How to gather risk intelligence

How to gather risk intelligence

Risk management requires constant collection and assessment of internal and external information. Here’s how risk intelligence is collected and managed at Siemens Wind Power in Denmark.

By Mike Skorupski, CPA, CGMA

Siemens Wind Power is one of the world’s leading suppliers of wind power solutions, with annual revenues in excess of €5.5 billion ($6.9 billion) as of September 30th 2014. The company must maintain a dynamic risk-management programme that will capture, assess, respond to, and monitor risks and opportunities in a consistent and sustainable manner.

In addition to commonly known risks such as geopolitical instability and slowing rates of growth in target markets, the wind power sector faces additional challenges posed by changing government policies. Public subsidies for renewable energy projects are becoming less popular throughout the world and are being phased out in a number of countries, and wind turbine producers have had to adjust their business models accordingly.

Alongside the pre-defined framework of an enterprise risk management (ERM) programme, it is essential to draw on the collective intelligence of the organisation to ensure that a holistic view of the risk landscape can ultimately be provided to the board.

To gain a complete view of threats on the horizon, risk managers have to build their risk community within the organisation. To seek input, it is essential for the risk manager to establish communication channels and build trust with stakeholders and influencers throughout the business. These should include CEOs and CFOs of regions and sub-regions, sales, production, engineering, project execution, legal, and strategy, as well as other operation and support functions.

Establishing the right formal and informal networks, and then keeping those communication channels open, is essential to creating a well-functioning risk organisation. In addition to conversations on the phone or via video conferencing, regular face-to-face meetings help build lasting relationships and trust.

Step 1: Individual consultation

The first step in the process is to consult the members of the risk community individually to hear their ideas and opinions. Once the initial consultation has been conducted, the risk manager can collate and analyse the findings before presenting and testing them in formal risk workshops.

Steps 2 and 3: Workshops, assessments

The second step includes workshops that bring together all of the key functions mentioned above to discuss the initial findings. The sessions serve as a sense check as well as an opportunity to brainstorm additional risks. Sometimes the risk manager acts as a moderator and sometimes as a subject matter expert, depending on his or her background knowledge and the severity of the risk being discussed.

Risk workshops achieve better results when separate sessions are held for the risk community and the executive management. Members of the risk community tend to be more willing to contribute their opinions during brainstorming when their immediate superiors are not present, facilitating a more open and frank discussion.

The first steps help reveal some of the risk concerns to individual departments. Often, when you are working within your department or function, a certain degree of silo thinking is inevitable to maximise the benefit or minimize the risk for your own area of responsibility. This could lead to risks or opportunities being identified which relate to a specific area, rather than the enterprise as a whole, such as the effect any production delays might have on individual key performance indicators.

Step 4: The board provides a holistic view

Once the workshops have been conducted and the third stage — the bottom-up risk-assessment process — is complete, the findings are presented to the board, which will provide a final reality check. The holistic view provided by executive management and board members helps to eliminate topics identified in the earlier steps, from the organisational risk assessment.

At this stage, the board’s role is to assess whether they share the same understanding of the severity of each risk, the likelihood of occurrence, and the likely effectiveness of any countermeasures which are to be put in place.

You can never be absolutely certain that information brought forward from the bottom of the organisation to the top has captured all the important elements decision-makers need. However, by seeking input from key people embedded in every layer and function of the organisation, you reduce the possibility of missing something. In other words, the broader the risk community you have established, the less likely you will paint a skewed or incomplete risk picture for your management.

Ultimately, it is the responsibility of the executive management and board members to scrutinise and challenge the outcome of the risk consultation presented to them, drawing on their expertise, industry knowledge, and experience in the job to add valuable insights.

ALIGNING RISK CONSIDERATIONS WITH STRATEGY

It is vital that any measures taken to mitigate risk support the organisation’s overall strategy. Those that do not, such as over-reached informational campaigns or over-extended internal reporting requirements, should be discontinued.

At Siemens, there is a continuous dialogue between market units, divisions, and corporate risk managers as well as members of the executive management team to align all of the internal and external risk considerations. Of course, in a technology-driven company such as Siemens Wind Power, the ERM programme has to be flexible and agile to ensure the company keeps pace with the evolution of new technologies.

The focus of the business needs to be constantly verified, and any changes, such as entry into a new geographic market, could cause capacity constraints, or there may be legal or tax implications, for example. For each change in focus, a whole new set of risks may need to be assessed.


Ensuring the ERM programme has lasting impact

Here are three factors that ensure that risk awareness is embedded in the Siemens culture.

Vigilance

Employees are urged to be vigilant, and every member of the staff is encouraged to speak up about any problems they have identified or ideas they have. The challenge is to ensure that input is received and reflected upon. A number of risk-reporting protocols are available to employees, including software tools to categorise and describe risks as well as opportunities and to report the risks to internal and external third parties including auditors, lawyers, and various investigative bodies.

However, the most important element is that staff know who their risk manager is and are able to call or set up a meeting with that person to discuss any difficult topics. A crossfunctional open-door policy is a prerequisite for fostering an atmosphere of trust throughout the organisation.

Business acumen

The members of the risk community are the foundation of a successful ERM system. Everyone needs to understand the levers which drive profitability and move the company forward. Without the expertise and business knowledge of those actively and even passively involved in the programme, the results would be mediocre.

Ownership and empowerment

A mentality of ownership, empowerment, and accountability throughout the organisation is key to ensuring the ERM programme has a lasting impact. It is absolutely essential that people are empowered and held accountable for their actions down to the lowest level of the organisation.

Goal-setting processes must be realistic and cause and effect clearly established, with periodic follow-up reviews in place. Siemens Wind Power has revised its goal-setting programme to seek better alignment with the strategy of the wind business. There is still work to be done to eliminate conflicting goals being set across functions and inadvertently promoting a silo mentality.


Mike Skorupski, CPA, CGMA, is head of finance governance at Siemens Wind Power in Denmark.