A new generation of risk managers is emerging: enterprise-wide risk advisers who take a holistic approach.
The risk management profession is splitting into two camps. On one side are traditional risk managers, often specialising in a specific area of risk and insurance purchasing. On the other, a new breed of enterprise-wide risk advisers is emerging, people who look horizontally across an organisation and beyond to identify risk and to advise decision-makers on potential consequences.
Risk professionals who want to remain relevant to their organisations will need to transition from the old camp to the new in the next few years. But how?
Old versus new
First, it’s useful to unpick the difference between traditional risk managers and these emerging new risk advisers.
Peter Hacker, chief executive of JLT’s global communications and technology practice, describes the traditional risk manager’s role as based on physical, or tangible, risk. Typically, this means a risk such as property, health and safety, the solution for which is to purchase insurance.
“The traditional risk manager is more of an insurance purchasing manager, and then there is enterprise-wide risk management, people whom I call integrated risk managers. They are focusing on risk identification, quantification, treatment, including insurance, and control. This type of integrated risk management will increase in value in the next couple of years, because, traditionally, risk transfer has been about physical, or tangible, risks. Going forward, many risks are non-physical, or intangible, risks. These are risks related to data, intellectual property, content and perhaps related to mass liability for a corporation on its profit and loss account.”
Hacker estimates that, at the moment, about 20% of risk managers fulfil an “integrated risk manager” role, while the majority still focuses largely on buying insurance.
“These are high challenges for the future generation of risk managers,” Hacker says. “If we want to get away from risk management as a commodity and into a place where it’s a real added value, an asset, the risk manager needs to be multitasking; it’s not just risk transfer and insurance purchasing.”
The new generation of integrated risk manager thinks beyond existing narrow definitions of risk. They can raise awareness of risks across their organisation and they understand the potential financial consequences.
“Risk managers, at a more senior level, are pulling together issues across entire businesses,” says Elaine Heyworth, safety and assurance director at Heathrow Express. “That’s a very useful function, because they’re bringing a risk from one area of the business and highlighting it to another that may not have been aware that it was a risk for it.”
Looking to broader risks
In making the transition from the old camp to the new, the first step is to be more open to a wider field of risk, and to read, learn and get educated about it.
“You can start by looking at global risks,” says Heyworth. “Heathrow Express is very much a UK business, but my audience is international. So I look at a much wider perspective. There is globalisation of supply chain, globalisation of people, and the impact of climate change. You have to be willing to take that on.”
Heyworth also counsels risk managers to encourage diversity to raise the quality of their conversation about risk. “It’s about different people thinking in different ways. It’s male and female, but it’s also gay and straight, disabled, Asian, African, all kinds of different people. You really, really don’t see it in the risk space; it’s all white, middle-aged men, having the same debate all the time. A different point of view is absolutely critical for risk management.”
Get educated/understand the profit and loss
Next, risk managers need to take their new, broader knowledge of risk and to understand the potential effect on the entire organisation, including any possible financial consequences.
“Now more than ever, risk managers need to understand the risk landscape and to be able to quantify it from a financial point of view,” Hacker explains. “What could be the impact on the profit and loss account, on earnings per share?”
The new rules on company pensions are an example of where an integrated risk manager might add value in this way. “It’s a human resources risk, but our commercial team needs to know that from a revenue perspective; our revenue might be affected by the fact that more of our income is being spent on internal pension stuff, rather than going back into marketing,” says Heyworth.
Another opportunity to demonstrate value is when an organisation looks to expand into new territories, something Western European firms are increasingly doing in their quest for growth.
“I know about a case where people were ready, from a technical viewpoint, to acquire a piece of land, but nobody had noticed it was situated in a frequently flooded area,” says Carl Leeman, chief risk officer of Katoen Natie, a global logistics company. “There is potentially a big added value from risk management, you can advise on issues such as ‘this is the type of country, these are the political risks, these are the natural risks, is it a flooding area, an earthquake area, a windstorm area etc’. You should maybe not forbid people to invest there, but they should obtain the correct information to take into account and, as such, be able to adapt to it. If you invest in that area, put the building on a higher elevation or build it earthquake-proof; people should be informed upfront about those risks and potential solution, so that can be taken into account in the budget.”
After identifying where they can add value, the challenge for enterprise-wide risk managers is to communicate it. This is less about their job title and reporting line and more about developing networks of influence across an organisation.
Gaëtan Lefèvre, group risk and insurance manager at CMI, and chair of Belrim, the Belgian risk managers’ association, says: “Risk managers need to be close to the decision-makers. That doesn’t mean reporting directly to the chief executive, but the risk manager needs to be well informed to develop their function and to be involved in the decision process, or they will be lost in the coming years. It’s important to develop a way to advise the decision-makers. You have a hierarchy, but you also have an influence network. Risk managers become like an adviser to the important people of the company, but the risk remains with the manager.”
Personality goes a long way too, because the risk manager of the future needs to persuade senior management that their advice is worth taking.
Heyworth says: “A lot of it ties around personality. You have to be prepared with your elevator pitch. If you bump into your chief executive in the lift, what would you say?”
Sabrina Hartusch, global head of insurance at Triumph International, agrees, adding that personality is “equally as important” as organisational structure. “How does this person speak, communicate and engage with other people? Do they have the ability to make their voice heard, either by delivering good results or by taking opportunities to interact positively, so that others think well of risk managers, and naturally come back to them?” she asks.
The ability to build a reputation for being a dynamic, responsive risk professional is vitally important in protecting the organisations of the future.
“The winners in the long run,” Hacker says, “are going to be the ones willing to develop all these skill sets, not just in theory but in practice, and I do believe that there’s a lot of upside if we do this right.”