Elevating Risk Management Within the Organization
Risk management plays a critical role in many organizations. As a result, the department must be aligned with corporate objectives and direction.
To that end, the risk management function should be part of the strategic decision-making team. This means that it should play an essential role in merger and acquisition due diligence, and be engaged in any decisions regarding investments in technology platforms, expansion, plant upgrades, facility closures, workforce reductions and supply chain management.
The following questions can help you develop strategies to increase the profile of risk management in order to make this a reality.
Does risk management need a rainmaker?
Who will champion risk management at your organization among your firm’s senior leadership? Does the function have to be led by a chief risk officer (CRO) for that to happen, or will it work if risk management is under the direction of the CFO, treasurer or general counsel? Your champion must be a member of the senior leadership team who recognizes the value the risk management function can deliver to the organization. Many organizations do not have CROs, so risk management should report to the person with the most power and influence.
What will it take to raise the profile of risk management?
How will risk management distinguish itself to senior leadership? What activities are critical for risk management to perform to protect the enterprise? If risk managers cannot speak the language of accounting and finance to communicate benefits they bring in purely financial terms, they will not gain top leadership’s recognition and respect. Equally important, if they cannot communicate with business operations in a way that demonstrates a deep knowledge of what makes the business tick, they won’t be taken seriously by company leadership. A risk manager’s job is not to say “no” to risk taking, but to find ways to measure, mitigate or transfer risk so that businesses can be successful.
Who else is managing risk?
Is your department in the loop? What risk management activities are currently being led by other parts of the company? Should risk management be involved? If risk management is not forming strong partnerships with internal audit, legal, marketing, sourcing and other key internal stakeholders, it will be viewed solely as an insurance-purchasing department—and not a business partner. Often, being a risk management evangelist is a key to success.
Are there any black holes?
Where are the potential gaps in risk management that leadership is overlooking? These may be areas outside the purview of the risk management function, but not addressed by other areas of the company. For example, in a rapidly expanding global organization, significant blind spots may exist around new operations outside the United States that lack the benefit of risk management oversight. Blind spots also often lurk in IT organizations, a primary reason why many firms are still without cyber-risk insurance.
Is leadership engaged in the risk management function?
Is there agreement with leadership on the objectives and deliverables of the risk management department? Where else can risk management add value to the organization? If risk managers are not having these discussions with leadership, then there may be a significant disconnect, particularly in the aftermath of a major loss or crisis. This is a career-limiting mistake for many risk managers.
What is your firm’s strategy for assessing and managing risk?
Is enterprise risk management (ERM) the right approach for the organization? If so, how does the organization define ERM? What role is the risk management department taking in driving the process, implementing mitigation techniques and tracking its progress? If your organization has implemented ERM, what were the results? Often, too much energy is spent designing a complex ERM structure that does not work throughout the organization. Generally, keeping it simple is the best starting point for ERM. Add bells and whistles as the process evolves.
Does your department have the talent to reach the next level?
Given your department’s scope, are the right skills available to do the job? Is the risk management team engaged and equipped for the challenge? What opportunities exist for career development within risk management, and how can members of the team position themselves to take advantage of them? Many risk management departments face a shortage of talent and resources yet are expected to take on heroic tasks to protect their organizations. In some instances, talent is deployed on necessary but rote and time-consuming administrative tasks as strategic projects languish.
What is your strategy for strengthening risk management’s performance?
Do you have a backup plan if you are unable to get the resources needed to perform critical work? What has been the impact of assigning senior risk management professionals to low-level work? If your department is already stretched, conduct an operational review to differentiate high-value, critical work from non-critical work. Once that analysis is done, check your vendor relationships to see who can play a larger role in supporting the essential work of your department. This includes brokers, agents, actuaries, loss control companies, engineering firms and others with whom you have relationships. If you face a hiring freeze now or in the future, you may have few options other than to work with outside partners as an extension of your department. This may require finding innovative ways to compensate them for the additional resources they provide.
What help can you get from the outside?
Whether or not risk management departments have a mandate to raise their performance levels, many still face the same business realities. Not only must they navigate hiring freezes or staff reductions, they must work within the constraints of company policies governing use of outside consultants and service providers. These include criteria for evaluating vendors. If your firm has such a policy, work within the framework to make the case for outsourcing some non-critical work in order to free experienced staff to tackle your organization’s more challenging and complex assignments. Conversely, it may be specialized work you need to farm out to subject matter experts.