At a time when there is much talk about the role of the chief risk officer (CRO) and whether the profile of the risk manager is rising within the corporation, it is refreshing to talk to someone who believes these titles are largely irrelevant and sometimes even misleading. It is the processes and methodology which are important, according to Chris Lajtha, who stresses that these have to reflect and support a clearly articulated, and understood, business strategy.
When asked to identify the biggest strategic risk that publicly-quoted companies face, Lajtha says that it is not having a clear strategy in the first place. "That sounds glib, but it is not as obvious as one might think. The threat lies in a combination of not having a clear strategy in the first place and, secondly, not communicating it to the stakeholders properly. These are two critical issues, and too many organisations are still not focusing on them enough."
How should an organisation set about developing or revising its business strategy? Lajtha believes that it is the role of the executive management team to develop the strategy and then to submit it for approval to the board - and to be prepared to defend it. "The board will hopefully try to find weaknesses and, to the extent that board members can contribute to and enrich the strategy, so much the better. If I was a board member I would expect my executive management team to propose a business strategy with several options. I would attempt to stress-test each proposition for resilience."
He admits that the task of developing business strategies is not easy because of the significant rate of change in the business world. "Organisations may have to revisit and refresh their strategy relatively frequently. But if they don't develop a clear strategy in the first place, they won't have a framework against which to make tactical decisions, or against which to make strategic revisions.
"If you don't have a clear business strategy, how do you allocate capital between the component business activities, or even know how much capital you need? What do you disclose in prospectuses? How do you measure the returns you are getting? Against what do you measure the performance of your senior management teams? But once that strategy has been discussed and developed, it needs to be communicated to the interested parties. That is often not done terribly well - certainly not as well as it could be - in many organisations."
He stresses, too, that communicating with stakeholders does not just mean talking to shareholders, investors and analysts. "Companies sometimes forget that their employees and customers are stakeholders - they too have an interest in the business strategy and also in the way the company articulates and manages the related risk-return balances.
"The business strategy should be couched in terms of risk and return over various, specified, time periods, since there is very little that is certain in this world. Risk should be articulated in both positive and negative terms - not just in negative terms. Publicly quoted companies, in particular, should be prepared to remind their shareholders that they are mandated to take risk; it is disingenuous to pretend otherwise. A credible business strategy depends on the degree to which the interested stakeholders are convinced by the articulation of the risk-return profiles - and by their belief that the executive management team is willing and able to revise the business strategy quickly and effectively if there are material deviations from the range of expected outcomes in its business activities."
Lajtha says that in his experience the risk manager is unlikely to be involved in developing the strategy, although he might be asked for his input on strategic strengths and weaknesses. "Arguably, the pharmaceutical industry, which has had big issues associated with risk, may be an exception, depending on the calibre of the individual and his or her team. Risk has become a core strategic issue for the large pharmaceutical companies, but, more generally, you don't see risk managers being involved in developing strategy."
If the risk manager does not have a role at this stage, how about that much talked-about but still rare breed - the chief risk officer (CRO)?
This question triggers a very definite response from Lajtha.
"I don't really understand the term CRO. I think it emanated from the financial services and banking industry in response to the Basel I and II requirements to address operational risk. I find it very confusing. In fact, I think the title of risk manager is a bit of a misnomer, because the person concerned does not manage risk. Risk is a concept - a measure of deviation from a range of expected outcomes. And you cannot manage a measure. You manage people, a project, a company - but you can't manage risk. You react to risk and opportunity - you don't manage it. I think we are horribly betrayed by misuse of words and vocabulary in the risk area."
Lajtha also believes that the implications of the title 'risk manager' can be dangerous in a large, decentralised organisation. "There might be a feeling that people out in the field do not have to pay too much attention to risk because someone at headquarters is managing it. But risk and reward are entirely tied up with operations and with the people who have operational responsibilities to commit the company to contractual obligations, sell products, provide services, rent space or whatever. The notion that there is some person managing risk - probably working within a centralised business support function and with little decision-making authority - is a dangerous illusion. If there are so-called risk managers, they are the line managers in the field with binding operational authority, responsibilities and accountabilities.
"The title of CRO could be even more misleading. I've always thought that the only person who could possibly have anything like that sort of work scope and responsibility is the CEO. The existence of a multi-disciplinary risk oversight and compliance team or committee that provokes and coordinates information flows to the CEO - and also to the non-executive audit committee - makes more sense than focusing attention on the energy, foresight and wisdom of one person, especially if that person is someone other than the CEO."
