We surveyed risk managers from across the world for their views on what needs to change in risk management. Here’s a preview of the results
In the industrial era, a company’s business model didn’t change much. The way in which businesses developed, delivered and captured value would remain static for decades. But in today’s technologically advanced and globalised world, traditional business models are being disrupted and reinvented – at an exponential pace.
The velocity of change – and its breadth and sheer impact – is being felt in almost all countries, sectors and markets. Its impact extends to entire systems of production, supply chains, distribution and to areas of management and governance. And the risk landscape is changing like never before, posing new and complex risks for risk managers. To keep pace, remain relevant and add tangible value to business, risk management needs to change.
In our #ChangingRisk survey, we asked what you want to see changed. At the time of writing, more than 50 risk managers have taken part so far. Their views are a candid and passionate portrayal of the state of risk management and the challenges that need to be addressed to ensure a risk-mature future. There are some harsh truths – and not all that you’ll agree with.
And while we review these findings, let’s do so with thought to the innovative work of many risk managers. This isn’t about throwing out the old. It’s about enhancing the strength of risk management.
In three events this year (see page 10), we will place a microscope on some of the common themes that come out of our study to aid our #ChangingRisk manifesto, which we will launch at the end of this year.
So, while we continue collecting your views, we’ve downloaded the interim data to give you a snapshot. The full report will be available at the Ferma Forum in Berlin, 17-20 November.
WHAT WOULD YOU CHANGE TO IMPROVERISK MANAGEMENT?
Reduce time spent on risk frameworks
Yes, we need tools, but it is ridiculous when the development of frameworks, methodologies, and heatmaps consumes most of your role. Our role should be considered as risk/opportunity advisory services. We do not ‘manage’ risk, and nor are we solely focused on ‘risk’. Aren’t we also there to help from an opportunistic perspective, i.e helping business protect what they have, and helping them make informed decisions to maximise growth? Yes, we need a profile to understand where an organisation is – profiling is the cornerstone – but we need to be strategic advisors and a conduit to pull the right stakeholders together to help make informed decisions.
Change the role, responsibilities and job title
I would start at a higher level and transform the name, role and responsibilities of the risk manager. This requires a disruptive “start again” strategy. With the ever-increasing focus on risk and strategic achievement at board and executive levels, I would start from that perspective and answer the following question: “What role and/or function is required to assist the company in developing strategies that are achievable, resilient and flexible; mindful of the opportunities that are available and internal and external risks to strategic success?”
Then, “How does this role/function align to the current or future organisational structure?” Thereafter, the following can be considered
- what are the skills, attributes and experience required to deliver the role and responsibility
- what tools, structures and methodologies are required to be successful and to really add value to the organisation, Exec and Board; including the three topics above - tools, standards and risk model.
EXPLAIN WHAT YOU THINK IS SLOWING CHANGE IN RISK MANAGEMENT?
Get the risk story right
Auditors, insurance and consultants telling management different stories about what risk management is. All say they do it, all have different solutions and approaches and all have different underlying motives.
When we don’t help to make decisions that matter
Those who are deemed ‘risk managers’ or equivalent not having the ability and skills to create real value by helping the business make decisions that matter. I believe that an enhanced skill set, above and beyond what has been necessary for some of the traditional risk work, will be require but for which there is a considerable amount of content already available – decision science, psychology, risk analysis and modelling techniques.
WHAT ELEMENTS OF RISK MANAGEMENT ARE OUTDATED AND INEFFECTIVE?
A false sense of risk management
The preoccupation of catering to the board and audit and risk committees’ expectations of risk management – i.e. production of governance documents – gives a false sense that risk management is effective. I don’t mind if an organisation feels it must start the risk conversation with a flawed risk heat map and/or risk register, but it’s a real problem if that’s where risk management stops (which is often the case).
Over-complicated ERM
Many companies over complicate ERM and focus a lot on capturing risk data in a non-consistent fashion and in cumbersome risk registers. The information is not used to drive risk informed decisions.
One size does not fit all
The concept that one approach to risk management works for all organisations. Risk management needs to be bespoke to the business and consider the current stage in its business life-cycle, the strength of the company’s leadership and the maturity of governance by the board. Pedalling a ‘one size’ fits all approach is naive at best and damaging at worst.
Changing perceptions
Risk management is only considered a compliance requirement with no bearing in strategy-setting or decision making.
Our job title
The concept of ERM and titling most risk functions and individuals as ‘risk managers’ – particularly when we do not manage the risk as we do not own it.
The industry’s understanding – or lack thereof
The first thing that is slowing down change is the insurance industry (brokers, insurers, and reinsurers) not understanding that risk management is more than buying insurance. The second thing is when risk managers only concern themselves with downside risk instead of risk = uncertainty and includes upside (strategic) as well as downside (tactical).
No comments yet