As risk management becomes a boardroom issue, risk managers face new challenges, say Simon Perry and Geraldine Rutter
Pioneering companies are taking risk management out of the back office and into the boardroom. For risk managers, this presents unprecedented professional opportunities, as the focus of their role moves from compliance and risk mitigation to the far more strategic task of embedding risk awareness into the culture of their business.
Yet there are challenges for risk managers, too. In order to succeed in the future, chief risk officers (CROs) must attract the ear of the board, shift perceptions of risk management across their organisation, and gain a genuine influence over business strategy. It is clear that these challenges are formidable – not just for CROs, but for senior executives in general.
Over the last year, PricewaterhouseCoopers has conducted a series of interviews with finance directors and other senior management in a range of sectors about their approach to risk management and how it is embedded into overall business strategy. We discovered that while significant investment has been made in strengthening risk management, many organisations still find it difficult to shake off perceptions of the function as a compliance exercise rather than seeing it as a crucial component of front-line decision-making.
According to our research, companies are particularly struggling in the following areas:
Aligning performance and risk, in particular articulating a meaningful, explicit risk strategy and appetite that ensures potential gains, threats and compliance are viewed collectively when making decisions
Broadening the focus of risk management and integrating both the appetite for risk, and the management of it, into the culture of the business
Defining, measuring, and communicating changes in the nature of risk
Evolving the risk ‘function’ beyond compliance into a strategic process that actively shapes corporate objectives.
Challenge for risk managers
For risk managers, meeting the above set of challenges requires a fundamental shift in their relationship with the rest of the business. Crucially, they must move to a ‘business partner’ role, working closely with the finance director and senior executives to ensure that the risk management process influences the forward-looking corporate agenda.
This is a sizeable task. PricewaterhouseCoopers’ research and experience have shown that in many organisations, risk management remains a largely process-driven activity. The onus is on risk managers and senior management to break this trend, persuading the organisation that risk management is not a distraction from the front line of business activity, but is a fundamental component of it.
In order to achieve this, the successful risk managers of tomorrow will need an impressive set of skills and expertise, including deep commercial and strategic awareness. They will also need to consider carefully how best to communicate with a particular internal audience. For example, creating a high-level customer protection policy is one thing. Ensuring that all call centre staff adhere to such a policy on a day-to-day basis is quite another.
As well as spreading awareness of the importance of risk management throughout their business, CROs must also broaden the focus of the risk management process itself. Our research found that in many organisations, risk management remains focused on well-known, easily quantifiable risks. As a result, less visible yet highly important risks are not factored into crucial business decisions.
A look at the primary reasons for recent falls in shareholder value highlights just how important less visible risks can be. According to PricewaterhouseCoopers research, strategic failures, ranging from integration problems to an industry downturn, are the cause of 39% of share price falls.
The board has an important role to play in this area, in terms of giving over-arching direction to a company’s attitudes towards risk. Yet it is up to the CRO to help the business understand how intangible, often complex risks are best managed.
Risk managers who can meet these challenges, ensuring that awareness of all types of risks, and of their strategic impact, is instilled across the business, will enjoy a far more prominent role in their organisation. Indeed, with companies coming under ever-increasing moral and environmental scrutiny, the CRO could become an ‘independent ombudsman’ internally, and a risk ‘ambassador’ externally.
The CRO-CFO partnership
Risk managers and finance directors have a shared agenda in embedding a holistic risk management strategy across the business. After all, clear guidance on the risks a company faces, and on acceptable risk limits, is crucial for accurate forecasting and financial planning. In turn, accurate non-financial and financial indicators are essential components of a coherent risk management strategy. In short, it is in CROs’ and CFOs’ mutual interest to work closely together.
Risk as part of the business DNA
So how can CROs, CFOs and their colleagues go about embedding risk into the business culture? By focusing on four areas:
Leadership and strategy: Companies with effective risk management strategies promote awareness of risk from the very top of the organisation – with senior executives openly practising what they preach.
Accountability and reinforcement: Making awareness of, and responses to, risks a component of employee performance evaluation and incentives is a powerful way of ensuring that risk management runs through the business at all levels, in all areas.