Lajtha admits, however, that it is not easy to think up an alternative to the title 'risk manager'. "I suppose some possibilities are 'director of risk management', 'risk management coordinator', 'risk management adviser' or 'risk management team leader'. Clearly, there is a risk management coordination role. And if we do rename risk managers, I'd like the new title to suggest the notion of return and reward, to act as a counterbalance to the notion of risk where it is so often viewed only negatively."
This element of being a coordinator, messenger and communicator rather than a manager, again emerges strongly when discussing whether risk managers have all the skills they need, bearing in mind the very many different functions and processes that occur in a large organisation today. "What CEO has got expertise in all areas?" asks Lajtha. "How much less has the so-called risk manager got! In any case, the risk manager doesn't need this comprehensive expertise, because many people inside and outside the organisation are risk management practitioners. They may possess different skills and experience, but in various ways they all contribute to the risk management processes or compliance with the risk management policy.
"For example, people in the treasury team are risk management practitioners to the extent that they are monitoring and managing volatility in areas such as credit, liquidity, interest rates, commodity and currency movements. The same goes for safety managers holding safety meetings and ensuring the correct safety equipment and procedures are used; environmental managers looking at land use; the legal department looking at the terms of legal obligations to customers; the regulatory compliance or trade practices team, the IT security experts ... They are all risk management practitioners."
Lajtha explains that, in his previous position as corporate risk and insurance manager at Schlumberger, he tried to disassociate his team from ownership of much of the risk management process - risk identification, assessment, and risk control, risk financing and risk management communication - and to put ownership of the first three with the line management. He made sure they knew that they had considerable risk management support from a number of 'pockets of risk management expertise' within the company, not just within his team. "My team's focus was concentrating on centralised risk financing, risk management coordination - making sure that the operations managers knew of the existence of these pockets of risk management practitioners - and risk management communication."
"Risk management is a process or practice that can be applied in many different areas. The notion that a single person, however brilliant, should stay abreast of all the exposures facing the company, not least the mushrooming exposures relating to regulatory compliance requirements around the world, is totally unrealistic."
He stresses that risk management is about the processes and how they help to support the attainment of the business objectives - which in turn are set to support the business strategies. "The business case for risk-reward management is to facilitate better decision-making in the face of uncertainty. Some of these decisions involve taking or assuming risk - perhaps more risk than in the past - to seize business opportunities which have been previously avoided because of innate risk aversion or fear of sanction."
Lajtha also sees another important part of the communication and coordination role as involving external contacts. "When I was working at Schlumberger, I considered that a critical part of my role involved investigation outside the group, networking to find out what risk management meant for other organisations, how they were addressing different issues, what worked and what failed. Then I could bring that information and new ideas back into the group."
"Risk management is part of general management," says Lajtha. "It is a historical accident that people have seen it as a separate function. It is getting much wider attention from senior management teams today. People are more knowledgeable about risk and uncertainty. They can carry out risk mapping exercises and undertake both qualitative and quantitative risk analysis in addressing possible project or business activity exposure profiles. Since the early 1990s, many powerful analytical tools have been developed that run on PCs - enabling access to many more users. Also business schools are now offering high-quality, mature risk management courses."
He wonders whether, in 25 years' time, general management teams will be as knowledgeable on risk management as the risk manager is today. And this concept of course begs the question of whether companies will need to have a designated risk manager at all.
Despite his dislike of the title, Lajtha has not consigned the role of risk manager to the recycle bin. "If I'm right and operations managers become skilled in risk management, just as they are in areas like customer relations and project management, I think that will be an excellent development. But the big danger is that these managers are very busy people. They won't have the time to look outside the organisation or spot what risks might be emerging in the next five or 10 years. You need people who can look ahead and try to stress-test different models, take note of the signals and identify emerging opportunities. That 'ideas' role will always be necessary at the corporate centre - someone who is paid to be outside the mainstream of group think."
Lajtha concludes: "In my opinion, there's too much talk and there are too many workshops that spend time looking at who is going to do what and who is going to own risk management. I'm much more interested in what we are asking people to do and how they might contribute to the organisation. The most important thing is to look at the spectrum of risk management practices and how to improve risk management tools and techniques. I'd rather focus on processes, tools and techniques for delivering performance than on who does it".
- Chris Lajtha is the founder/owner of ADAGEO - a risk management consulting company, based just outside Paris, Tel: +33 (6) 16 32 11 38, E-mail: firstname.lastname@example.org.