Businesses and the risks they face are changing. And so too is risk management. Airmic believes that the world has grown so complex that a new kind of corporate risk leadership is required for companies to respond to future risks in a way that achieves both resilience and commercial success. But for risk professionals to meet the challenge, they must broaden their capabilities to encompass leadership, business and strategic skills.
In February, Airmic members and industry experts sat around the table to debate exactly this. What will tomorrow’s risk leader look like? What skills and qualities will be required? And what can today’s aspiring risk managers do now to meet these raised expectations?
But first, some brief background to the debate. Airmic, in conjunction with think tank Tomorrow’s Company and other industry bodies, is currently undertaking research into the future of risk leadership. The broad message is that companies need to establish senior risk leadership that reports to the board and links risk to both the strategic and operational functioning of the business.
As became clear through the debate, the business world and risk community have started on this journey but have a long way to go.
The Panel
Amelia Stubbs– senior client partner, Korn Ferry
Andrew Cornish– partner, Lockton
John Ludlow– SVP and head of global risk management, IHG
Emmanuel Fabin– senior manager, insurable risk, TSB
Richard Park– risk manager, EMEA, MMC
Patrick Smith– CRO, Europe, The Warranty Group
Gary Marshall– group risk manager, Polestar
Chair: John Hurrell– CEO, Airmic
The status quo: how sophisticated is your company’s approach to risk?
The good news is that all agreed that risk management is far higher on the corporate agenda than it was ten years ago. Boards are starting to see risk as more than a compliance exercise. As John Ludlow commented, risk management is a completely different science today: “It has gone from reactive to proactive. Now it’s intelligence-led and about pre-empting changes.”
But the extent to which boards see risk management as a strategic role varies hugely, depending on sector, size and culture of an organisation.
Those in financial services tend to be ahead of the curve, in part because of the upheaval they have been through since the 2008 crash and in part because appointing a chief risk officer (CRO) is now expected and the norm. Patrick Smith summed up the change that has happened at The Warranty Group: “My company – a financial services company – has been through a journey from the CRO being seen as a necessity, driven by Solvency II readiness and regulatory requirement, to a trusted advisor. The key to the journey for me has been to gain an intimate understanding of the business strategy, so that risk governance and the risk framework are relevant to the business and business leadership.”
“The key to the journey for me, has been to gain an intimate understanding of the business strategy” – Patrick Smith
It takes time to achieve a sophisticated risk culture, however, and there are many barriers especially in a multinational company. Richard Park noted that risk is a very broad subject and there is a danger that some CROs over focus on regulatory requirements and may miss some of the more subtle diverse risk exposures. “It is therefore critical to keep the risk register fresh and circulated across various business and departmental silos to ensure that all critical risks are identified.”
If TSB are anything to go by, being a new brand can be a huge advantage in establishing a sophisticated risk culture as it doesn’t have to overhaul an out-of-date culture. Of TSB, Emmanuel Fabin said, “It helps that the board isn't fighting a reputation. It has a blank slate because it is new. They can – and are – setting their own agenda.” Risk is very important to the company, he says, and it recognises the importance of taking a holistic approach. “Accountability, including challenge from the board and executives is also seen as important.”
“It helps that the board isn't fighting a reputation. It has a blank slate because it is new” – Emmanuel Fabin
Ludlow believes that understanding the context of risk management is key to understanding the risk needs of your company. Is it a small or complex business? Is it in manufacturing or services? “The more complex the context, the more need there is for a risk leader. IHG, for example, has a whole matrix of people bringing the company together. The risk leader has to bring together all the different parts of the company to face today’s and tomorrow’s challenges and to coordinate the three lines of defence.”
As an executive search consultant, Amelia Stubbs benefits from a broad view on the status of risk in UK companies. The role of risk leaders is definitely evolving, she says. “Outside of financial services there is a change in the requirement. They want someone forward thinking with a strategic mind-set.”
And it’s not just empty rhetoric. “We are seeing a trend of increasingly senior hires across all sectors; new positions are being created that are elevating the risk role to clear engagement at board level,” she notes.
The challenges: what is stopping risk management growing in status?
From the chair, John Hurrell asked what obstacles the risk community needs to overcome in order to move this journey forward. The question produced some interesting answers that revealed the gap that can exist between the culture of a company and best practice.
It became clear that in some companies, there is a fear of the transparency that inevitably comes from a greater integration of risk management and strategy. After all, it is the job of the risk leader to ask probing questions and to challenge the status quo right at the top of the business.
“Companies don’t always want people going into their darkest places” – Gary Marshall
As Gary Marshall commented: “Companies don’t always want people going into their darkest places and saying they’re doing things wrong. Very senior people may have made very erroneous decisions and they want to stick to their guns. Their egos come to the fore. Take the recent example of HSBC – look what greater transparency opened up.”
Park agreed, saying it can be a delicate balance politically. “If senior managers have made poor risk decisions in the past, then tact and diplomacy is required when making corrective risk recommendations.”
He added that a more subtle and solution-driven approach is usually more productive than finger-pointing. “Also, confidentiality is essential when endeavouring to manage long-term risks which do not have a low-cost solution as it must be recognised that the board may have limited resources and other more demanding priorities.”
“Tact and diplomacy is required when making corrective risk recommendations.” – Richard Park
Stubbs agreed that despite all the progress there can be a “reputational lag” around risk management at the board level. “There is a perception that risk managers are people who will say ‘no’.” She said that risk leaders must navigate a very challenging tightrope between wise counsel and effective challenge.