People and communication: Incorporating awareness of risk into staff training, and into communications between staff and management, is also crucial.
Risk management and infrastructure: Of course, ensuring that risk monitoring and mitigation processes are in place is key to ensuring that emerging risks are identified and acted upon on an on-going basis.
Leading companies are already putting these processes into practice. For example, one utility firm holds annual risk management workshops to explain individuals’ responsibilities for monitoring and reporting risks. Managers at the company also routinely discuss risks at monthly business unit meetings. Details of the risks identified, and of recommended responses to those risks, are then reported up to group-level management.
Dealing with emerging risks
Our research also found that many companies need to improve their levels of preparedness for unforeseen events, such as product recalls or sudden changes in the market environment. The fallout from the sub-prime crisis in the US is an all too prominent reminder of how significant emerging risks can be.
A robust strategy for preparing for unforeseen risks covers three areas:
Detection: For example, one company operates a ‘risk radar’ that systematically examines external data, evaluates potential business impacts, and feeds the results through to the board. Another firm has a ‘regulatory pipe’, which constantly monitors information about forthcoming regulations that may affect the business across its international operations. Such proactive risk management processes allow organisations to identify risks ahead of their rivals and use this fact to their competitive advantage. Meanwhile, some industries have set up collaborative risk detection processes. The insurance sector, for example, has set up the Operational Risk Insurance Consortium in order to improve risk management across the industry.
Escalation: It is also important to develop a simple, transparent escalation process that is understood throughout the company. Operating a ‘no blame’ culture is crucial to ensuring that employees are open to escalating risks to their superiors. A well thought-out escalation process is also vital for managing communications during a crisis.
At one company, for example, a process is in place that ensures that all senior managers and media relations contacts are kept informed at all times during a crisis – and that at least three contacts are available for media interviews, 24 hours a day.
Response: Responding to risks is a collaborative effort, in which the skills of the finance, compliance and risk management teams are combined. One company, for example, has provided risk management training to operational managers to help them determine appropriate responses to day-to-day risks. Managers are encouraged to consult with the risk management and finance departments in order to quantify the potential business impact of a particular risk, and to evaluate who should respond to it, and how.
Defining the risk appetite
None of the above can be achieved, however, if an organisation has not adequately defined its risk appetite. After all, while too much risk can jeopardise a business, too little risk can also put companies at a serious commercial disadvantage.
Our research highlighted the fact that companies can find defining their risk appetite a difficult business. Most organisations have an innate sense of how much risk they are ready to accept. Yet many find this hard to articulate in terms of making real-world business decisions, and guiding staff behaviour on the ground.
In many organisations, this problem is compounded by the fact that risk management is seen purely as a matter of avoiding risks, rather than balancing risks with returns. Leading companies ensure that an analysis of risk is balanced with an analysis of potential rewards by addressing both factors during the annual business planning process. In this way, risk limits and controls can be set at the highest level of the business.
Here, it is important for senior executives to ensure that the perceptions of, and appetite for, risk held by all stakeholders – including investors, customers and regulators – are taken into account.
How does this work in practice? One leading technology company has a risk committee, which formulates an integrated risk strategy, policy and appetite based on a systematic scoring system that rates the impact and probability of risks.
One media company has gone a step further, defining its risk appetite in terms of profits not made or losses incurred. Another company has gone further still, shifting its risk appetite up or down as appropriate whenever there is a 10% change in earnings per share.
Once risk appetite has been properly defined, it can be used to inform all strategic decisions. One global financial institution, for example, has built a new assessment of its risk appetite based on the views of its external stakeholders and its own strategy. This new definition of risk appetite will then be used as a key determinant in the allocation of capital across the business.
While leadership for such initiatives has to come from the very top of the organisation, it is the CRO who needs to ensure effective execution. Those who are up to the challenge will enjoy not only the ear of the board – but also, perhaps, a seat on it.
Simon Perry is a partner and Geraldine Rutter is a director in the risk assurance services practice of PricewaterhouseCoopers LLP, E-mail: simon.perr