With the theme of this year’s FERMA forum being the future of risk management, Lee Coppack looks at how the risk manager’s role is evolving in Europe

As banks struggle with the sour fruits of financial risk management, corporate risk managers are reasserting the value of traditional approaches to managing risk.

Corporate risk management was traditionally linked with insurable risks, if not with insurance itself, and lacked the heady excitement of making lots of money and the intellectual challenge of higher mathematics that were the preserve of financial risk management. US economist Harry Markowitz, who developed the theory of the efficient frontier of risk and return in a portfolio of securities, for example, received a Nobel Prize.

Over the past 10 years, compliance has also become an important factor, as corporate governance measures, such as the UK’s Combined Code, Germany’s KonTraG and the US Sarbanes-Oxley Act, have focused companies’ minds on their responsibility to avoid nasty surprises for investors. Pressure developed for a senior risk professional or even a chief risk officer (CRO) to sit on the board, or at least to report directly to it.

The more traditional role of risk and insurance manager was seen as somehow limited and unambitious. After all, who did not want a seat on the board, or at least the ear of the chief executive?

Veteran risk manager and one of the founders of the Federation of European Risk Management Associations (FERMA), François Settembrino, blames risk managers themselves for not fighting the seizure of their fledgling profession by financial people or quantitative modellers, because of their dependence on their insurers and brokers.

‘Why did the risk management community not react vigorously? I believe because they depend much too much on their service providers,’ he wrote in a letter to the July 2009 edition of InfoRM, the former publication of the Institute of Risk Management (IRM). ‘The risk management community lacks thinkers and writers,’ he added.

Commentator Felix Kloman in the opening essay of his 2008 collection, The Fantods of Risk, says the original use of the term risk management was ‘a euphemism for insurance buying’. He argues that risk management ought to be defined as ‘a discipline for dealing with uncertainty’, whose goal is ‘to build and maintain the confidence of the stakeholders in the organisation.’

Kloman’s definition implies that risk management should have enormous scope. It should certainly comprise strategic risks, such as competitive position and regulation, as well as financial, reputation and operational risks; indeed, anything that could damage the standing of the organisation.

This global role, says Peter den Dekker, current president of the Federation of European Risk Management Associations (FERMA) and corporate insurance risk manager at Dutch multinational Stork, belongs not to the company risk manager, but to the most senior executive who is responsible to the owners of the business. ‘The chief executive is the ultimate manager of risk,’ he says.

A similar view is to be found in the March 2009 report from the Economist Intelligence Unit (EIU), Managing risk in perilous times. It states: ‘Risk management must be defined as being the role of senior management, usually the chief executive. There should also be appropriate board oversight of risk, usually through the audit committee or a risk committee. The chief executive, as the owner of risk in the institution, must be seen to elevate the authority of risk management, and his or her focus on risk must filter through the organisation to build a robust, pervasive risk culture.’

The rise of the CRO

Hundreds of people, however, are called chief risk officer (CRO). The job title is credited to James Lam, a US analyst, and dates from 1993, when he joined the newly formed GE Capital with responsibility for all functions other than sales and trading, including risk management. At that time, Lam explained in an article published in ERisk in April 2000, companies had begun appointing chief information officers to integrate all their uses of technology, and he saw a parallel function in risk. His risk management role encompassed market, credit and operational risks.

The position of CRO became more common once the Basel Accord on banking security, the Sarbanes-Oxley Act and the UK’s Turnbull Report provided guidance on internal control. The first adopters were sectors whose business is actually risk: financial institutions, investment houses and insurers, where the role of the CRO is effectively an operational one, and also data-heavy industries, such as energy companies and utilities.

The C-suite seemed to beckon. For instance, in his 2003 book Enterprise Risk Management – From Incentives to Controls, James Lam comments: ‘The trend towards enterprise risk management (ERM) and the appointment of CROs has created an exciting career path and attractive compensation opportunities for risk professionals. However, this new career opportunity will only be available to risk professionals that continue to develop new skills and gain new experiences, while the others will be left behind.

