Challenging misconceptions, articulating value, and getting to a decision before it is made – these are the steps that will really advance our efforts in #ChangingRisk for the future, says Jo Willaert, Ferma president
What needs to change to help the risk community move up the risk maturity curve?
I don’t like the word ‘change’. I believe, based on my experiences over the last four years, that risk managers have the skills that they need, but the next step is to challenge the perception of risk management, so that everyone in a company understands its value.
Risk managers are often seen by the chief executive and the board as ‘insurance managers’, who are only responsible for premiums. But insurance is just one of the solutions at a risk manager’s fingertips. The industry needs to get better at demonstrating the importance and breadth of risk management.
If you could start from scratch and re-launch risk management, what operating model would you adopt?
We must adapt to a changing world. A lot of the existing risk managers come from other disciplines – accounting or legal, for example. And if that is the case, they will need specific knowledge and skills of risk management and therefore they need education. This is important because when decision-makers hire a risk manager, they will at least know that they are hiring a certified professional.
Second, the role of the risk manager must be clearly defined, which is why, for me, the three lines of defence is important. Risk management has grown in importance over the last 20 years, and part of this is thanks to the three lines of defence. It has been proven to work. It clarifies the position for all the players in the process from risk manager to internal audit and decision-makers.
It is also worth talking about methodology. ERM has been very successful but it is probably a little bit too static. We must make ERM much more flexible and interlink it with governance. And then of course, there is the importance of data. For the time being, I’m convinced that risk managers do not have all the data that they should. One reason is because data is marked as confidential and risk managers are not considered to be part of the group that should be given access. We must work with the board and the decision-makers to change this and to demonstrate that the value-add of risk management can only be realised if the risk manager has all the data.
What’s your elevator pitch for convincing the board and C-suite of the value of risk management?
The board will never make a decision that has legal consequences without discussing it with the legal team. The board will never do anything without a financial expert, treasurer etc. Risk management is similar in that you cannot make strategic decisions without knowing exactly what the consequences and risks are. To effectively manage your targets and strategy, you must understand the threats that you face. That way you can make a decision in respect of the risks. The risk manager must explain to the board what the risks are, what the actions and possible solutions are, and what the costs are.
Then it’s up to the board to make these decisions. Without this advice, they cannot make an informed decision. But oftentimes, risk managers are consulted after board decisions have been made. The risk manager must be involved in the decision-making process much earlier so that managers can make decisions in possession of all the facts.