Seeing the Light: Redefining the Risk Manager
One of the benefits of attending conferences is that they can provide you with unexpected opportunities to contemplate life’s truly important issues. Issues such as the best way to sleep in an airport lounge or whether you can actually get away with tripping the slow person in front of you in the security screening line.
Recently, being wedged into the non-exit row of a commuter aircraft has provided me with the opportunity to clear my mind and consider the more significant elements of my risk management career.
During the RIMS ERM Conference last October in San Antonio, for example, I was asked how long I had been “doing risk management.” What should have been a very straightforward question stopped me dead in my tracks. Why couldn’t I quantify my career? What was it that made me hesitate before I answered?
Sensing a long answer was coming, my questioner suggested that perhaps if I was going to make something up, I could at least do it while I was standing in line for the next round of drinks.
Fast forward 20 hours and I was uncomfortably crammed into an airplane seat that was clearly not designed for extended human occupation. Trying to focus on something other than the pain slowly building through my entire body, I asked myself the same question: how long had I been a risk manager?
My answer: it depends. If I based my answer on my experience in New Zealand, where I started my professional career, the answer would be about 11 years. However, if I were to use the more limited definition commonly applied in North America, the answer would be closer to five.
Why the large deviation? For the most part, it comes down to the competing definitions of “risk manager” used to make the calculations. This rather obvious revelation made me think. If these differences made it hard to even answer a small-talk question, how may they be affecting organizations looking to attract the next generation of risk management professionals?
The Antipodean Approach
In my experience, New Zealanders (and most Australians) are typically less concerned with what a role is called than what it is expected to achieve. Part of this is cultural; title dropping remains a social faux pas alongside being unable to determine the sex and breed of a sheep at 50 meters. But more than anything, this attitude reflects the fact that a title doesn’t really matter — having the technical or practical ability to do the job is far more important than the name on your business card.
Were my colleagues or I called “risk managers?” No. Did we contribute deeply to how risk was managed at an organizational level? Absolutely.
In my earlier career I was a customs officer, leading a team that played a central role in identifying and assessing the risk posed by people and goods crossing the New Zealand border. As protecting the integrity of the border is one of the key responsibilities of the Customs Service, being able to effectively manage the risk in this space was obviously pretty important.
But were my colleagues or I called “risk managers?” No. Did we contribute deeply to how risk was managed at an organizational level? Absolutely.
What this approach meant in practice was that, as a law enforcement officer with national risk management responsibilities, I was welcomed to the table of risk practitioners as an equal. This table would typically include very few of the lawyers, accountants or insurance folks you would see at a similar forum in North America.
It would, however, include individuals with significant experience in managing operational, financial and legal risk. And it would include those who intimately understood their business, even if they didn’t have a distinguished academic pedigree — or any at all, in some cases.
The approach to hiring in New Zealand also reflected a focus on practicality and critical thinking over specific academic credentials. I was hired to my first risk management job with the Customs Service without much more than an engineering degree and a sharp suit.
While the degree might have helped get me an interview, what got me through the door was an ability to critically evaluate the risks in a given situation, use tools appropriate for the task (some of which may have come from my academic training), develop well-reasoned solutions and situate these solutions within the context of the organization’s goals.
As a team leader hiring my own risk analysts, this non-specific approach would pay dividends again and again. By not focusing on a particular academic specialty, I was able to recruit the individual with the best skills to complement those my team already possessed. One of my most effective risk analysts held a Ph.D. in theology, while another had never darkened the door of a university.
The key traits they both shared were an ability to think clearly, apply logic evenly and know when they needed specialist help. In short, they brought common sense to the table. Put together, their skills ensured that a balanced, holistic approach to risk identification, assessment and management was achieved. Combined, they had the tools to ensure that the best possible solution to the organization’s risks could be found.
The North American Approach
As an immigrant, you have the (often annoying) luxury of being able to contrast your experiences in multiple regions. While I recognize the dangers of over-generalizing, my observations have led me to conclude that the majority of North American organizations remain stuck in a silo mentality when it comes to hiring the folks who will be responsible for managing their risks.
Many organizations retain an almost intractable focus on managing risk within defined areas of risk speciality, with lawyers solely looking after legal risks, accountants and auditors only looking after financial risks, engineers and their kin looking after operational risks and almost no one looking after strategic risks.
In many larger organizations, this approach may seem to make a certain amount of sense from a command-and-control standpoint. The division of labor ensures that all the compliance activities required by a large corporate entity are appropriately managed by those people with the skills to effectively do so.
