Regional risks with local impact, the risk management conundrum

A spiders web of competing interests or a manipulated series of events, which ever way you choose to view events in the Middle East, many of the basic influences remain the same. Whilst we don't always see the many conflicts in the region as having a direct impact on business, the residual effects of the decades of conflict do trickle down and indirectly impact business in many areas. The question for business leaders, risk and compliance managers then becomes one of identifying how the risks across the region may impact their business and what is required to mitigate these risks.

Identification of risks is a critical question for all business processes. Past years in the region have seen a focus on physical security but this was still poorly addresses in many areas. Over the past decade however, regulatory requirements, the need for compliance and an influx of newer risk-professionals to the region has changed the outlook for risk management in the region. As with other developing functions there are a number of growing pains to these developments, mistakes to be made and learning points to grow from.

It is rare that a company's spread of risk will be contained within one single geographic market whether that is a country or an entire region. Clients, contracts, personnel, vendors, suppliers, assets and other resources will often have links to, or be sourced from other areas. As a result, these relationships and links bring residual risks to the business from outside of your immediate business environment. The problem then becomes clearly identifying your risk exposure considering these extended relationships. Even if your business is 'local' your risk portfolio is still likely to be regional!

There is a heavy reliance on expatriate personnel, many of whom may not fully understand the region and the history that has shaped current events, those being decades old not simply since September 2001, or the myriad of relationships, cultures, and religion that continue to influence the region and business alike. This in itself attracts concerns of perception of risks and of collating and analysis of often-bias media, analyst and 'expert' reporting that then influence risk assessment outputs.

A number of points are critical to the efficient implementation of a risk assessment. These include a detailed understanding of the business, internal and external relationships, and the operating environment. Whilst the first two may be well contained, the operating environment is an area where the influences can expand to region and global concerns that may not be clearly identifiable by those with less local experience.

The simplest thing for a risk manager to do is label everything a risk in some vane way of hoping to adequately address his liability. This may be as a result of inexperience, a lack of understanding, or a breakdown in the process but the sole result is the discrediting of the risk management function and the growth of a culture of uninformed risk taking as management elect to ignore future risk advisories. This can be said for all risk functions whether they are financially, physical, reputation or information risk focused in all businesses. A loss of credibility within the organisation simply detracts from the true value that a credible risk process can provide.

Where we have seen marked improvements is where clients have invested the time to provide risk specialists with grounded training including an in-depth understanding of the region and the many influencing factors that can be found within it. Whilst this alone doesn't make one a 'Middle East expert', a well-informed risk professional is much more likely to identify the factors that will effect their business and allow them to sift through the materials produced by the numerous Middle East experts located elsewhere with a context driven analysis that many of the more recent 'experts' on the region are lacking.

Understanding the business function within the context of the region's influences is likely to bring about a new outlook to the risks. Taking a look at the internal and external relationships, where risk may emanate from within and externally, what risks other organisations bring to the business, whether they are clients, vendors or associates, can all be analysed in the broader context of how the region functions, the risk trends that are present and the opportunity for these risks to be realised.

One of the greatest challenges for risk professionals, both in-house and consultants, has always been to show where the risk management process has benefited a business and avoided losses. Whilst losses of any kind are often vivid and can be quantified, the prevention of loss, crisis or disaster is more difficult. However, hypothetical scenarios can be modelled and run and the potential losses from a lack of action can be projected. Most importantly of all, the risk manager or consultants often need to change from a position of opting for a negative response to a business request changing their the mindset toward a positive facilitating response with the objective of supporting the business whilst advising on the necessary course of action required to adequately mitigate those risks without compromise to the business. It then becomes a business decision whether to proceed but with the confidence that the risks have been addressed proficiently and accurately.