In the latest chapter of StrategicRISK’s editorial campaign, Andrew Keeling, IRM chairman, explains how risk managers can take advantage of the new focus on risk and governance

Face with unprecedented economic conditions and the latest round of post-Enron corporate failures, it is clear to us that the risk management profession is at a crossroads. Risk managers can either step-up, and fulfil their special role as informed corporate advisors at a strategic level, or accept that their task goes no further than signing off on internal systems and controls, which can ultimately be sidelined or simply ignored if the will is there. In theory, one path leads to strategic risk management nirvana, while the other is destined to be stuck in a compliance silo.

In recognition of this, StrategicRISK has initiated an editorial campaign designed to raise the profile of risk management and help individuals with some of the skills they need to function as we hope they might. In our first online exercise to this end, we spoke to the new chairman of the Institute of Risk Management (IRM), Andrew Keeling, about this issue and what risk managers need to do to raise their profile and face these challenges head on.

Recent disasters in the banking world have forced regulatory authorities to examine the role and effectiveness of corporate governance and risk management specifically. Many perceive the collapse of age-old and sophisticated financial firms to be the fault of weak risk management frameworks. Try as they might, those responsible for risk in many large banks were unable to steer their organisations clear of disaster, even if they could see it coming—as some of them surely did.

In the end this has forced regulators, who in the eyes of the public are equally as culpable, to step in and review the principals by which companies are meant to govern themselves. While, the sternest furrowed brows are being turned on the financial sector, it would be foolish to think other industries are not taking these issues equally as seriously.

At this time of reflection and re-evaluation, risk managers are faced with a golden opportunity. “If you look at the new regulation it is going to raise risk managers to a more senior level, so we need to make sure we are prepared for that and able to perform at that level,” says Keeling, who is also a director of risk at KPMG.

“If the whole role of the Chief Risk Officer (CRO) and the head of risk is going to be at the board and executive management level then risk managers have to take a good hard look at their own personal and commercial skills. They should review if they have the commercial acumen, business knowledge, strategic vision and information to act as this specialist advisor and the conscience of the business,” he says.

“If they feel they don’t have those skills they need to come up with a plan to develop themselves so they can maximise their value and effectiveness."

The recent regulations that Keeling refers to include the Walker review. Lord Walker’s recommendations include non-executive directors having more oversight and banks publishing the number of staff earning big sums. November’s final review also suggested that boards put all their directors up for annual election, including the chairman, and the appointment of a CRO who could be sacked only with the full board agreement.

As a result, risk managers should be prepared for boards becoming more active in the risk area. In the future, Keeling believes the board will take much more responsibility for assessing the major risks in the company. Risk managers should be in a position to help them do that. Successfully identifying the organisations risk appetite is another key criteria of effective risk management, but it is something that many organisations have “not done particularly well”, says Keeling.

“There is going to be a period of thoughtful reflection across many organisations about how they are going to meet these expectations in the most efficient manner,” warns Keeling. “The challenge is going to be applying the risk architecture in an effective manner that doesn’t create unnecessary overload on the business, so it provides an innovative and informed discussion on risk rather than a layer of control that adds little value and just increases cost."

“That takes some careful thinking about and there’s no easy answer. It is about the innovative and appropriate application of risk in a non bureaucratic value adding manner, that’s the key, obviously some organisations will do it well, perhaps others won’t do it quite as well.”

Risk managers need to be alert, if they don’t have sufficient skills and expertise to fulfil their role at the appropriate level they could find themselves marginalised. And the top spot could be taken by someone else.

“Some organisations, particularly financial ones, are starting to take a very experienced C-grade executive and then up skill them in the risk management area,” warns Keeling. “This is a slightly different approach to someone growing up through the enterprise risk management, or insurance, or any other form of risk, and then developing up to a C-grade level.”

Now is the time for risk management professionals to ask themselves some challenging questions. “It is a good time for risk managers to consider how they empirically and scientifically support their verbal and written statements on how effective their risk management systems are within their organisation,” notes Keeling.

“Have they implemented a consistent but scalable approach to risk management across their business? Does their organisation have an appropriate and informed debate at the right level on what risk management looks like for their unique business requirements? Can they identify potential opportunities for improving their risk management oversight without creating an additional layer of bureaucracy? There is a lot that organisations are going to have to reflect on now.”

In light of the financial crisis and subsequent regulatory reviews, several organisations will be in the process of re-evaluating their risk agenda. The heightened emphasis and increased regulatory focus on risk management could be a good thing for the profession—provided that it is prepared to meet the challenge. Individual risk managers are in a position to decide for themselves what the future holds. Either they will be prepared to occupy an important and strategic business function, which is forward thinking and business enabling. Or else they may be consigned to repeat the mistakes of the past.

key points

>The heightened regulatory focus on risk and governance presents risk managers with a golden opportunity, either they can step up to the challenge or be sidelined

>Risk managers need to make sure they are prepared for the increased importance of their role. Do they have the commercial acumen, business knowledge and strategic vision to act as a specialist advisor to the board?

>If risk managers aren't equipped with these skills they need to think how they can develop them

>The challenge is for the risk architecture to be appropriately applied in an effective manner that doesn't create unnecessary overload on the business

>Risk managers need to be alert, if they don't have sufficient skills and expertise to fulfil their role at the appropriate level they could find themselves marginalised.