How to set up a risk management department

The difference between good and exceptional business leaders who transform organizations is one: The latter first understand the kind of the industry they are

The difference between good and exceptional business leaders who transform organizations is one: The latter first understand the kind of the industry they are operating in before implementing any new developments. Some organizations are by law and required to have a fully-fledged risk management department. This is because risk is so critical to the business that if some events materialized, the organizations would collapse. These could be legal or technology related events if an entity is fully reliant on IT system, for example. If an IT system of a bank got any problem, of prologed downtime where by customers are unable to withdraw money from their accounts, the bank could collapse, as people who rush to get their money and or the regulator, BOU could intervene harshly.

A case in point, in Uganda the banking sector is one of the most sensitive sectors and it is regulated by the Central Bank; Bank Of Uganda (BOU). The Central Bank uses many interventions but mainly regulates through the Financial Institutions Act 2004. Since BOU aims at protecting the depositors’ money, it provides some minimum requirements for best governance. One of these minimums is a fully-fledged internal and risk management, (Section 61) of the FIA 2004.

In that case financial institutions have to ensure compliance; they are required to set up the risk management department.

What exactly should be in place to have effective risk management departments?

Most of the time, the law breaks down the requirements. The kind of people you need to run the departments, who the bearer of the office will report to and what kind of report they should produce. In that circumstance, work is pointed out for you.

But a situation comes where you asked to set-up a department in an area that is not well regulated – could be your private business, government entity like NSSF or NWSC. All these are mission critical to government to deliver her mandate and services. They must do things in line with best corporate governance practices. They really need a risk management department.

How do you go setting a risk management up?

The most important thing is to obtain the buy-in from the top. Risk management by nature requires high level involvement of top people especially the board, executive director, senior management and of course the owner. If these people appreciate that it is very important to set up the risk management department, they are able to commit resources and personal effort to ensure it succeeds.

Identifying the decision makers

It is very difficult for you to set up a risk management department if the managing director does not appreciate the department. Or the owners do not appreciate risk management.

As a risk champion, your first step is to get stakeholder involvement and buy-in. The buy-in is in a way that you want them to own the initiatives for risk management. If you are a consultant asked to set a risk management department how do you get stakeholder involvement?

Use the psychology of persuasion. Meet person by person and try to make ensure they appreciate risk management. Another alternative is to make sau a 10 minutes presentation during a board meeting or senior management team (SMT) meeting on the importance of risk management. Once you meet the board and make a case for setting up the risk management departments, you are trying to communicate to them that the Board is responsible for risk management and on-going concern of the business. Because of that, they should support the process to ensure there is effective risk management.

Once you do that, the Board will make it a key requirement for the Executive Director. Your interest is to ensure resources are committed. And once the board and top management buys-in, it becomes easy work for you.

Copyright Mustapha B Mugisa, CFE 2015. All rights reserved.

Leave a Reply

Your email address will not be published. Required fields are marked *