Tougher corporate governance standards have changed how risk managers work, says Neil Hodge. Why, they've even been known to change boardroom thinking...

Not so long ago, the term “risk” was a dirty word in boardrooms – an organisational problem that needed to be eradicated entirely from the business through a mixture of insurance cover and robust internal controls. As business risk began to be appreciated, so too did the function that was in charge of identifying it – risk management.

The profession has come on a long way in the past decade. While its rise in boardroom estimation is due in large part to its own achievements in providing management assurance, other key drivers have contributed to the function’s success – namely, the slew of corporate governance standards and regulations that have come into force following high-profile corporate failures, as well as the severe penalties that accompany them for non-compliance.

As management demands for risk assurance became more varied, so too did the role of the risk manager. Paul Howard, head of insurance and risk management at retailer Sainsbury’s, and chairman of UK risk management association Airmic, says that risk managers are now involved in a much broader range of disciplines. “The role of risk manager has much more variety now than it did ten years ago. Risk is a key issue for the board to consider and effective risk management, as well as leveraging the business opportunities that strategic risk management presents, are high on the board’s agenda,” says Howard.

“Risk managers are now being asked to give much more assurance on the organisation’s business plans going forward and are regularly being asked to challenge the boardroom thinking by asking ‘what if’-type questions about strategic planning. Risk management is developing into an internal consultative function for executives to sound out their thinking. There is no doubt that the function is growing in boardroom estimation,” he adds.

Richard Walters, chief technology officer at IT security firm Overtis Group, also believes that the role of the risk manager is changing. “Three or four years ago organisations had risk managers working in very narrow roles examining very specialist aspects of the business’ risk profile,” he says. “For example, a retailer would have a risk manager working solely on fraud, another would be working on supply chain risks, and another would work on point of sale risks. Now, risk managers are moving from working in very narrow roles to working on a much wider understanding of business risk and are no longer working in ‘silos’, though there is still some resistance to this as people are reluctant to move out of their comfort zones.

“Organisations are also getting behind the concept of enterprise risk management, as well as the idea of appointing a chief risk officer to oversee, champion and co-ordinate the organisation’s risk management framework and how the risks to the business may impact strategy,” adds Walters. “Functions such as audit, risk and compliance are still very separate but there is greater movement to get them closer together. We are starting to see more people working together in these departments more frequently,” he says.

There is general agreement among risk managers that the profession is undergoing a transition and that its profile is being raised. But there is also some debate about how the function may develop. Phil Ellis, CEO of insurance broker Willis’ structured risk solutions practice, says that “up until recently risk managers have been left to take charge of the insurance cover that they needed to buy and have only really come into contact with the executive board if there was a huge loss that they needed to deal with.”

However, Ellis adds that one element of the transition taking place is that the executive board has now put risk at the top of the agenda and it wants more information and greater assurance on uninsurable risks to the business, such as what the organisation is doing to protect brand reputation, debt covenants, and the company’s credit rating, as well as evidence that insurance cover is being purchased competitively and underwritten more comprehensively. As a result, he says, risk managers are now under greater scrutiny and pressure from executives to drive down the costs of insurance while broadening the range of coverage.

“Organisations now want to manage more of their risk than before in an effort to cut premiums and improve their own risk understanding, and they are confident that they are able to do so, especially as enterprise risk management becomes embedded throughout all the organisation’s activities,” says Ellis. “Insurance is seen as a tool to manage risks that are too expensive to deal with in-house, or are too complicated or arcane to try to cover without it. All of these trends mean that the risk manager has become more visible to the board; there is much greater expectation around what the function needs to deliver, and the status of the profession has risen as a result.”

A key driver of the board’s interest in better risk management is that corporate governance standards worldwide have pinned ultimate responsibility for risk management and corporate failure on executive management. Paul Taylor, board member of the Federation of European Risk Management Associations (FERMA), deputy chairman of Airmic, and director of risk assurance at Morgan Crucible, says that corporate governance standards and requirements all over the world have made organisations manage their risks in a much more structured way and have pushed risk management up the boardroom agenda. The onus on better governance has also created a broader role for risk management and has increased the profile of supporting functions like internal audit, he says.

