“We looked at the scenario and we spoke to the Indonesian government, which saw a foreign organisation that was willing to open its doors for business despite the riots,” Pillai says.
But how does all this relate to enterprise risk management (ERM)?
ERM is defined as the process of planning, managing, leading, and controlling an organisation’s activities to increase its performance and achieve its objectives, as well as to significantly enhance the success of its value-creation initiatives.
More specifically, ERM is a strategic management tool that helps an organisation achieve sustainability, resilience and agility by ensuring the goals set by the management are aligned with the company’s overall objectives, mission and vision and, at the same time, strategically dealing with risks.
Risks are an inevitable part of business. “People generally perceive risks as being bad when they can be good. Think of it this way — no risk no return, high risk high return and vice versa,” Pillai says. “We just need to accept and take risks with our eyes open, manipulate them to our advantage and learn to use them as a means of driving our organisation’s performance, strategy and value.”
Pillai is today the chairman of the International Institute of Enterprise Risk Practitioners’ (IERP) board of governors, with over 30 years of risk management experience under his belt.
He is also a Fellow of the Institute of Chartered Accountants in England and Wales as well as the Malaysian Institute of Accountants, and was instrumental in the creation of the Malaysian chapter of the Professional Risk Managers International Association.
As Pillai puts it, risk management is not just about taking remedial action; it is also about helping organisations craft a structured process to anticipate issues so they can react effectively to crises.
Nevertheless, ERM is still not readily accepted and practised across all industries, Pillai points out.
This is due to several factors, including interference from internal auditors who lack a proper understanding of the discipline, as well as a lack of awareness of the various ERM tools and techniques.
According to Pillai, risk management is best left to an independent team of risk practitioners or managers, and not the internal auditors, audit consultants or accountants, due to a clash in ideologies and objectives.
“ERM is not about compliance but forming strategies, pushing performance and generating value and returns. A lot of companies in Malaysia have structured their risk management function as a unit under internal audit,” Pillai says.
The problem with this, he explains, is the conflict of interest that arises between the role of internal audit as a third line of defence function (providing independent assurance) and risk management as a second line of defence function (involved directly in the decision-making process).
“Auditors are generally risk-averse whereas risk management functions are involved in business and strategic issues where it’s about taking chances, exploiting opportunities and plotting your lines of defence,” he says.
The crux of the problem is the lack of understanding of what ERM does and how it helps an organisation grow.
“The lack of understanding is linked to insufficient capability and support from the upper management. Some CEOs insist they are the ‘ultimate risk managers’ but the whole point of ERM is to have an independent team analyse an idea and tell you if something is worth doing or not,” Pillai says.
And the consequences of poor risk management can be detrimental. “Bad risk management completely derails a company’s strategy. For example, the goal you planned to achieve from 10 years ago has not been met today. Your key performance indicators and objectives are not aligned,” Pillai warns. “Apart from damaging your company’s financial standing and reputation, it eventually causes people to have a bad perception of your company and its goodwill.”
This is why an organisation like IERP is determined to change how ERM is viewed and practised in Malaysia. In many ways, Pillai believes that Malaysia is somewhat of a regional leader where ERM is concerned. He would rate Malaysia as the best country practising good ERM, charging ahead of Indonesia, Thailand and Singapore.
“I believe the population in Malaysia is well educated. We also tend to be very knowledgeable in many areas. We are early adopters and our people are quick,” he says.
Among IERP’s initiatives to grow ERM is a recent collaboration with KDU University College to launch a Master of Business Administration programme that focuses on the discipline.
It is also organising the IERP Global Conference 2017 from May 22 to 25 at the Mandarin Oriental Hotel, centred on the theme of disruption. Among the highlights of the event are geopolitical risks, big data and predictive analytics, technology as well as cyber-security and fraud threats.
As originally printed in The Edge Malaysia Weekly, on May 8, 2017 – May 14, 2017.