Two of the striking advances in governance theory and practice are the establishment of risk management as a full-fledged discipline and risk management practitioners as risk management professionals. These advances come none too soon, expectations for good governance are increasing and transformational change driven by in technology advances, have unleashed a flood of emerging, increasingly complex and often connected risks on top of the many more familiar ones.
Organisations are still learning how to organise their approach to managing risk and how to handle a changing landscape of risks and opportunities. It’s common, even from companies with well-established risk management practices, to describe their state as “we’re on a journey.” The issues is to ensure the journey is progressing rapidly enough, especially in the context of business transformation in this Digital Age.
So, the challenge is, if the business environment is becoming more complex, and connected and the pace of change is increasing with greater demands for risk disclosure, why would the board or C-Suite not want to share the corporate risk load with a person who would be charged with uniting business silos and achieving a view of risks across the business? If organisations are serious about managing risk, Airmic believes they should consider a dedicated senior leadership role to spearhead the risk management programme. However, if this is the most appropriate way to ensure that risk management is fully embraced, why has the role of Chief Risk Officer (CRO) been slow to develop outside the world of financial institutions? With the UK Financial Reporting Council (FRC) proposing a revised Corporate Governance Code, it is timely to stimulate discussion on this important question.
The questions we address in this paper are
The concept that risk management is on a journey might be better phrased as “risk management is evolving into something new”. That new perspective is still in the process of being articulated, but it begins with accepting the fact that humans are not very good at assessing risks and often are not particularly interested in doing so. This is not a criticism; line managers need to be optimistic and focused on the tasks at hand - it’s only natural they’ll need help attending to, assessing, and mitigating risk.
Risk can be seen as a kind of shadow entity that sits beside everything we do. Just as we need marketing to look after customers, finance to look after money, and human resources to look after people; we need a risk leader to look after this strange entity of risk. In the absence of a risk leader, no one else has the time, inclination or skill set to develop a holist view of risk and how to manage it.
When we start seeing risk through this lens we see that it’s an essential element of resilience and sustainability. This is where risk management gets exciting and we begin to wonder whether it could become a new type of competitive advantage for organisations as we move deeper into a turbulent century.
This leads us to a forward-looking view of risk, one that considers risk as a tool for executing strategy, and to a forward-looking view of the risk leadership capability we need to build.
Would anyone on your board be excited by this view of risk? Is there anyone who is beginning to see how risk management might be evolving into an important discipline that is more akin to strategy than audit?What’s the consensus on how to approach risk management?
“The approach to managing risk should be fluid. The CRO could be a project role. It should not be perfunctory, but focus on driving change and inter-departmental collaboration. Supported by metrics, an objective of the CRO should be to consider how good or bad the organisation is. Following the project stage will come a process of fine-tuning by business leaders - probably deconstructing much of what has been built by the project”. Nick Hedley, Partner, Hedley May
Given the complexity of a comprehensive approach to risk management the natural step is to look for what is working well in other organisations. Unfortunately, there is no consensus on best practice. Risk is organised in many different ways, moreover some risk departments have such a narrow mandate that they are hardly comparable to those where risk management is charged with providing strategic insights.
This implies that each organisation will have to critically assess if the structure and approach it currently has to risk management is in fact working. Who will do that assessment? Ultimately the board and CEO, but they will probably need help—just possibly, help from a CRO.
What is clear is that it’s hard to imagine a large organisation without a central risk leader (whether or not they are a CRO) supported by a small team of risk specialists. There are many people involved in risk and the board needs someone pulling it all together
How much does the lack of established best practices concern you? Does this mean that organisations are stumbling along with poor practices or does it simply mean that there are many reasonable approaches to handling risk?
“Carrying out traditional risk management well is no longer enough. New risks have swung into view, senior-level demands are changing, and new capabilities are forming. It’s an exciting time for risk leaders to reframe the function for the new era”. Richard Smith-Bingham, Director, Global Risk Center, Marsh & McLennan Companies
Before we look further at what a risk leader does, and if that leader should be a CRO, let’s consider why there might be a need to enhance risk management capability. Organisations can assess where the gaps are in their risk management practice by considering the following elements:
Take a moment to consider which of these elements is weakest in your organisation. This may be harder than it first appears. The brevity of the list is misleading. Each element extends across the breadth and depth of the organisation. The exercise of identifying major gaps in risk management is difficult but make a note of what springs to mind.