“Risk management is helping the executive committees and the board to make better informed decisions about strategic opportunities for the business,” says Taylor. “The function is helping to improve the predictability of business planning so that when organisations set an objective that they want to achieve, risk management is able to clarify what the potential impacts – positive and negative – may be on the business and on the projects themselves and may prevent any unwanted surprises from occurring. This kind of management information is vitally important as it can help ensure the planned return on investments, research and development as well as supporting business decisions related to strategy and business objectives,” he adds.

Bill Rann, UK head of practice and global head of strategy at telecoms services provider BT Global Services, says that the recent developments in corporate governance standards mean that investors and stakeholders – not just executive management – also need much greater assurance on risks to the business, particularly in the wake of the current financial crisis.

“Boards want their stakeholders to know their business is compliant, and that compliance and risk teams collaborate with their business units rather than simply police them,” says Rann. “The executive wants to know how advantage is fashioned from excellence in risk management. The link between performance, compliance and risk management places a premium on the selection and management of controls. Continuous risk management can support better decision making and create competitive advantage through sustainable performance improvement. The vital link between performance and operational risk management places a premium on making the right technology and infrastructure choices which must be informed by the mantra of business benefits,” he adds.

Some experts believe that the current wave of corporate governance regulations attempts to clarify responsibility for monitoring an organisation's strategic risk – the regulations define risk appetites and tolerances for major initiatives and elements of the business model so that the level of acceptable risk is understood. Furthermore, they believe that the regulations help oversee the management of risk through more appropriately resourced risk committees and risk managers. Mike Morley-Fletcher, director in the risk practice for professional services firm Ernst & Young, believes that one of the key opportunities for risk management going forward is to step up and show the board and senior management how it can decipher these new regulatory demands and demonstrate how it can add value to the business.

“What is needed is an individual who is independent of mind, comfortable to operate at a senior level and willing to roam throughout the organisation, to generate a holistic view of what could go wrong and what must go right,” says Morley-Fletcher. He believes that this “risk assessor” will act as a facilitator to assist, coach, challenge and cajole people from board members downwards into understanding risk, controlling it to protect the business, and leveraging it to add value. He also believes that these people must be prepared to challenge management, forcefully and persistently, again and again.

“Whatever the title – chief risk officer or head of risk management – with more and more corporate governance regulations coming into effect, this is a great opportunity for risk managers to bring their skills and expertise to the benefit of the organisation on the same footing as other senior functions and board members,” he says.

But if risk managers are going to take on this strategic role and increased responsibility, they need to have the skills, expertise and experience to rise to the challenge. Sainsbury’s Howard says that the board’s growing reliance on risk management means that risk managers need to ensure that they have the range of skills required to meet executive expectations. “Risk managers need to be able to think a lot more widely about the nature of the organisation and its strategy and they need to be able to demonstrate to management and the board that they have a handle on the key issues. To do this, risk management departments need to invest in more training and ensuring that their staff go out into the business more than was perhaps previously the case.

“For example, I did a Master of Business Administration (MBA) so that I could think more widely about the business and gain a greater appreciation of the risks facing it and understand what the key challenges are,” he adds. “Risk managers need to get more involved in developing and implementing projects and providing advice about how they should be carried out. There should not be an area of the business that we cannot get involved in. But there is a real need to appreciate the strategic significance of what the business is trying to achieve, and how we can help management achieve those objectives.”

Yet despite all the plaudits about the role of the risk function and its place in the assurance and risk management framework, not everyone is convinced that its heightened profile will be matched with increased resources. Willis’ Ellis believes that while the profile of the risk management profession is growing, this does not necessarily mean that risk managers themselves are regarded any better than before. “The attitude at the moment is for risk management to do more with less. Furthermore, greater demands from regulators to provide greater levels of assurance to the board and make risk management a key issue has added to the burden that risk managers are under. I don’t know of any risk manager that is getting the support he needs to take the pressure off himself,” he says.