Risk managers have a golden opportunity to step up into a strategic board advisory role – if internal auditors and other finance professionals don’t get there first. But there are ways to fight back, as Alex Hindson, deputy chairman of the IRM, tells Nathan Skinner.
Risk managers need to up their skills and professionalism, or they could lose out to audit or other finance professionals, warns Alex Hindson, an experienced risk manager and deputy chairman of the Institute of Risk Management (IRM).
“Risk managers who are focused on insurance buying and health and safety are biting the dust, because the risk agenda is being picked up by heads of audit,” he tells StrategicRISK. “Risk managers need to be technically confident and qualified, but they also need to have some of those soft skills in terms of influencing stakeholders and communication. That’s where internal auditors may have stolen a march in some companies.”
The situation has been crystallised by the increased requirement for board-level risk management advisers in the wake of the financial crisis, he says. “In financial services firms, the role has grown and the focus has grown. It is very serious. A lot of organisations are putting in place chief risk officers (CROs) and heads of risk that have a close reporting line to the chief executive.” If traditional risk managers want to step up into that privileged position, they need to ensure that they have the necessary skills in place.
Hindson backs himself by drawing attention to the significant number of internal auditors pursuing IRM qualifications. “They’re the biggest group of people taking the IRM Certificate in Risk Management,” he says. “That tells you something. It might be because they are positioning themselves to take that risk role. How many risk managers have audit as their second qualification? How many risk managers are accountants? If you want that head of audit and risk role, you have to invest in having the audit skills.”
He thinks there is a “three to five-year” window for risk managers to benefit professionally from the increased emphasis that their job now has. “If we miss that opportunity, we will lose out to people who have an audit and finance background.” So what’s expected of this new risk profession?
Hindson thinks it is about financial awareness and the governance of risk. “It means stepping beyond just doing risk assessments and thinking about the structure of the risk management frameworks and policy,” he says. “You only have to look at the new governance codes that mention risk appetite. That’s an opportunity for the risk profession that we must grab hold of.
“We’re being given it on a plate. The UK corporate governance code requires the board to determine the nature and extent of the significant risks it is willing to take. That means setting a risk appetite.
“It then has two routes; it can go to its risk manager or it can go to one of the big four. And if the risk manager is not well positioned, it will go elsewhere. So it’s a real opportunity.” Risk appetite, which means the total value of corporate resources that the board is willing to put at risk, is a new concept outside the financial sector. But it is a concept that risk managers need to come to terms with and understand, says Hindson.
This new breed of risk manager needs to speak the same language as the business he or she works in. “If you use jargon and make it hard for people, they will go elsewhere. The key is to be relevant, to listen and to adapt,” he says. “We as a profession can get wrapped up in technical risk language or insurance issues. But that’s not what the business is worrying about.”
Risk managers instead should concern themselves with strategic issues and how they can help the board achieve its commercial goals. It could mean looking at a potential acquisition and identifying the risks that should be factored in and putting in a process to manage them, says Hindson. It is those “big ticket decisions” that strategic risk managers should concern themselves with.
Risk managers also should be interested in how the rating agencies evaluate enterprise risk management (ERM) programmes. If they can position their company to achieve a rating upgrade through a positive assessment of the ERM programme, they can achieve overnight success.
“What we’ve realised at the IRM is the only way you’re going to be treated like a professional is to act like one,” Hindson says. “It is in each person’s hands.
“If a lot of auditors are taking risk qualifications and not many risk professionals are branching out to have broader skills – either soft skills or credibility in terms of financial skills – then your traditional insurance buyer will lose out to an auditor every time. Risk managers with an ERM background have more of a fighting chance. But that’s not to say someone with an insurance background can’t take on risk or audit skills.
“It is personal risk management. To manage the risk, you have to recognise the threat and put a contingency plan in place. Risk managers who don’t adapt will get swallowed up by auditors.”