The panellists agreed that the culture of an organisation is crucial and can be the biggest obstacle or the biggest enabler for risk management, depending on the company’s evolution.
Fabin, for example, argued that understanding your company’s cultural environment – and specifically what is motivating the board – is important to understanding why they may not be taking a more sophisticated approach to risk. “Do they aim simply to make money and therefore see risk management as a barrier? Or is it a family owned business in which case individuals may have too much control?”
“How will a risk leader both fit into the culture of an organisation while also changing that culture for the better?” – Andrew Cornish
As Andrew Cornish explained, trying to change a culture from within is a complex task, and there’s a tension inherent in the role of the risk leader: “The big challenge is how will a risk leader both fit into the culture of an organisation while also changing that culture for the better? It’s a difficult task.”
Tomorrow’s risk leader: what qualities will they need?
While there is no one-size-fits-all answer to the question of what tomorrow’s risk leaders will look like, two related themes clearly emerged from the discussion: first, the need for risk professionals to shift from technical knowledge to business knowledge; and second, a strong focus on personal qualities.
In order to be a true risk leader, one that can give strategic guidance, risk professionals must ask themselves what their company will look like in the future, Marshall said. “Understanding your business and how you can extract value it critical. It is key that people align themselves with what tomorrow’s company looks like.”
“Understanding your business and how you can extract value it critical.” – Gary Marshall
Smith agreed, saying that the role will not have any credibility if you don’t know the business and can’t talk the right language. Technical knowledge is always important but you have to be relevant and aligned to be listened to.
The need to develop more than just a technical understanding of risk came up time and again throughout the discussion. “You need a broader base of skills,” Cornish said. “In particular, risk professionals need to develop their technical skills into leadership skills. It’s no easy task.”
Often, it is personal qualities that decide whether a person can successfully make this transition.
“It’s an immensely difficult job. There are very few people who can do everything.” – Amelia Stubbs
“Whatever you name the role, its characteristics are key,” Fabin argued. “These include: media savviness, an ability to respond to multifaceted impacts on your company, accountability, and an ability to translate a technical message to the board.”
Does that sound like a tall order? Stubbs, who has recruited for a range of senior roles thinks the CRO is the most complex role in the c-suite. “They must balance navigating multiple stakeholders with complex processes. They need to be able to speak broadly on issues, simplify complexity and get the board and executives to understand their risk responsibilities. It’s an immensely difficult job. There are very few people who can do everything.”
Today’s actions: what should the risk community be doing now?
Given the challenge facing risk professionals, both in terms of developing their own skills and the “reputational lag” that can still exist around risk management, Hurrell asked what Airmic members should be doing now.
The first task is to promote conversations at the board level, Stubbs said. “Show them that there is a different way of thinking about risk leadership; it's not about giving something up, it's about enhancing the business and its resilience.”
“Often the best people to be risk leaders have moved into risk as a second careers” – John Ludlow
Smith agreed, citing his own personal experience. For him, the crucial point came when he insisted on risk assessing his company’s strategy – not with the aim of inhibiting their behaviour, but to demonstrate that failure isn’t unthinkable. He led the process of stress and reverse stress testing the strategy to get them thinking about what can go wrong. “The process flushed out lots of important points and led to changes in processes, which ultimately increased our opportunity to successfully execute the strategic objectives.”
But getting the ear of the board can be difficult if risk is not yet high on their agenda, Hurrell noted. So then what?
“Think differently,” Smith said. “Don’t think in terms of organisational structure. Broaden your radar and work out how to get the ear of someone you need onside.”
All agreed that organisational savviness is important – knowing who to speak to and how to get their attention is a skill in itself. If you can’t get the attention of your senior, move horizontally or even down a level to speak to people that might have different channels which you can influence.
“Strategic thinking may be a skill not sufficiently addressed at the moment.” – Patrick Smith
And find out about people and what buttons to push, Marshall advised. “Remember that the CEO is interested when things go wrong.”
On an individual level, the most important step for risk managers at all stages of their career is to align themselves as strategically as possible. Most agreed upon the importance of developing the ability to make balanced business decisions and to learn to cut though ambiguity.
And if you are fairly new in your career, take the opportunity to get a breadth of skills, perhaps by working in audit or learning leadership skills, Stubbs suggested. “You definitely need a broad background to succeed today,” Ludlow agreed. “Often the best people to be risk leaders have moved into risk as a second career and may have a background in, for example, law, HR or marketing.”
Smith, who is also Airmic’s deputy chair and founded the association’s learning and development committee, said that Airmic has a responsibility as well. “We must make sure learning opportunities match the skills map and recognise that non-technical expertise is at least as important to organisations these days. Risk leaders must have a combination of technical and leadership competencies to be credible. For example, I think that strategic thinking may be a skill not sufficiently addressed at the moment.”
Final thoughts
And so the discussion concluded, having painted a varied picture of risk leadership in UK companies. There is no doubt it raised some significant challenges to companies and risk managers at all levels, but none of which are insurmountable.
One of the key positives to take away from the debate was that risk is undoubtedly moving up the corporate agenda. “Risk continues to be a greater part of how boards view their business,” Cornish said. “In part because of the work Airmic and risk managers have done to raise awareness, they realise that they need to be more involved in risk.”
And for those risk professionals that do successfully make the transition from risk manager to risk leader, the reward is clear: the chance to play a truly influential and genuinely positive role in the strategic success of your company.
Amelia Stubbs
Andrew Cornish
John Ludlow
Emmanuel Fabin
Richard Park
Patrick Smith
Gary Marshall
John Hurrell