Oct 26 2009
Risk is an everyday hazard that faces banks, funds and insurers. It can usually be mitigated, but it is rarely eliminated completely. There are some cases where a positive “hazard” is a very good thing to have – each business faces a risk or probability of making profits. Millions of people buy lottery tickets each day facing the small risk that they will become instant multimillionaires. Business always encounters some form of risk.
It is good that we recognise that operational risks are present in our company. It is better when we can predict the risk event that will happen. It is best when we have reinforced the general resilience of our system through risk management countermeasures. The business operational risk shock is going to be absorbed by our company, so the company has to respond.
Not all banks have put operational risk firmly on their corporate radar. Few banks seem to have detailed an operational risk map by making provisions for expected operational risk. Basel surveyed 89 banks, and only 33 had designated expected operational risk loss measures.
Therefore, we need a management structure to plan the continuing and increasing system resilience of the company.
Doing risk management, rather than merely talking about it, will separate the banks from the boys for Basel II implementation. The measures of pricing, reserving and expensing for OpRisk are already one significant step ahead of risk managers simply answering:
We are risk-compliant because we have already submitted the Risk Compliance Report.
This reporting for the sake of reporting is a risk-ignorant form of control activity in a mindless ticking of boxes in a questionnaire. Will reporting and complying with the regulations catch out the next Enron?
The above techniques get us closer, maybe, to a real-life model of risk management that we call ‘organic’. Basel II reaches for some risk silo integration, but real life is messier. Messy problems can be handled in a project management control structure, such as RAMP.
An investment company, with its people and processes, its clients and their investment needs and preferences, is like a living organism. It can encompass every type of business risk, instead of just the ones we would like to handle. We see that there are many organic risk stakeholders at play in the market.
Oct 19 2009
Risk management is a sequential series of tasks: analyse, forecast, investigate and mitigate against risk. Risk reporting alone is just fine for appearance – this is where many lax financial companies ran into trouble in recent years. Any reaction to a threat in such firms is likely to be ineffective because the risk management function will be underfunded and understaffed. Lack of training and proper risk management procedures result in a haphazard counter-attack against risk. Organic risk management takes the human and team factors into account to build a risk-managed corporation. This means an active risk outlook, not a passive one.
RAMP is a project methodology that has in-built self-checks to counter bias or project deviation. It should be considered for managing financial projects. This way we can have a real audit check that goes beyond simple numbers on the balance sheet, towards monitoring the fundamental sources of business risk. RAMP provides a design template for implementing a project.
Oct 12 2009
Corporate cover-up works most of the time. When it does not, it boosts the impact. Covering up transforms a high-probability low-impact risk into a low-probability high-impact risk. Accounting analysis is generally the prior step before making the investment. Other proposals are to invest where:
1. Accounting standards are strong enough to link reporting to reality.
2. Accounting statements from publicly quoted companies are accurate and timely, and a regulatory framework exists to enforce the accounting principles.
There are other tell-tale signs to spot within the increasing onslaught of corporate PR and white-wash:
Too optimistic sales forecasts – take your risk analytical Kalashnikov and shoot the balance sheet apart. Does the overall balance sheet “feel” right – too rapid a turnaround? If the balance sheet is that good – then why are directors dumping their shares?
Do we have a good balance of voices on the board, or are they all in unison trying to get into some scam? Were there a few too many “balancing items”?
In which period were the majority of revenues booked and received (no receipt means no revenue)? What sort of products and services were called revenue-producing? Are they disposing of a lot of assets from the group?
Is the auditor also employed in another fee-paying activity within the company?
Another view for detecting cooked accounting books:
1) Recording revenue too fast or too much.
2) Registering false revenue.
3) Increasing income with once-off gains.
4) Shifting expenses back or forwards into another period.
5) Reducing liabilities or completely omitting them.
6) Shifting current revenue forwards into a future period.
7) Shifting future expenses back or forwards into another period.
How long can this go on? It is not acceptable corporate behaviour, but if we are to believe the regulators, it will continue as long as companies grow or change.
In each of the cases involving banks, management seemed to be content with the loss of vigor in the process and the external auditor was apparently satisfied to simply collect a fee. This is totally unacceptable. Further, as the organization evolves by offering new products, changing processes, outsourcing services, complying with the new regulations, or growing through mergers, the controls need to be modified to reflect the changes in risks. In some cases, the controls failed with respect to the newer risk exposures that were not identified, or growth put strains on existing control processes that were not suitable for a larger organization.
