Organisations face the challenge of changing their view of risk management

Over the past 10 to 15 years, risk management has evolved substantially in both theory and practice. Gone are the days when it was regarded as the domain of the insurance manager, or the days when it was seen, in the absence of transparency, as just what everybody did as part of their normal duties.

There have been a number of reasons for this change. These include regulatory initiatives, corporate collapses and changing attitudes of directors.

Organisations have responded by improving their risk management practices, clearing a number of hurdles in the process of developing risk management into a genuine discipline and a priority on the corporate agenda.

Most organisations that have successfully developed their risk management capabilities in response to the changing external environment now face a choice between two different options for further development. Both promise significant benefits in terms of efficiency, quality and business success.

While they could be taken as a single initiative, the substantial challenges that they pose probably make it better to see them as separate, and to tackle them as separate initiatives.

The first option is to focus on hard changes by improving both quantitative and qualitative risk management techniques, to the point that they can provide a real support to strategic decision-making. The other is to focus on soft changes, consolidating the gains in risk management practice that have already been made by embedding them in management culture, making what is still something of a marginal activity part of normal management style and routine.(1)

Both options are a challenge, because they require a shift in the management mindset from seeing risk management primarily as a compliance activity to one which contributes to value and business success. This is made all the harder, since neither regulation nor external events are likely to provide the impetus. The momentum, therefore, must come from within, and chief risk officers and risk managers will have to play an important advocacy role to help their organisations understand the options and move forward successfully.

External drivers have helped

How organisations have perceived risk management in theory and applied it in practice has undoubtedly developed considerably in the last 15 years.

Regulation has been crucial in providing the impetus, itself driven to a degree by corporate collapses.

Across Europe, many countries have now adopted their own detailed corporate governance standards that include guidance on risk management. A Europe-wide framework may be on the way.(2) In the US, frameworks such as COSO ERM and the Sarbanes-Oxley compliance requirements are having a similar impact.

The result is that risk management is becoming a genuine agenda item for the board to address. This is shown by the clear states of maturity or 'hurdles' that organisations have overcome. Each hurdle and each new state of risk management evolution has required businesses to shift not only their practices, but also their attitude to the management of risk and the benefit gained from it.

Beyond operational risk

Perhaps the first of these leaps in maturity was the expansion away from operational risk management silos linked to insurance.(3) The emergence of the business risk management organisation has seen risk become associated with all aspects of business activity, from regulation and compliance to competition, reputation and communication with stakeholders.

The development of this business risk approach, linking different types and sources of risk, to the point that managers are able to take an integrated view of risk covering all aspects of the business and its activities, was a genuine step forward.

Omission from the boardroom

Building from the business risk approach, organisations have further matured their risk management practice to focus on providing confidence and assurance to the board on risk management issues.

No longer simply prepared to believe that risks are being managed, organisations have invested in reviews and challenges designed to assure the board that activities and processes for managing risk are actually in place and can be relied upon with confidence. This could be referred to as the development of the assurance risk management organisation.

In the UK, and increasingly in the US, this is particularly apparent, as risk management has seemingly developed in tandem with the independence of the board and the non-executive director, to a point where risk management information is increasingly seen as a unique source for the board to consider in the execution of its duty to review and challenge the execution of business strategy.

Dedication and commitment

More recently, these two developments have been joined by a third, relating to the degree of discipline and commitment underlying organisational approaches.

For many, risk management is becoming a core competency of the business, performed with discipline and consistency across the whole enterprise and with a high visibility on the corporate agenda.

This development of what could be called the disciplined risk management organisation has been accompanied by the recognition that to do risk management effectively requires a degree of in-house specialist expertise.

The majority of the FTSE 100 companies in the UK now have a risk management function, and many also have a chief risk officer (CRO) or similarly titled senior leader to ensure quality and provide the organisation with an agenda for improving its approach. One research source in the US predicts that over 75% of major organisations there will have a CRO by 2007.(4)

With the development of risk management as a specialism with its own best practice, theory and techniques, organisations have started to become more sophisticated in their approach. Many have adopted frameworks and models for risk management that look at all aspects of the organisation's approach to identifying, assessing, reporting and mitigating risk, and how the organisational culture, processes and structures are supporting the effort.

Developing beyond this

For organisations that have managed to come this far - and many have - there is now a real choice in terms of how to develop further.

The next hard step change in the range and sophistication of risk management techniques involves combining qualitative and quantitative risk analysis and applying it to strategic decision-making. The alternative option is to focus on the soft challenge of embedding the gains that have already been made in improving qualitative risk management processes within operations, in the sense of doing what they currently do by way of risk management, but doing it better and more naturally, as part of the accepted management process.

As risk management activities become more sophisticated, embedding becomes increasingly important. If it is put off in favour of continuing on the trajectory and going for an extension in the sophistication and application of risk management techniques, it will still need to be tackled at a later point in time.

The problem with both of these options is that regulation is not propelling organisations to take either of them. Organisations must take the next step as a leap of confidence, and this confidence can only come from a growing realisation that risk management can deliver value to the bottom line.

Linking risk management to future business success

This is particularly vital for those organisations that want to take the hard step of applying a range of qualitative and quantitative risk management techniques to strategy setting and business planning, with a view to risk management supporting the top line as well as the bottom.

An evolution of the management mindset is vital for this to happen successfully.

Risk management has to become accepted as a discipline that has something to contribute to how strategy is chosen and set and not just to how it is executed and protected within operations.

For most organisations, the shift in mindset will need to be accompanied by a development in the range of risk management activities applied to decision-making. The specialist risk management function needs to move beyond developing and facilitating basic processes to focusing much more upon keeping pace with the changing business environment and new theories and techniques.

