Risk management is at a turning point, pivoting from an operational to a strategic role. Corporate culture – the way risk is treated and the way we treat those involved in loss events – is critical to that change.
Risk management is changing. Historically, risk management was all about managing physical and operational risks – fire and explosions, equipment malfunctions, system breakdowns. But today’s risk professionals are more likely to be kept awake by concerns over business model threats from start-ups, the changing demographics of customers and employees, and emerging risks that could damage a new portfolio of intangible assets.
The risk landscape is volatile, uncertain and complex, and wrapped up in strategic disruption. And with this new environment comes a critical period for risk management as a practice and a profession.
New opportunities are being created for risk managers to take a more strategic role – helping management and the board make decisions on strategy as well as risk managing the threats to these plans. Risk managers need to elevate their positions from operational risk management to strategic risk management.
However, while several organisations have embraced strategic risk management as an integral part of their enterprise risk management framework, many risk professionals are struggling to get the airtime with the top table to make a positive impact on strategy.
This challenge formed the focal discussion point at StrategicRISK’s Dubai roundtable, held during the Dubai World Insurance Congress in February.
Attended by senior risk managers from stock-listed companies across the EMEA region, the discussion, held under the Chatham House Rule, focused on overcoming barriers to gaining greater strategic footing within an organisation, including board and C-suite engagement, cultural change and risk communication.
Being heard by leadership
The biggest hurdle is board and C-suite engagement. Few risk managers are actively involved in management conversations about creating strategy and defining corporate objectives.
“How many of us are involved in any discussion about strategy and setting corporate objectives?” asked one risk manager from an oil and gas company.
He added: “Executive management create the strategy, define the objective and then ask risk managers to identify and manage the risks. Strategy and risk management should go in tandem and should be a process embedded at the point of creating strategy and defining corporate objectives.”
This sentiment was echoed by a risk manager from a construction company. His message was that a corporate cultural shift is needed to ensure that risk management is recognised as a strategy-making tool across the company. But to achieve this, risk managers must have a seat at the top table.
“Risk managers must have exposure at the very top of an organisation and across the company to inform the highest level of leadership. Without this, risks cannot successfully be embedded and discussions about strategic risk management will not take place.”
He added: “In some organisations that I worked for, I found it difficult to make risk management work because I was seen by colleagues as middle management, where my role was to administer processes.
“When I moved to a different organisation, where I reported to the CEO, I was able to influence more parts of the organisation around risk thinking and strategic decision-making. Risk management had greater buy-in from executive management and from all departments across the company.”
Talk their language
This is only part of the answer. Engaging colleagues from other departments is as important as getting buy-in from the very top. But this challenge is more about changing the perception of risk management from a function that “prevents business opportunities” to one that “enables business development”.
How to make this happen? Risk managers need to articulate their value by adopting their company’s ‘corporate language’, explained one risk manager who works for a utilities company.
“We don’t talk about risk management or use terms such as ‘risk tolerance’ and ‘risk appetite’. We talk about performance and how it is related to the delivery of our corporate and strategic objectives.
“We measure and monitor performance, and think about risk management in terms of how we can increase the chances of successfully delivering each of the objectives. Corporate language and communication was key to this.”
Another risk manager emphasised the importance of applying different approaches to different internal stakeholders. “When I first rolled out a risk management process, the CEO went absolutely crazy. He went down to all the department directors and asked: ‘Why have we got risks in the organisation?’ It became known as The Red List.
“Business units didn’t want to talk to me, so I had to come up with a new way of redeploying risk management. I came up with different clock speeds: with the C-suite, I took a slow-burn approach to risk management. With the business unit directors, I took a fast-burn approach, and with the project directors I rolled out risk management. I then filtered the risks that went up to the C-suite.
“By doing so, the maturity level improved and ultimately, the fear of risk management slowly disappeared.”
This is a good case in point: challenges abound, but risk managers can have influence and can effect the cultural change needed in some organisations. The evolving risk environment suggests that the demand for risk management is generally growing. Change is propelling shifts in risk management and risk professionals must step confidently into this strategic role.