Risk managers: make the board and c-suite listen

Most risk professionals and business leaders know companies are struggling to remain relevant in our highly turbulent and competitive environment.

Customers expect more for less, regulators keep raising the bar, and shareholders still expect growing returns. Organisations that are standing still could find long-term survival a serious concern as they must constantly embrace new technologies, evolve their business models and take risks amid the ever-burgeoning dangers of IT security, safety, natural catastrophes, economic volatility and the war for talent.

Enter the risk manager. Risk management is designed to help businesses achieve their goals by enabling informed decisions and challenging the status quo. Risk managers have the benefit of interacting across a whole business, which gives them a holistic vantage point that can help their stakeholders see the wood from the trees.

One would assume, therefore, that risk management is a flourishing profession – it is truly one of the most interesting and potentially rewarding professions. Yet many practitioners are left wondering why they don’t play a more substantial role in their corporation.

TIME FOR A REBRAND

Time and again, risk management is not used or understood by those who need it most. Whether you are a dedicated risk manager, you have risk as one of many hats, you’re a business person interested in risk management or a student of risk management, your biggest challenge is to get risk management methods and opinions heard, seen as relevant, respected, included and valued.

Some risk managers have access and opportunity to engage at senior levels, but their challenge is still to demonstrate value and sustain this access before the doors begin to shut or the agenda time dwindles.

We need to change the way our profession is perceived. I’m calling on all risk managers to form a coalition of change, one organisation at a time, one stakeholder at a time. The need for change is clear, the question is how?

GUIDING PRINCIPLES TO LIVE BY

Having conducted market research, interviews and working directly with some of the most successful and risk-mature organisations, I have learned that it doesn’t matter what risk management frameworks, processes, templates or systems are used, what the

strongest organisations share is a set of behaviours, capabilities and beliefs that have given rise to principles I believe are fundamental to effective risk management.

These are so powerful that by simply setting them out and being their champion (even before they are embedded), a risk manager can earn stakeholder trust and become recognised as a leader and courageous change agent.

I use these guiding principles in every slide deck, constantly reminding stakeholders this is what we are striving for, and always seek board/senior leadership commitment towards achieving them. My own actions and perspectives too are always inspired by these guiding principles:

• Empowerment
• Transparency
• Challenge the status quo
• Holistic thinking
• Embed risk management in decision-making
• Data-led risk management

An easy way to remember this is E-T-C-H-E-D:

• E – Empowerment of the risk owners

Risk owners should feel that they have the resources, authority and remit to do what is necessary to manage the risk. This is often the root of accountability issues faced by many organisations.

Risk managers need to understand that assigned risk owners do not always have the power to manage the risk – which is particularly true in large, complex organisations. We are well placed to help bring to light the real vulnerabilities, concerns and roadblocks.

This is a challenge for many businesses as it requires two-way information sharing, trust and listening with the widest staff audience possible. Organisations where front-line staff feel engaged, listened to and valued are more likely to report incidents, call out inappropriate behaviour or offer ideas on how best to serve customers. This is a larger cultural challenge, which risk managers can help unblock via risk awareness training and facilitating better communication and reporting.

• C – Challenge the status quo

Organisations that are continuously improving and embracing new ideas are often better able to deal with change, risk and business model threats. Creating such an organisation requires strong leadership from the very top but risk managers could enhance or promote the need to think innovatively to tackle risks.

• H – Holistic thinking

The benefits of holistic thinking are obvious – seeing wood from the trees allows a bigger perspective, which could help manage risks and issues. The challenge is that most businesses are built into silos. Risk managers are well placed for holistic thinking because this is usually the only department that serves the entire business, seeking out all the biggest risks and issues.

• E – Embedded risk management

While most risk managers’ remit is the risk management process and framework, it is not

a standalone process. Risk management is a capability that helps improve decision-making and should be embedded as far as possible. Doing this, however, requires a creative, flexible and partnering approach to bring about bespoke solutions one at a time. Strategic planning, capital allocation, procurement/vendor management and project governance are all areas that can benefit from a risk-based approach, risk assessment or risk consideration.

D – Data-led risk management

Introducing key risk indicators is not a new concept, but few organisations do it, or do it well enough to enable decision-making. Yet having data is the best way risk professionals will gain sustainable credibility in the boardroom, so this is a journey worth undertaking. Start from the biggest risks in the business seeking out available data or identify the challenges to getting the data.

 

THROW OUT WHAT YOU KNOW

Alongside introducing these guiding principles to our risk management, we may also need to dial down some other aspects of what we do.

Take a look at the flowchart on the previous page. A typical risk management process is shown under the risk manager’s perspective – yours may be slightly simpler (maybe you haven’t integrated risk appetite, for example) but it will mostly look similar. Now look at how a typical senior executive or board member might interpret these activities.

The executive’s perspective may sound cynical and your key sponsor or CEO might not be like that. From my experience, most senior executives and board members tend to have less time and less patience – particularly for jargon, bureaucracy, statements of the obvious and unsupported anecdotes. To ensure we satisfy governance requirements, they may follow the process flow with a tick-box mentality. In truth, it is unlikely this content will influence their decisions or running of the business. So let’s forget this approach.

Instead, we must remind the board or senior executive of the guiding principles that we are working towards. This will help them acknowledge the vulnerability that they can’t see everything in the business and see that a data-led risk process can be powerful.

We can prompt executives to think holistically about the business or the real issues we face, and we can combine the risk narrative with data extracted from within the business, which they may not have or certainly may not be contextualised as a risk.

We can discuss accountability and empowerment, engage the right stakeholders to brainstorm ideas and develop actions that challenge the status quo while continuously monitoring the data to inform whether these actions are having any effect on the risk.

To manage your expectations, for the first year you might find most discussions are around why the data is not available and actions tend to be around getting the systems and processes aligned so that the data and true picture can be extracted. When the systems are aligned, they may need to monitor the results for a longer period before making definitive plans to respond.

This is what progress looks like. It’s a long game, but with a consistent message I’m hopeful our value and that of risk management will become unquestioned. Indeed, it will be universally understood that risk management used in this way can be a powerful, strategic tool used to enable decision-making, drive actions and seek measurable outcomes.