It will also need to provide leadership in the application of risk analysis to business decisions. This means bringing a range of quantitative and qualitative risk management techniques to bear upon the way in which strategy is set, from value-at-risk and scenario planning to extending and improving the qualitative process of risk identification and analysis to include opportunity analysis as well as the analysis of potential threats.

Embedding risk management

The other option for the more mature organisations is to consolidate the current approach and focus on embedding it within operations. Embedding represents a real challenge and is not a simple and automatic development that will come with time.

Achieving an embedded state of risk management activities does not particularly require a change in practice; it is not about introducing new types of risk management technique or requiring management to do new tasks.

It does, however, require a change in the mindset that thinks of it as a compliance requirement. It is necessary to overcome the attitude that risk management is something that is forced upon management and is performed internally to comply with external standards and expectations, and to replace it with a mindset in which all employees see it as a natural part of their role and responsibility within the business.

This is about real integration of risk management practices and techniques into the management culture, supported by rewards for acceptance and adaptation.

The signs that embedded risk management has been achieved include management resistance to risk management requirements dissipating, risk analysis becoming integrated into the management decision-making and reporting cycle, risk management becoming an accepted personal performance measure, and the need for frameworks becoming less apparent as the various elements of the framework become part of the normal business structure.

Structural implications and business benefits

Leaping the performance hurdle and integrating risk management into strategy setting and business planning is not appropriate for all organisations.

Clearly, if they are not already in a disciplined state then it would be inappropriate to attempt to make these changes. But for those that are, there are some significant structural implications that should be considered.

CEOs need to start asking themselves what relationship they want with their chief risk officer and what types of risk management activity they want to apply in their strategic and business planning and execution.

Does the CEO want a trusted adviser who has substantial experience and skill to coordinate the business response to risk at all stages in the business cycle? Or does he or she want an auditor who oversees a number of processes and business activities and provides a narrower set of information at more limited points in the business cycle?

The business is likely to require a greater degree of alignment and integration of risk management responsibility with the CRO, not necessarily in a functional sense, but in a reporting sense, having formal responsibility over all employees in respect of risk management techniques, activities and processes.

It is also likely to mean further integration of processes and techniques in order to enable them to contribute consistently and provide a single view of risk, both opportunity and threat, to support strategic decisions.

For CROs and risk managers, this poses some challenges in terms of skills and capabilities. In order to make the step successfully, an infusion of new skill and expertise into the industry may be required. Senior leaders with expertise from business management, and from the risk sciences (financial and engineering), will be needed to complement the focus on audit and operational risk skills that currently dominates the profession.

The benefits from making this step change are still somewhat uncertain, but they are becoming clearer:

- improved clarity over the amount of risk relating to different strategic options
- greater consistency in the application of risk management to all business decisions and therefore much greater confidence for boards and shareholders in the likelihood of future success
- enabling the whole organisation to contribute to understanding the threats to, and opportunities for, business success and the risk relating to each
- fewer surprises emerging from within the business to throw it off course.

The implications of pursuing an embedding agenda are somewhat different.

As this is about addressing softer issues of attitudes and behaviours, it is unlikely to require a leap in terms of skills and expertise beyond those that are currently available within risk management functions. But it does require serious and clear commitment from the executive if it is to be achieved, as shifting an organisational mindset is rarely possible without it. Another prerequisite is that the business already demonstrates a number of characteristics of the disciplined risk management organisation, such as consistency in approach across the entire business, in-house leadership and dedicated, specialist resources for providing the energy for change.

The benefits to be gained from embedding risk management are clear. By becoming part of the management culture, the inefficiency that can be generated from imposing practices where they are not naturally embraced will disappear. The idea of risk management costing the business and absorbing management time will also disappear, leading to a much more efficient process of managing risk within operations.

Impetus from within

The choice for those organisations that are at the forefront of current risk management practice is clear - embed the current state or go for a performance risk management approach, returning to embedding later.

In both cases, the management mindset needs to shift from one that sees risk as a compliance-driven activity to one that is driven by its potential contribution to current and future business success.

What is less clear is where the impetus will come from. Events are not pushing organisations towards a performance agenda for risk management, nor are they necessarily requiring them to properly embed their current risk management approach and practices. Nor is regulation, which currently seems to be largely focused on setting up processes and providing evidence that they are effective. This means that organisations will need to create their own momentum from within. It is therefore an opportunity for the CRO to take the lead, and an invitation to talented managers and leaders to see this profession as ripe for a major leap forward, and to rise to the challenge.

If CROs do not rise to the challenge, and talented senior leaders from other disciplines are not enticed to develop their risk management credentials, there is a real danger of stagnation. With no vision or pressure for change, organisations may stall and even start to go backwards. Whether they can take the next leap, based on their own internal drivers alone, or not, is perhaps the biggest test of maturity that they will ever face.

- Paul Green is executive adviser, KPMG Enterprise Risk Management, Tel: 020 7694 3434, E-mail:


1) This is referred to as 'hard' in the sense that it entails introducing new tools and techniques and applying them in new ways to decision-making. Embedding, by distinction, is defined as 'soft', as it is less about introducing new techniques and more about focusing on behaviour.
2) For a summary of European responses to the European Commission's proposed plan for European corporate governance, see 'Synthesis of the responses to the Communication of the Commission to the Council and the European Parliament "Modernising Company Law and Enhancing Corporate Governance in the European Union - A Plan to Move Forward"', COM (2003) 284 final, published 15 November 2003.
3) Operational in this sense refers to operational risk management functions such as health and safety, environmental risk management and insurance.
4) 'Send In The Chief Risk Officer', Sandra Pundmann and Bill Kobel, Optimize, Issue 22, September 2003. See also 'A Hot New Job - Chief Risk Officers', Suzanne McGee, CareerJournal, May 09, 2005.