“Ideally, within organisations there should be some separation between operational and strategic risks. Personally, I don’t think organisations, including board and risk and internal audit functions spend sufficient time focusing on strategic risks. After all those risks are the ones most likely to bring the organisation to its knees and impact the bottom line. Interestingly, there was some research done by CEB showing that something like 66% of loss of share value was caused by the materialization of strategic risk; whereas in general internal audit spends less than 6% of its time focussed on strategic risks. Having some kind of risk leader at the board level might bring more attention to strategic risk and mitigate the impact of strategic risks materialising.” Elizabeth Sandwith, Chief Professional Practice Advisor, Chartered Institute of Internal Auditors
“The CRO should be seen as a role with a mission to be accomplished, not a job with responsibility for a set of tasks.” Michael H McInerney, President, Executive and Board Services Consulting Group
Assuming that there are some gaps in risk management capability it would be natural for the board to ask the risk leader to advise on a way to close those gaps. If they are to have the capability to close the gap they have to have the right mandate—and this is a topic with some competing perspectives.
Despite the title, risk managers never manage risk, they facilitate the management of risk. It’s operating managers who make the actual day-to-day decisions about risk and it’s important the accountability for managing risk lies with them. That leads to the question of how risk managers facilitate risk management. There are two main answers:
To add some colour to this we might consider the two views of risk management on these dimensions:
No one doubts the necessity of the compliance-oriented focus on diligence and expertise; however, if the gaps in risk management capability lean towards more strategic or cultural issues then it’s hard to imagine closing those gaps without a strategic-insight orientation towards risk management.
Furthermore, there is a real tension between a compliance mind-set and the strategic insights mind-set. If the risk leader gets stuck in the compliance box, then the role can easily devolve into an unloved tick-the-box function. However, a risk leader can’t get immersed in the evolving strategic side of the work until compliance is under control.
Does your board emphasize the “strategic insight” view of risk management? No one would say that they don’t emphasize compliance, so the better question is whether the board also emphasizes the strategic insights on risk that a free ranging risk manager might bring to light.
“The risk leader must be able to challenge the board on how well it is handling the oversight of risk and challenge the executive team on how well they are handling risk as part of day to day management.” Jamie Lyon, Portfolio Head, ACCA
It’s a simplification, but one can see the compliance side of risk as deft management of a series of processes such as a risk identification process, preparation of risk registers, reporting and so on. The strategic side is better seen as a series of conversations.
If a risk manager is talking to the right people at the right time about the right things, then they—along with the managers they are talking to—will uncover risks and appropriate ways to deal with them. Unlike processes which follow a clear structure, this kind of conversation is built around having an ear to the ground and a wide set of trusting relationships.
In this intelligence gathering mode the risk manager is working across boundaries, they are part of conversations that might be relevant to risk and in which they might be able to add insight. Also, they may have nothing to add to the conversation, but it may play a role in helping them eventually connect the dots and bring insights that couldn’t be seen from within any one silo.
These two sides to the role are quite different: one nicely structured, the other highly fluid. When we think about the kind of person we need as risk leader and what they will do when they are there, we need to keep these two different roles in mind.
Is your organisation’s culture amenable to a free-ranging risk manager? If an organisation likes to keep things in clearly defined boxes or doesn’t have high trust, then it will be difficult for a risk manager to play the intelligence gathering role unless they have the authority that comes from being in the C-suite.
“As a risk leader, even where we have specialist functions overseeing particular risks, I need a good understanding of the area – it’s not just about facilitation.” Andre Katz, Director, Enterprise Risk Management, BT Group
Given what’s required of risk management, it’s likely that organisations will want a risk leader with a small risk team which acts as the hub for risk management. Presuming that this leader needs to encompass both the compliance and strategic insight view of risk, what skills do they need to have?
Here are some of the elements commonly identified as important:
What trade-offs would you accept in choosing someone for this role? For example, if someone had really good soft and hard skills would you accept lack of knowledge about the business? If someone had really good soft skills and knew the business would you accept lack of hard skills in risk management?
Considering the skills that a risk leader should have it’s clearly a big job. Can the risk leader sit a few levels down in the organisation or is it better if they are a CRO? Let’s review the main pros and cons.
To date that has been little appetite for creating a CRO role for corporations that are not financial institutions. This is likely a result of seeing risk management as mainly a compliance function - and who wants more of that? All the pros and cons seem to revolve around these two factors:
Is there clarity about which pro or con is driving your view about the CRO? Often having many pros and cons muddies the water when at heart there are just one or two factors that are really driving someone’s intuition on a controversial issue. Which factor is most salient to you?
“A potential danger for a CRO is that they are seen to become the risk owner and that the business operators walk away from their accountability to manage the risk.” Group risk leader, FTSE 100 Company
Clearly there is more than one acceptable approach to risk management and whether an organisation needs a CRO will depend on the situation. Here are various conditions where it’s likely that the organisation should elevate the risk leader job to being a CRO:
Do you have any of these conditions? Are they pressing enough that you need someone in the C-suite to address them? There is no question that there are many ways to address risk management and the CRO is only one option, the issue to consider is whether the situation in your organisation causes you to lean towards or against having a CRO.