Law 4706/2020 on Corporate Governance provides for the adoption and implementation of a Risk Management Strategy. It clearly provides for the existence of policies, procedures, roles and tools.
The Law does not explicitly provide for the existence of a Risk Management unit, but one question is whether the implementation of a Strategy is feasible without a responsible person and a support team. Also, some "traditional" consultants downplay and postpone the necessity of Tools! Let's see what exactly is happening.
The Risk Management Strategy is a structured approach to managing risk and can be used by companies of all sizes and in any industry.
Risk management is best understood not as a sequence of serial steps and tasks, but as a cyclical process in which "old" risks are redefined and new risks are identified and monitored continuously, by more and more stakeholders and with more in-depth analysis.
Can a Risk Management Strategy be implemented in practice exactly as it will be designed on the basis of Law 4706/2020 and the well-known ISO 31000 or COSO standards, incorporating the cyclical nature of the process, without a software tool, without an "IT system"? The answer is no!
- First of all, the question arises: where (in which medium) will what is being analysed be written? In a notebook or in Excel?
- Then, while the results of the risk analysis are being processed, "what if" questions will arise, usually posed by the Management of the company or organization conducting the analysis. These lead to many (if not infinite) scenarios and models of investigation, until the process results in a final plan and strategy that will be submitted for approval to the Board of Directors or other bodies of the company or organization. How will these scenarios be built, e.g. to find the balance point between an acceptable level of risk and the (available and feasible) cost of mitigation actions?
- Thirdly, how will the actions decided upon be monitored in the future? By what means? By e-mail? How will mitigation actions be assigned to the officers who will undertake to execute them, how will status reporting be generated, and how will new risk levels be adjusted and reassessed in the evolving, ongoing strategy?
- Finally, how (by what method) will risks and mitigation actions be quantified? Without quantification the credibility of the analysis will be poor. On the other hand, quantifying 50-100-150 risks with 200-300 mitigation actions (averages from our case experience) is NOT possible without an IT system, especially if there is a need to run what-if scenarios.
If the above is done with pencil and paper or by eye, the result will not be worth the time, cost and effort required, or the results will be unreliable and flawed the day after they are produced.
It should be understood that the software not only supports the methodology, it secures and automates it, making it operationally feasible.
Conclusion: Therefore, for the actual and successful implementation of a Risk Management Strategy, the following are required:
- Methodology
- Competent Executives
- Software
Each of these three "assets" has its own unique value and all three are necessary for each company.