Certification: a game changer for risk management?

A master of pithy sayings about investment, Warren Buffett also made a shrewd observation about risk management. “Risk comes from not knowing what you’re doing,” he once said. As a summary of the position of many companies floundering in a sea of risks, it is typically insightful.

Given the number and variety of potential threats and the problems many businesses are experiencing as they struggle with current problems and face new ones, their predicament is hardly surprising. Julia Graham, FERMA president, quotes Buffett’s observation in support of her commitment to professional-standard certification and continuous education for risk managers in Europe.

She sees FERMA’s development of ongoing courses as a game-changer that will reap dividends across Europe.

FERMA’s certification programme is likely to become international. In short, it could become the default standard outside Europe, particularly in the Middle East and Asia. “Possibly, it could become the standard,” she says. “However, it is important to start in your own backyard. Will other [regions] join in later? Probably, but FERMA must remember who it represents.”

In any case, the outcome will be the same. Companies with highly trained risk managers will be far more likely to know what they are doing.

Trial by YouTube

For some, that stage cannot come fast enough. The past two years show just how vulnerable the business world is to a multiplicity of threats: the chaotic process of globalisation, breakneck advances in technology and exposure to random, merciless 24/7 media. The last threat will probably turn out to be the most serious. “Even five years ago, it was hard for companies to get ahead of the media in a crisis,” explains John Hurrell, chief executive of Airmic. “Now, it’s practically impossible.”

In this round-the-clock environment, the future is just around the corner. “Things that will bite companies on the bottom are short-term issues,” warns Hurrell.

“The risks are immediate and boards must be prepared for short-term events.”

A chairman’s worst nightmare could become trial by YouTube, as an avalanche of information – much of it misinformed – pours into the digital world following a power outage, boardroom scandal or juicy news item.

Resilience

In an era of fast-approaching risks, the watchword will be resilience. Because it is impossible to protect against every threat, resilience will be built on the speed of response. “Do companies want to act like tortoises or shoals of fish?” Hurrell asks. “A crisis management plan must be in place before the crisis.” At the very least, the company should be in a position to move at the speed of the crisis, or preferably, be a move or two ahead.

In this scenario, the risk manager of the future will have an influential role. Tom Teixeira, a managing director of Alvarez & Marsal in London, predicts that the traditional, somewhat negative role of somebody who is preoccupied with prevention and avoidance will be transformed into that of guidance and recovery.

“Risk managers will be involved in crisis management to minimise business disruption,” he explains. “Business continuity [will also be essential]. The two roles cannot be separated these days; it’s the new, integrated approach.”

Also, the contemporary risk manager will be seen as a facilitator, an executive with the tools that enable the company to take risks rather than avoid them.

“Too often, risk managers are seen as blockers,” explains Jonathan Salter, director of global consulting at RSA, the division responsible for risk management and loss prevention. “Risk managers should have a can-do attitude. They should be able to go to the board and say, ‘Tell me what you want to do and we’ll find the solution.’ That’s probably of number-one importance for risk managers today.”

Positive rather than negative managers will gain the confidence of the board. In Salter’s experience, risk managers are most effective in such an environment.“The more influential risk managers have cracked that board and chief executive relationship,” he says.

The creative risk manager will deploy a range of tools to keep boards informed about the nature and depth of the risks a company is running. “Risk is not easily quantifiable,” adds Salter. “It’s more dynamic than, say, finance. RSA has invested heavily in tools that allow risk metrics to be measured and made more transparent.

However, the information must be robust and reliable. It must be joined up and correctly interpreted.” He thinks the use of these sophisticated tools will become standard practice.

Fundamental principles

Clearly, the need for formal training has never been as great. FERMA bases its programme on several fundamental principles. The resulting certification must be objective, consistent, based on continuous learning, recognisable across all EU nations and founded on a code of ethics. In short, a thoroughly professional qualification that produces trusted advisers. Just as in other professions, one organisation – in this case, FERMA – will be seen as the standard bearer in the development of risk management.