Risk management means not sleeping on the job.
Sep 29 2009
Effective counter-measures have to be put in place and tested. We have outlined some of the Basel II guidelines for effective risk management. The trouble is: “Do you have the corporate influence and the budget to get the proper risk management in place?”
Where advice and plans fall on deaf management ears, nothing concrete is likely to be done. Budgetary constraint, as an opponent, is no stranger to the champion of risk management.
The financial world is set on cutting costs and automating business processes; risk management systems are just one facet of this drive. Yet, the quest for lower costs and automation can blind us to the fundamental areas for error. Human intervention and room for exercise of staff initiative can become stifled.
This is partly why human error is cited as the source of most operational failures. However, this is often just an excuse for poor management and badly designed systems and processes that remove checks and controls in an effort to improve efficiency by lowering costs.
Much of this corporate culture against disclosing the truth stems from the top of the financial institutions. Switzerland, for example, makes whistle-blowing a crime. Therefore, unfavourable financial assessments can remain hidden from the investors. Whistle-blowing really saves investors money in the long run. It pinpoints the perpetrators of economic crimes and reduces the period during which they could be removing or destroying economic capital of the company and its shareholders. Whistle-blowing reduces the time-lag after which auditors and investigators can look for relevant evidence.
Whistle-blowing works on a rising series of red flags. When there is no visible recourse, or for major crimes, resort to an escalation of whistle-blowing. Alert the press and media, then report to regulators, police and other supervisory authorities. A proper whistle-blowing methodology can be set within the staff contract to lift the lid on fraud and crime. For minor transgressions: keep the dissent internal initially and keep an account of all errors, crimes and relevant data. Consult the ombudsman or newspaper if the company refuses to act.
Whistle-blowers must be protected and encouraged. Right now, the downside risk is being fired or shunned in the profession for “squealing” on the company or colleagues, while the upside potential is not much. The immediate risk is being questioned for technical competence, political competence, sanity or naiveté; the onus is on the whistle-blower to understand the whole of the story; the first managerial reaction is often “you do not have a view on the whole picture”.
Many corporations do not encourage whistle-blowing. Certainly, discouraging the leaks of information is an overt attempt to block all events that present a corporate reputation risk. Enron did not support whistle-blowing, but preferred to hide or shred the facts. Fraud and concealment of the truth were deep-rooted in the structure of the company. Worse, the fraud was perpetrated at the top. A company has to have a structure that is rooted in business and risk management.
Risk ignorance does not work, especially if the top management is ignorant or crooked. What an open risk-managed structure does is to open the corporation to the control function of the risk managers. They actively let the company be open to the idea that “squealers” can inform on the company if something wrong or fraudulent is suspected.
An internal company “fraud hotline” should be set up, where anonymous whistle-blowing can be channelled and processed for action. Nowadays, whistle-blowing is possible anonymously through setting up temporary email accounts that access the regulatory website.
Sep 16 2009
Risk management has suffered from various forms of opposition from top management. Something along the lines of:
Expensive – the IT systems and the rocket-scientists are all too much to pay.
Slow – risk groups will never deliver on time.
Naive expectations – the risks will never hit us.
Weak management – let’s talk about this sometime (procrastination).
Unrealistic – we’ll get the insurers and lawyers to get us out of the jam.
Once we convince top management that there is a justifiable business case for risk management, then we can deploy a full range of countermeasures. We still have to be alert to market changes, but risk management gives us a safety buffer.
Everyone is trying to move ahead of the investment pack. Given so much ego and PR, there is a crying need to compare performance. There are various forms of benchmark, e.g. against the previous year’s performance, whole industry or the top rival in the sector, etc.
Benchmarks are used to handle trickier points of detecting operational risk within a company. Fine corporate PR and good-looking financial statements could have been ripped apart by organic risk red flags. One of the problems may be that the risk management reports sent to the board do not have the right information or a format that is easy to understand, or the board may not have the skills to understand them.
We have already detailed the Barings, Enron–Andersen and WorldCom incidents of the ships that sank. What can we say of the boats that stay afloat? MCI floats on, after its previous incarnation, WorldCom, sank.
What we need to do is to examine the living corpse that is the company CEO before they cause damage. This process may reduce or even prevent financial losses that have caused major shareholder grief in recent years. We have to conduct an adequate due diligence before the company falls apart with us locked into the investment. Part of this process comes under the investigation comprising forensic accounting.