Managing an organization’s risks in individual silos is like trying to pick up a six-pack without the little plastic thingy that holds them all together; you can do it, but it is far harder than it would be if the cans were connected to each other.
The trouble with this approach is that it can also break down organizational cohesiveness and, ultimately, lead to organizational failure — despite the risks within each silo being managed to the required standard. Managing an organization’s risks in individual silos is like trying to pick up a six-pack without the little plastic thingy that holds them all together; you can do it, but it is far harder than it would be if the cans were connected to each other.
It remains rare within North American risk practice to see a lawyer directing an ERM branch that reports to the head of treasury or an ERM-specialist engineer that reports to the chief legal officer. This doesn’t mean it can’t (or doesn’t) happen. However, role specialization remains a significant potential barrier to the true integration of risk management practices.
Education vs. Experience
You may have formed the view that I don’t support or recognize the value of specialized education. Nothing could be further from the truth. I wouldn’t want the bridges I drive over to be designed by a history major any more than I would want my knee surgeon to be a physics professor. Both might be smart enough to do the job, but each would most likely lack the technical skills to do the job safely and effectively.
As a good enterprise risk manager, I am acutely aware of where my skills lie and, more importantly, where they do not. I would describe myself as a generalist risk manager, with a particular set of skills in process risk control and strategic risk management. My real (and some would argue only) skill comes from knowing when to pick up the phone and ask for the specialist input and when I can go ahead with nothing more than a good solid dose of common sense.
For my organization to be truly effective, I need to have the sense to draw in expertise only when it is needed — because the rest of the time that expertise needs to be focused on delivering its specific value to the organization.
As an organizational risk manager, there is an expectation that I can bring a steadying hand to the tiller and be able to cool the jets of those specialists who would have us burn the organization to the ground every time something goes wrong. Like a good football coach, my main skill comes from knowing when to bring specific players together to deliver a play and when I need to sub in other players to deliver a specialized play that is beyond the skill level of the players currently on the field.
Identifying the Next Generation
Before we talk about the specific risk management skills, experience and education we will need in the next generation of risk professionals, we first need to be crystal clear about what we expect our risk management function to achieve. Unfortunately, this conversation never happens in many organizations. But without this understanding, we can’t reasonably hope to define the talent pool from which we should be recruiting.
For example, if an organization only requires the traditional insurance and risk-transfer functions, then it absolutely makes sense to draw from a recruitment pool of those with business or finance backgrounds. However, if the organization’s risk management function is required to play an active role across the full spectrum of organizational risks, then a reevaluation of the required skills may be in order. By carefully evaluating the outcomes required from risk managers, it is possible that many organizations will find that they have a skill shortage in some areas and an oversupply in others.
Analyzing what organizational outcomes need to be both protected and advanced by the risk management function will help organizations determine what sort of risk management skills they actually need to retain in-house and which skills can be more economically farmed out to specialists.
By reducing the specific educational or certification requirements associated with traditional risk management roles, the ability to attract internal applicants — those who already have the organizational skills and knowledge they need to succeed at the enterprise level — will be enhanced.
By removing the silo-based speciality bias, organizations would be able to more effectively develop their existing employees to identify, assess and manage risk — not only within their area of knowledge but also across the organization’s operations.
Such an approach would have two main effects on the risk management profession: it would decrease the total market demand for “traditional” risk managers and expand the potential recruitment pool for enterprise risk managers, moving the focus towards developing staff members who already possesses the requisite business process knowledge to effectively manage risks.
By reducing the specific educational or certification requirements associated with traditional risk management roles, the ability to attract internal applicants — those who already have the organizational skills and knowledge they need to succeed at the enterprise level — will be enhanced. Equally, by opening the doors to a wider range of skills, experience and knowledge, organizations may find that this new breadth of thinking can assist them to start, bolster and accelerate the growth of their key programs.
After all, effective risk management (and management in general) is not about stopping at “no” — it’s about knowing how to get to “yes” safely, effectively and efficiently. This skill isn’t necessarily tied to any one discipline, and the wider the skill base the process can draw on, the better the eventual answer is likely to be.
On paper, I should never have been hired as a risk manager by a large North American organization. Though I had a wealth of experience managing complex and critical risks, I lacked the educational background. Luckily, I work for an organization that not only sees the benefit of enterprise risk management but, more importantly, recognizes that the knowledge and skills required to do the job don’t necessarily come standard with an MBA (or any other particular degree).
The risk management profession can sustain and recruit the next generation of keen young risk managers — but it must be prepared to slaughter the sacred cows that keep it rooted in its traditional past. Come to think of it, meat-packers might actually make good risk managers — what with all that blood, gore and sharp knives.