Future of risk management: new risk culture

In the history of risk management as a practice and a profession, the financial crisis of 2008 marks a significant turning point.

“Without the shadow of a doubt the financial crisis helped risk managers to take a more serious role in business,” says Elaine Heyworth, safety and assurance director at Heathrow Express. 

Before the banks failed, risk managers were mostly concerned with a narrow field of risk and with buying insurance. Afterwards, suddenly, company executives wanted to talk about risk at a senior level. Moreover, regulators went into overdrive.

“What is changing dramatically in many companies now, driven partly by the 2008 banking crisis, is that there is a lot more board-level focus on what risk management really means,” says John Scott, chief risk officer at Zurich Global Corporate.

Managing Risks: A New Framework, a Harvard Business Review paper written by Robert Kaplan and Anette Mikes in the aftermath of the crisis reviewed why risk management had failed. Scott explains that the paper concluded that “the people involved in risk management were looking at very detailed aspects of risk… and were not in a broader role looking at a whole lot of other things”. He adds that senior risk professionals now consider a “360-degree” view of risk or enterprise risk management to be more relevant and effective than more narrow-focused, traditional risk management activity.

One way to understand the shift is through Kaplan and Mikes’ concept of the three buckets of risk. First is the hygiene factor bucket, in which sits operational risk or property or business continuity-type risk, or, in financial services, mark-to-
market activity. This is day-to-day risk that should be managed as a matter of course.

The next bucket is business and strategic risk, which is where risk and strategy begin to align; it may concern competitive strategy, allocation of resources, new products or new geographies and acquisitions. The third and final bucket is risks in the environment within which an organisation operates. A global corporate trades in global macro-economic, environmental and socio-political environments, and this bucket is about understanding how such global risks interact with each other and change over time.

“A senior risk manager really has to be doing all those three buckets of activity, but often most risk managers are down in the hygiene factor stuff,” says Scott.

If the crisis made senior executives sit up with regard to risk, the task for a risk manager of determining what is in each of their three buckets and how to respond has become harder. This is where enterprise risk management comes in, because it tries to match risk activity specifically to the complex, changing risk profile of each organisation.

“There is no single answer for different types of company,” says Carl Leeman, chief risk officer of global logistics company Katoen Natie, based in Belgium. “The situation is so different in an SME, than in a large, financial company, than a publicly traded company, than a production facility. One thing of use everywhere is that risk culture should be embedded into every company’s philosophy, which today is certainly not the case everywhere. So you have to change the mentality of the people in that perspective.”

Globalisation

The process of globalisation is also contributing to the rise of enterprise risk management, because it introduces a level of complexity into running a business that did not exist a generation ago and that cries out for an enterprise-wide approach to risk.

“Risk management is getting more and more complex,” says Leeman. “In the past, many risk managers came out of insurance, which can be useful, but risk management is now much more than this.”

Overseas expansion, increasingly common for companies of all sizes in the West’s low-growth economies, brings numerous new global risks, from macro-economic, to socio-political, to environmental. “Corporates are expanding into environments that are more hostile from a political and environmental point of view. You go into regions where the same information is not available as in the West. In some parts of the world, there are no statistics on flooding, earthquake or wind velocity,” Leeman says.

Such expansion into new territories, which may have “under-developed insurance environments”, according to Bruce Wineman, Aon Global Consulting Network senior managing director of US and Canada, means that corporates “can benefit from having a seasoned risk manager who understands the dynamic nature of global risk, can keep pace with the changing options, and to implement risk programmes that support the company’s international business objectives.”

Wineman adds that “tax is an increasingly important part of how companies operate and will have a significant effect on risk management programmes. Risk managers need to improve their knowledge of tax and transfer pricing, to ensure that any risk financing programmes support the company’s business objectives from a holistic perspective.”

Neither are the consequences of globalisation a one-way street. Corporates based outside the West are discovering that the incoming global business community brings with it closer scrutiny of local business practices. 

Risk and business continuity manager at the global utilities company Veolia Environnement, Lenny-Baptiste Conil, says:
“In Asia, I see a development of media-related crises. If you look at China, the press is — and it’s a good thing — more and more free to criticise, to challenge, to investigate… although it’s not yet like in the West. However, we were not used to that before, so a lot of attention needs to be given now to external communication and public relations, even in more remote areas, and even in more niche markets.”

Cloud computing

The adoption of cloud-based, enterprise-wide software solutions is perhaps the third biggest contributor to the rise of enterprise risk management, together with globalisation and the post-crisis mentality. Companies using these sophisticated data capture and management technologies are exposed to a new tranche of data- and content-related risk.

“You really need to understand technology trends, cloud computing, outsourced data management,” says Peter Hacker, chief executive of JLT’s global communications and technology practice. “What does the EU Data Protection Directive mean from a liability point of view for a corporation? Technical understanding is very important.”

“For intangible risks relating to intellectual property, data
or content, it is not a product that you want, it’s a tailored, bespoke solution,” says Hacker. 

“The more the end result is required to be bespoke, the
more value enterprise risk management is, because there are multiple stakeholders.”

Referencing the “sheer weight of regulation”, with which companies must now comply, Julian James, president of Allied World Assurance Company (Europe), adds that “higher standards for corporate governance and anti-corruption, a flow of directives from Brussels — data privacy being a prime example — is increasing the focus of risk management. Risk managers need to keep on top of that.”

Into the future

The next significant waypoint for the profession, most senior risk managers agree, is to attract the next generation, young people from a diverse range of backgrounds, with the talent and skills to develop a robust, technologically savvy and business-relevant risk culture for the future.

“Young people think about risk in a different way from old people,” says Scott.

James throws down the gauntlet to the profession, saying that “risk management and insurance share the biggest challenge : talent. Do we have enough and where will the next generation come from? We can all debate standards and training from dawn to dusk, but if we can’t attract young people, that will be a sterile debate.” SR