‘The salary gap that has developed over the past several years will continue to widen in the next 10 years. On the one hand, the compensation for risk professionals with cross-functional skills will increase faster than other professions, due to rising demand for their services. On the other hand, risk professionals with narrow skills, or serving limited intermediary roles, will not enjoy above average raises, and may in fact see their job security decline as their jobs become less relevant in the new world of risk management.’

CRO positions, however, remain concentrated in their original industries, and den Dekker is rather sceptical of their value, especially outside financial services. ‘The CRO is not a specialist in risk management, but is basically the person on the board who holds that title for two main reasons. One is to satisfy the shareholders that the company is taking risk management seriously. Second, it is the position that oversees all risk management activities below the board of management, but this is not a guarantee that the company has enterprise wide risk management. For that, it is essential to have a team that works together; otherwise the company will work in silos and continue to do so.’

Value of insurance

Rather than dismissing insurance buying as an administrative job, den Dekker says that insurance is a medium through which the true risk manager can break down the barriers to communication about risks in the organisation. ‘In my view, if the risk manager is doing the job properly, he or she will already be involved in many risk areas of the company, so their thinking is going to be well grounded, and they will grow into a broader enterprise risk management position. They are usually good communicators and because they need to be aware of operational risks, they visit everyone and everyone knows them.’

John Drzik, president and chief executive of Oliver Wyman, also highlights the limits of quantitative modelling. ‘You can build much more sophisticated models where there's lots of data to work with. That doesn't mean you're focusing on the biggest problems that firms face, because those are where you have thin data sets and often have to make judgment calls,’ he said during the Wharton School of Business round table. (Its report, The new role of risk management: Rebuilding the model, was published in June 2009.)

Modelling commodity prices, for example, for which there is plenty of data, may be less useful than monitoring political risks, which are often insurable, such as the seizure by the Venezuelan government of a rice processing plant belonging to the US giant Cargill in March 2009.

Den Dekker is sceptical of the value of a boardroom position. He makes the point that if a CRO is a member of the board, he or she will be part of the decision-making process for the whole company and so part of the strategic risk-taking process. In a public company, the board may feel under pressure to perform from quarter to quarter and from day to day in its trading results. ‘The risk manager needs to be an independent thinker, someone who is able to express themselves independently.’

Professionalism is key

The diverse and diffuse nature of general risk management may make its value more difficult to grasp. Harry Daugird, a member of the board of the German risk management association BFV, and president of Komposit Risk Consultants and Insurance Brokers, a unit of the engineering giant ABB, also serves as president of the Insurance Commission of the Federation of German Industries. He says risk management is still not clearly defined and so it has not been able to make the impact its advocates would like.

‘Our core competence is the management of insurable risk. It is very important to the business, and we should be satisfied if we do this job in a successful way,’ he states.

The way the IRM has developed its educational offerings in the last few years is an indication of how companies see risk management. First, IRM has been very successful with its basic course in the principles of risk management, suitable for managers and specialists in other disciplines, the Certificate in Risk Management. Second, more recently it has made the syllabus of the Certificate and its post-graduate qualification, the Diploma in Risk Management, more international.

Steve Fowler, the institute’s CEO, argues that risk management needs to be a profession in its own right with an over-arching body of knowledge about the subject. ‘I believe professionalism to be really important for risk management and risk managers to have a future. There is no other option. Otherwise, it becomes vague and applies to all sorts of jobs. My current concern is where we have a lot of people who call themselves risk managers, but have no education in the subject to differentiate themselves.’

In the same way as there are corporate, criminal and family lawyers within the legal profession, so Fowler believes there will be a number of different jobs within risk management. ‘Some risk managers will have a broad perspective and ability, while we will also have people who specialise in different areas of risk, such as insurance managers, corporate responsibility or IT security.’

The CRO role will not disappear. Prudent regimes like Solvency II make it almost essential for financial companies, according to den Dekker, but, depending on the type of company, he sees the risk manager as someone who understands operational risk, an intelligent person who can get the operating companies to talk to each other and come up with a report for senior management.

‘I see the natural progression of a risk or risk and insurance manager toward an enterprise risk management role, more than one of a chief risk officer.’ How effective the person is, he says, depends on the ways they sell themselves within the company.

‘The person needs to be a facilitator, rather than a frustrator,’ he says.