Risk Management: A Strategic Imperative
Vijay Thacker, Managing Director of Horwath HTL-India, discusses how effective risk management is a crucial strategic component that underpins robust governance and operational success. The framework involves not only identifying and mitigating risks but continuously monitoring the effectiveness of these measures.
By Vijay Thacker
In the increasingly complex world of global business and significantly greater compliance obligations, risk management is an essential element for management and governance. This holds for all companies and professional sectors, including the hotel sector. The principles and practice of risk management have substantial application for the hotel sector, given the sector’s characteristic of frequent separation of ownership and management.
Risk management is mandated for all listed companies and is also required for privately held entities with private equity investments. I would suggest that risk management is essential for any business with variation only in the extent of use, depending on the individual complexity. At the outset, let me clarify that risk management remains entirely relevant for owner-managed hotels (with or without franchise arrangements) in the same manner as it remains relevant for chain-managed hotels—the responsibilities vary. Still, the key risks remain much the same.
The three maxims of risk management
Briefly, risk management stands on three legs:
- The identification and analysis of various risks.
- The design and implementation of risk mitigants.
- The monitoring and evaluation of the effectiveness of the designed risk mitigants.
The foundation of risk management is strong support (nay, even insistence) from the board and leadership for a robust risk management platform. The sky is the ceiling, with the effectiveness dependent upon whether the leadership permits an opaque system or evinces strong reliance on the risk management processes. The extent and strength of governance and leadership support for the entity's risk management framework will ultimately determine whether the entity succeeds in using risk management as a valuable business and governance mechanism, or causes the risk management framework itself to risk failure.
The need for RCM
Risks attendant to an entity are diverse—business, financial, operations, structure, people, compliance, environment, technology, fraud, and many others. A Risk Control Matrix (RCM) is the key reference document for an entity’s risk management efforts. Unfortunately, it seldom (or at least inconsistently) covers the third leg of risk management, i.e. the aspect of monitoring and evaluating the effectiveness of risk mitigants that have been adopted. A simple example is: how many hotels have properly designed SOPs for each aspect of the operations? How many of these have been adapted to the specific business situations of the hotel or market characteristics, as distinct from global standard practices of hotel chains? What is the degree of monitoring for the actual implementation and effectiveness of the prescribed control processes? How much weightage is attached to these in the context of high attrition levels and staffing controls? In the bargain, how much attention is paid to operational, fraud, and compliance risks when shortcomings in SOP implementations are observed and highlighted?
As a net result, does this render the corporate RCM somewhat theoretical relative to the on-ground scenario? This is not due to any inappropriate or malicious intent; it is largely the outcome of the lack of sufficient attention to performance evaluation and monitoring of the risk mitigants, and the softness in recognising the impact of inadequacies and shortcomings. In hotels, the potential to understate the risk is exacerbated by the limited relative value of individual transactions (or even samples) and thereby an under-appreciation of the shortcomings noticed through sample review. Seldom are the results truly projected to the entire relevant data set to reflect the real/potential risk. And more seldom does one see an assessment of the impact of silent or soft tolerance of system or risk mitigant failures on the totality of the framework; the extra slack is cut before reporting failures of design or implementation of risk mitigants. This is different from the risk tolerance levels approved for the entity by the risk committee and board.
Key aspects that hotel owners are advised to consider in their risk management process include:
- Understanding the risk implication of the contracted scope of work and responsibility of hotel operators, particularly in the context of (i) the hotel employees being employees of the owner and (ii) the indemnification provisions under hotel management agreements.
- Understanding the risk assessments of the operator and how these compare with the RCM at the ownership entity level—in content, and also in terms of design, implementation, and monitoring of remediation measures. This understanding will also provide greater insight into asset management needs and risk mitigation steps that the owner needs to initiate or implement. This is particularly important because several mitigation measures for the RCM are dependent upon processes and controls at the hotel.
- Identifying the risk management responsibilities between owner and operator so that key matters do not fall in between and remain unattended due to differences in perceptions.
- Assessing hotel performance not merely from the viewpoint of financial results but also in terms of the attendant risk management factors for the asset, and long-term operations, competitiveness, and profitability.
- Clear identification and allocation of responsibilities on compliance matters so that compliance risk aspects are fully and appropriately addressed.
- Franchise arrangements are less complex, but need a proper understanding and assessment of risks, risk mitigation responsibilities, and resultant liabilities.

Owner-managed hotels (and portfolios) need an equally holistic risk management approach at the ownership level—the assessment scope should largely remain the same, but the responsibilities for mitigation in all its elements (design, implementation, and evaluation) rest entirely with the owning company.
My experience shows that hotel-owning and operating entities would do well to pay more attention to the following aspects:
- The aspect that risk management is an ongoing exercise and not a one-time exercise. Business, and its underlying conditions and competitiveness, are dynamic, and it is therefore necessary to address the subject of risk management regularly—to believe that this is a one-time exercise, with moderately evaluated updates to the RCM in subsequent years, is an approach that is deeply fraught with risk.
- Lack of systematic performance evaluation of the identified risk mitigation measures—seldom is there a clear evaluation and assessment of the actual outcome and the ultimate impact, with multiple reasons (mainly resource constraints) explaining away the errors noticed or the lack of implementation or absence of effectiveness of risk mitigants.
- Unawareness of, or substantially inadequate attention to, three key risks that have emerged in the current operating environment—third-party risk, cyber risk, and data security risk. These are new-age risks but of substantial magnitude and impact. Largely, these risks are not sufficiently understood, identified, addressed, and monitored, particularly given the dynamic nature of modern business and its operating structures.
Governance is the third key leg of ESG
Risk management is an essential element of governance. It does carry a negative fundamental connotation. By its very nature, risk is not a word people like to hear, talk about, or even admit. Yet, risk management is a ‘scrub’ that helps the business and the company in the long term; the more open (and detached) the acceptance and discussion around it, the better the beneficial value. Thus, risk management must be rigorously institutionalised. The gains from risk management:
- It helps minimise governance failure, particularly when the company’s system is robust and not considered as a ‘have to do’ for regulatory compliance.
- It establishes better standards for the company, its management, and its counterparties.
- It helps create larger valuations because smart investors recognise the value of good risk-based governance.