What is the role of the risk manager when everybody in business seems to be managing risks?
The Financial crisis may have turned attention on the issue of financial risk in a rather dramatic fashion, but today hyperawareness of risk in its assorted forms – political, regulatory, environmental, technological and so on – has become one of the hallmarks of contemporary corporate culture. Once upon a time business was done; today risk gets managed.
Professional risk managers should be cock-a-hoop at the conceptual shakedown they have pulled off. And to some extent this is true: risk managers appear to be increasingly respected among their business peers. Yet regard also brings with it some delicate challenges: what should be the role of a risk manager when everybody is managing risk?
At Eversholt Rail, a company that finances, owns and leases out rolling stock, risk manager Richard Mackie sees his job as a “salesman for the concept of risk” within the firm. “Everybody has a part to play in identifying and mitigating a very wide array of risks,” he says. “The responsibility cannot fall on one person.”
Those risks are broad indeed: the company’s credit rating suffering through no fault of its own; youth unemployment today meaning the firm struggles to hire experienced people a decade from now; software inadequacies in the age of instant social media; the demand for home-working during the Olympics crashing broadband supply. All must be analysed. And their velocity – the speed at which they can become serious – must be assessed.
From the 40 separate risk registers the firm maintains, Mackie identifies the top 20 risks which get passed up to the board each month.
The greatest, however, is complacency, he thinks. If a planned-for risk does not happen for a few years, attention drifts, but it doesn’t necessarily follow that the risk has reduced. Mackie’s job is to keep vigilance alive without crushing entrepreneurial spirit.
In an Economist Intelligence Unit survey of 275 corporate executives, 75 per cent agreed that risk considerations were playing an increasingly important role in strategic thinking at their firm. But concern with risk is not the same as being better positioned to respond to it. The study found firms were not putting more resources into risk management. And while 51 per cent were concerned about currency instability, 43 per cent had plans in place to deal with it. It was the same with regulation: 22 per cent saw it as a risk, but only 13 per cent knew what they would do if it happened. The “preparedness gap” was present across many identified risks.
This pattern speaks to the role of the modern risk manager. Although risk management has become almost a preferred vocabulary for business, the ability to identify, articulate and mitigate it still needs a specialist’s touch.
Twenty five years ago, the origins of risk management lay in functions such as audit, insurance and health and safety. Today, in complex, fast-changing organisations, risk managers cannot be the ones who say no all the time, notes Carolyn Williams, head of thought leadership at the Institute of Risk Management.
“They need to understand the levels of risk their organisations are prepared to bear to ‘feed better decision-making’. The most valuable skill involved isn’t technical, but revolves around ‘communication and negotiation’.
“Final responsibility for risk may lie with a board, but risk managers have to be sure the information flows up and down,” says Williams.
Keith Smith, risk manager with media services company Arqiva, likens risk management to finance. Just as lots of individual units control budgets, there needs to be a view across the organisation. “The same is true of risk – it’s a team sport, but you need a holistic view to ensure the appetite for risk is not being exceeded,” says Smith.
According to a study by consultancy firm Marsh and McLennan, the broader portfolio of risks businesses face can be laid at the door of globalisation and new technology. These are the drivers of the sense of instability of the age. The 900 managers it spoke to were most nervous about “intangible” risks, such as to their organisation’s brand, human capital and intellectual property.