We need to create two distinct and defined roles in risk management to drive new solutions in a changing world, writes John Ludlow, chief executive for Airmic
Four words – New world. New solutions – and the theme of this year’s Airmic annual conference sums up, succinctly, the state of business, the state of riskmanagement and, crucially, our role within it.
The new world is perpetuated by several trends. Most notably, the advancement of new technology, which underpins the depth and velocity of the business transformation that is so prolific today. Then the acceleration in globalisation – which, as author Thomas Friedman described it, is “further, faster, cheaper, and deeper” – connecting businesses from the Atlantic to the Pacific and every location in between into a global ecosystem of trade, distribution, and supply chains.
There are also new economies in the on-demand, sharing and intangible markets, initiated by so-called unicorn start-ups, which are driving competition and change faster than we have ever witnessed before.
And new solutions. This incapsulates the risk community’s ambition to pioneer new thinking in risk so that we can ensure the success and resiliency of our businesses in the face of this brave new world.
As business continues to shift and evolve, risk management will need to adapt and play a more significant role in helping the board of directors and c-suite develop a more risk-intelligent organisation. So, from a risk perspective, what does this need to look like?
Risk management, by and large, operates on two or three main levels – operational, tactical and strategic. In other words, bottom-up (operational) and top down (strategic and tactical).
Operational is all about optimising the efficiency and effectiveness of an organisation. At the strategic level, risk management is about creating a defined model for identifying, assessing and managing risk and uncertainties.
It is the ‘what’ – what is your business model? ‘Why’ – your purpose and value; ‘when’ – your priorities; ‘where’ – the internal and external contexts; and ‘who’ – the capabilities. Tactical risk management drives the delivery of this strategy, this relates to change management – anticipating the internal blockages and resistance to risk management and unblocking them.
It is about taking stakeholders on a journey and helping them recognise the true value of risk, as well as its business enablement potential, and its capability to support intelligent risk-taking.
It is about getting into the same mindsets of the board and using this to drive change.
And within these two pillars – strategic and tactical – is where we need to effect the biggest change so that we can drive risk management further up the risk maturity curve and respond to the risks of the new world.
Indeed, the concept and theoretical parts of risk management are in good shape – we are very good at working bottom up. We are the experts in compliance and operation risk. And we have a healthy community of professionals who drive strategic and tactical risk management. But change is a question of elevating the number of professionals who can confidently lead – who can shape and enhance strategic and tactical risk management – an area that Airmic is working hard to support its members to do.
So, my vision for #ChangingRisk is to create distinct roles of the risk management function – splitting out the strategic and tactical from the operational. These functions – equally as important as the other – are different mindsets and would not be combined into one meeting or one role in larger teams, as is the case in many organisations. They should, instead, be considered as two distinct jobs.
Take the finance profession as one example. In a large company we would not expect a financial accountant, who conducts general financial management, to also be the management accountant, forecasting the financial health of the company’s future. These are two different disciplines – so, why should one risk manager always be expected to be able to conduct all three disciplines of risk management?
Combining these job roles confuses the risk conversation and the understanding of risk management among the c-suite and board. Strategic and tactical; and operational risk management are two different occasions to talk to the business. And when approaching the board, we must be clear on what perspective we are giving – the operational or the strategic and tactical? These disciplines within business are simply referred to as ‘risk management’, and technically they are. But one is bottom-up and the other is top down. Yes, they are both risk management, but they must to be orientated differently, so the value of each is clear.
Finally, we need to support risk managers to develop the competencies that they need to help their organisations become risk intelligent. We are well-versed in the theory. The next step is to build on the knowledge – strategic-influencing skills, change management, and team building.
For me, #ChangingRisk is about developing capability and capacity within the risk management community so we can respond to the new world with new solutions