Risk Management

By LILIAN KAIVILU

Recent national calamities have caught the government unprepared to handle them.

The recent inferno at the Jomo Kenyatta International Airport displayed the inadequacy of Kenyan authorities in managing risks. According to Gilbert Mwalili, Managing Director, Protecht Limited Africa, risk management is a fairly new practice that has not been adopted to the required extent. He spoke to Development Agenda.

What is risk management and why is it relevant for the Kenyan economy?

Risk Management is simply managing the uncertainties an organization faces in order to ensure that the organization achieves its objectives. Risk Management involves identification, assessment, analysis, treatment, mitigation of risks and, most importantly, monitoring of risks. Risk Mitigation is done by ensuring that there are proper and effective controls set up by an organization to reduce the likelihood of occurrence and the impact of risks in the event they occur. Risk Management is incomplete without the continuous monitoring of risks, incidents and the effectiveness of controls.

Risk Management is relevant for Kenyans, now more than ever, because of the current and future economic growth in Kenya. Economic growth has challenges and opportunities and Risk Management is necessary to deal with the challenges and take advantage of every opportunity that arises. With more and more SMEs coming up in Kenya, it is crucial that these enterprises adopt Risk Management practices to ensure achievement of their objectives, thus leading to their growth and profitability.

What's the state of risk management in Kenya?

As such, many organizations see it as an overhead or tick-the-box exercise. While this is understandable as it is new, it does not make it acceptable. Businesses make risk-based decisions daily and it is necessary to institutionalize risk management within businesses in order to gain all the benefits of risk management.

The case of the JKIA fire is a classic example to depict the status of Risk Management. I am sure all the players at JKIA, if asked, would say they have institutionalized Risk Management. This is not new.
First, the risk of fire would definitely be a top-level risk in any of their risk registers and, as many organizations do, they will have a business continuity plan and take insurance cover (both being reactive controls) and put the usual controls such as smoke detectors, fire extinguishers and so on. Many would think that this is it, but this is not enough for good risk management.

A good risk management system requires continuous monitoring and improvement. This would be such practices as confirming compliance with the controls in place, such as confirming that smoke detectors are working, that there is sufficient water in the extinguisher piping, that successful fire drills are conducted frequently and so on. The causes of fire would have been analysed in detail using a technique called bow-tie analysis. By understanding the causes, it becomes easier to implement proactive controls rather than being reactive. Where improvements are noted from such analysis, they would be tracked closely to ensure that people do not become complacent in implementing them.

The fact that weeks later we still don't know the cause of the fire spells poor risk management, as this is a vital aspect of risk management. Incident Management requires digging into the root causes and ensuring we learn from the mistakes. As it stands, the same could repeat in Mombasa, Kisumu or any other airport if Incident management is not in place.

For how long have you been in this business?

I have over 10 years' experience in consulting and training in Risk Management, with a substantial part of my experience having been gained in Australia. Australia is internationally recognised as having the best Risk Management practices.
I am an expert in Enterprise Risk Management (ERM) advisory, a trainer recognised by professional bodies such as ICPAK and a specialist in ISO 31000 Risk Management Standards, Enterprise Risk Management, Basel & Solvency II, Strategic Risk Management, Fraud & Financial Investigations, Data analytics, Security Risk Management, Compliance Risk Management, Anti-money laundering and Risk-based Internal Audit across a range of industries. I am currently finalising my Master's degree in Risk Management by research from Swinburne University of Australia.

What challenges have you faced in Risk Management, especially in Kenya?

The major challenge in Risk Management in Kenya is a lack of clear understanding of what Risk Management entails and its importance. This significantly reduces its buy-in and the financial resources allocated to Risk Management within organizations. Business owners and Directors are not ready or willing to invest in what they do not clearly understand.

There is also the challenge of misunderstanding Risk Management to be a fancy word for audit. The negative attitude of staff towards audit in various organizations is transferred to Risk Management, with staff assuming that risk managers are out to get them for non-compliance with internal procedures and controls, whereas risk management is about understanding why staff may not be complying with laid-down procedures and supporting them to do so, thus making the organization shine by ensuring goals and objectives are achieved.

Moreover, it is sad that the tertiary institutions have not realized the bright future risk management has in the market. There is an acute shortage of risk professionals as there is no tertiary training available locally. Internal auditors are the ones converting to be risk managers but require a lot of training to lead organizations in implementing state-of-the-art risk management practices.

How would you describe the uptake of risk management by Kenyans?

While there is fear of the unknown that makes Kenyans apprehensive of Risk Management, the power of curiosity and wanting to learn is stronger, and Kenyans are very inquisitive on what Risk Management is and co-operative in the Risk Management process once they understand its importance.

The practice of risk management is new in Kenya and growing at a very fast rate. The Government has incorporated institutional risk management in the ongoing public financial management reforms. Public institutions are implementing Risk Management Practices as Treasury has recognized the necessity of risk management for effective running of public institutions.

What is your advice to Kenyan businessmen on risk management?

Any businessman who wants to see his business grow and achieve its objectives must run his business based on a culture of risk management. Implementation of risk management is not optional for any businessman who wants his organization to be among the best and leading businesses in the industry. It is important to embed risk management in the daily operations of the business. Those who realize the potential of risk management make it their right-hand man.

What is the future of risk management in Kenya?

The future of risk management in Kenya is very exciting.
Risk Management is only just starting in Kenya and in the near future will be adopted in every area of business practice once businessmen see its benefits. Those who have already implemented risk management in their organizations have already seen its benefits. Their organizations are always ahead of any risks that might occur and the impact of risks is minimal since the necessary controls are already in place. Risk Management works and that is why every single businessman will soon be looking to implement it in his organization.

As a profession, similar to the trend in Australia early 2000, we will see a lot more job opportunities for risk professionals with very attractive packages on offer.

What are some of the commonest risks that businessmen are exposed to and how can they be avoided apart from through insurance?

A businessman always has a strategy in place to achieve his goals. Every single business is exposed to strategic risk in the broad sense of not executing strategies successfully or not selecting the optimal strategy to achieve the organisation's objectives. Further, many businesses fail to understand that on successful implementation of strategies over time, the business is exposed to what we refer to as delivered risk, in that new risks emerge due to growth. By understanding strategic risks, businesses are able to ensure the most optimal strategies are selected and executed successfully to achieve objectives and that the business remains sustainable by understanding its delivered risks.

Further, operational risks are voted to be the biggest threat to many organizations. These are risks that arise from failures in processes, people, systems or events outside the organisation's control. These risks are often difficult to manage due to the people element and require a huge culture change in the organization.
Effective management of operational risks requires detailed analysis of risks using bow-tie analysis, continuous monitoring of key risk indicators, effective compliance management systems, incident management and tracking of improvement actions throughout the organization.

What are some of the seemingly minor risks that could cost businesses a lot?

Some of the seemingly minor risks are waste of resources, staff integrity and customer dissatisfaction. They are what we call the Known-knowns (things that we know that we know). They become a norm and our complacency increases, hence they easily go unnoticed. These may go unnoticed or be ignored but could cost the business due to their impact.
