The risk manager's role is fundamentally changing. Paul McDonald discusses the new language of risk with Sue Copeman.
At its last two annual conferences, the Institute of Risk Management (IRM) started mapping the diversity of risk management. This year's conference on 21-22 September will be no exception. Explains Paul McDonald: "The old guard of risk managers grew out of the traditional insurance buying function. The new culture of risk management focuses very much on totality of risk. This means looking at the value plan of the board and trying to chart exposures that could undermine it."
This year's conference has the theme of the new language of risk. It focuses not just on emerging exposures but also on behavioural issues. Says McDonald: "It's not just a question of knowing about the new risks. We also need to consider the way that risk managers will achieve their objectives and the skills they need to do that."
In common with many other risk professionals, he sees the key issue for the future as e-commerce. "Is it an old risk simply dressed up a fraction? Or is it something new, with fields of exposure that no one has yet addressed? We've reflected that question in this year's programme."
He strongly refutes the suggestion that some risk managers may be content to sit back and wait for the first few legal cases to establish just what the e-business liabilities are. "In the case of my own organisation, BAE Systems, in March we announced our intention to establish a joint venture with Boeing Co, Lockheed Martin Corp and Raytheon Co, working with platform provider Commerce One, to provide a web-enabled business to business (B2B) procurement capability. With a commercial venture like this, you want to move fast so that you are the first in the market to deliver synergy savings. This inevitably involves mapping risks proactively as things unfold. You can't wait for contracts to be drawn up and the infrastructure to be put in place. I don't think we're unique in this approach."
E-commerce raises many potential exposures. These include issues of security, management, documentation, business interruption and logistics. In particular, business continuity might seem to be a problem, as many of the B2B delivery transactions that are supported by e-commerce will include some form of penalty for late delivery.
McDonald considers that competent organisations will already have addressed a lot of these issues when they were preparing for potential Y2K problems, and will har ness what has already been done. He thinks the new risks will stem mainly from the legal side. "These are unknown territories and will prove the most challenging."
The concept is that if you do the groundwork for a particular aspect of risk, you can deal more easily with something that comes along in the same category. McDonald stresses that previous conferences have looked at the legal aspects of risks, product integrity and document management. "If your organisation is addressing these issues in a robust fashion, some of the risks that are evolving, such as the potential for a company to be found guilty of corporate killing, are more of the same. They should not be a showstopper if you are already doing your job properly."
E-business will be well covered at the conference. As well as a pleniary session on the global effect of e-com-merce on the risk finance value chain, there is a workshop on logistical risk management. However, preliminary indications are that the workshops on measuring risk management success and extracting value from Turnbull will be among the most popular.
McDonald sees the risk management function as focusing on trying to add value in a demonstrable way. "It involves protecting shareholder value and making sure organisations achieve their value plans. It's part of strategy planning and that brings it up to boardroom level."
He believes that the title "risk manager" is something of a misnomer. "We don't manage the risk. Other people do that. Our main role is promoting the concept of risk management - which comes back, once again to business management skills."
On the subject of corporate governance reporting, some cynics have suggested that you may be able to identify which firm of accountants a company uses from the
phraseology of its compliance statement. In other words, reporting will be just a matter of including a standard form of words rather than going into risk in depth.
McDonald agrees that this could happen in some cases, but believes that many boards will see that it makes sense to have a robust approach to developing a risk framework - and will be prepared to show the stockmarket that they have thought risk through. "I think there will be an increase in the level of detail. It goes back to the recognition that there is a link between competent risk management and shareholder value. It is an added value activity, so boards may see it as an opportunity to demonstrate good business practice.
How would he like to sec members leave the conference? "I think we want them to be challenged, recognising the full dimensions of risk management. They have to be flexible to retain the high ground and deliver what their organisations want of them".
His view reflects the fact that risk management is changing rapidly - and will continue to do so. He believes that, in the future, the person dealing with risk within an organisation is likely to be working in some form of risk directive. Much will depend upon the organisation's own appetite for risk and whether it uses the Turnbull recommendations as a trigger for an active approach.
Certainly, this year's conference (sec p 50) should provide food for thought for all those who attend, and these encompass not just risk managers but also a whole range of service providers. "Tackling the hot issues will drive risk management forwards," says McDonald.
Paul McDonald chairs the IRM conference project team and is deputy director group risk management, BAE Systems.