Finally, in the interests of maintaining standards, the providers of the learning programmes must be licensed. “The benchmarks must be the same, wherever risk managers are,” says Graham.

However, nothing can replace experience and Salter believes today’s risk experts – risk managers, brokers and insurers – have a duty to pass on their knowledge. “We need to educate the next generation,” he says.

Revolution in Asia

A growing number of those risk managers will be in Asia as the philosophy and practice of risk management fast moves up several notches. Because tariff walls are collapsing and markets are opening up, particularly in rapidly developing Association of Southeast Asian Nations (ASEAN) countries, risk managers are expecting an onslaught of unfamiliar challenges.

Many manufacturers are facing Western-style product liability litigation for the first time and believe the trend will only increase. They will be forced to become familiar with often wildly differing liability laws as they export to nations across the region. The era of free – or freer – trade will also affect them. Not only will they be forced to deal with different governments and contradictory regulations, but they will face new competitors.

“Things are moving fast,” says Gabriel Chew, head of insurance programmes and training at Singapore’s Continental Oils and Fats Pte Ltd. “There’s an opportunity of risk coming for some industries.”

Ginger groups

In the wake of highly publicised campaigns, Asia’s risk managers are also being forced into the public arena on environmental issues, a relatively new phenomenon in a region where economic growth has sometimes come at an ecological cost. Companies will be required to become good environmental citizens as highly politicised ginger (internal) groups learn how to publicise their grievances. Pressure is also coming from governments.

“The regulatory authorities are more concerned now,” adds Chew, a regional standard bearer for improved risk management practices. “The level of scrutiny varies across the region, but the pressure is on companies to ensure good environmental practices are in place.”

Ear of the board

In Asia as elsewhere, the fast-rising prevalence and diversity of commercial threats have fuelled a call for risk managers to be given higher status and authority within companies, including a seat on the board.

However, this may be unnecessary, says Graham: “Each organisation has to decide for itself. There’s no single blueprint. Usually, chief executives have overall responsibility for risk management, and they are on the board. However, if risk management is not on the board, it’s more often co-opted. Certainly though, risk management is taking a more strategic position in companies. That means the bar is rising.”

Others see a convergence of risk management functions. For one, the Brussels-based European Confederation of Institutes of Internal Auditing (ECIAA) believes the link between risk managers and internal auditors will strengthen. Indeed, it sees this as inevitable in the wake of EU legislation designed to enforce better corporate behaviour and governance.

The ECIAA and FERMA have produced a joint guide on the eight Company Law Directive. Its purpose is to help risk managers and auditors work through the onerous requirements. As the guide points out: “Co-operation between the audit committee and the risk committee is crucial to ensure a common risk management approach.”

Some companies are expected to comply with the directive by imitating the financial sector, where the risk management function is now enshrined in regulation. If so, they will establish dedicated risk committees with a firm grip on information of vital commercial importance. Armed with this data, the risk management function will be in a position to challenge management and even the board.

Last bastions

The gold-plating of the risk management function will likely occur first in the utilities and other sectors with a public presence. Hurrell says this is already happening in much of the oil and gas, water and telecommunications industries, each of which has a natural exposure to reputational damage. Other sectors with strong brand values, such as high-street retailers, are also following the trend.

Eventually, risk management will invade what Hurrell describes as “the last bastions – obscure business-tobusiness companies with little or no brand values”. He sees this happening in the next five years or so.

The China conference

By then, Asia may be teaching the West a few lessons in risk management. For example, China’s knowledge of the function is increasing fast. StrategicRISK organized groundbreaking roundtables on risk management in 2014, and the fast-growing Pan-Asia Risk and Insurance Management Association will host China’s first full-scale risk management conference later this year. It is a sign of the times that, together with a strong international contingent, some 60 Chinese companies had already signed up by early 2015.