Is Risk Management Obsolete?



Oh, the plight of today’s risk managers. Often viewed as little more than buyers of insurance, they have struggled to deliver value and needed oversight to business operations in a way that would improve results and maybe even earn them some desired attention from upper management. However, risk management has historically operated with one figurative hand tied behind its back. In practice, recognition by management and inclusion in the important project planning processes has been rare.

Then the glimmer of hope: back when the calendar turned to the 21st century, enterprise risk management (ERM) was being bandied about as risk management’s golden opportunity to shine. There was hope that the position was finally going to get some face time with the C-suite, something that had evaded the profession for far too long. Risk management, they said, was about to hit its stride. The excitement within the profession was palpable.

So much for that.

A decade later, risk management is in the same place doing the same job (times 10) and getting the same recognition (little to none). Despite all the promise and opportunity, risk management has remained in the unenviable position of buzz killers brought in at the tail end of project planning: that necessary evil, required by law in some cases, that is there to throw cold water on a hot project.


It is that scenario, among others, that has people like Henry Good believing the crazy notion that risk management should not be a profession at all. Strange words coming from Good, a career risk manager who now serves as an independent insurance risk consultant after a 33-year stint with Rohm and Haas, a manufacturing company in Philadelphia. Good believes the risk manager’s actions—or lack thereof—have created an unhealthy vacuum within which the profession now lives. “We need risk management, but not the way it’s currently operating,” said Good.

In his opinion, only 20% of today’s risk managers are functioning as what he calls true risk managers—being involved in decision making, planning and elevating the goals of the company. “The other 80% are functioning as insurance buyers,” he said.

How ineffective is risk management? Enough that almost every U.S. executive surveyed is reconsidering the position; 91% intend to reorganize and reprioritize their risk management approaches within the next three years, according to a 2012 Deloitte and Forbes Insights study. The same study reveals that 77% of companies now have a centralized risk management model to deliver ERM, and the risk management responsibility has shifted to the CEO and CFO, at 26% and 23% respectively.

Where Risk Managers Go Wrong

To Good, risk managers do a few things wrong that are killing their careers. He believes they are stopping themselves from making an impact in the company. Most risk managers, he says, are recommended by brokers to management. Once they’re hired, Good says they then “wait for the invitation from senior management.”

That is something risk management struggles with, say the experts. In Richard Meyers’ estimation, risk managers do not socialize enough. “It’s all about visibility,” he said. Meyers, chairman and CEO of Richard Meyers & Associates, a talent acquisition and management firm in New Jersey, relates the story of a firm that decided to adopt an ERM strategy. Instead of appointing its risk manager to head ERM, the company brought in someone else. Why? He blames what he calls the perception of insurable risk management. “While companies are recognizing that there is a value and an importance of risk management, many traditional risk managers do not have a very clear business mentality,” said Meyers.

David Rogers holds a slightly more positive view of risk management’s current state. Rogers, global product manager for risk at Cary, North Carolina-based SAS, thinks risk management as a function is not dead. However, new realities across financial and non-financial business units are forcing a change, and it is one that risk managers may not be ready for or adapting to quickly enough.

For Rogers, risk management is integrating itself into business decision making in a more regulated environment. He thinks that as business groups see how risk management can impact their ability to deliver value, the need for good risk management will increase. “The critical word is ‘management,’” he said. “If the risk function is to have a future, it needs to be seen as a partner in delivering the management’s decision dashboard.”


Therein lies the challenge. Rogers says that risk management has to learn to be relevant and accessible to the decision maker. That relevancy comes from stepping outside the bubble and learning the business functions. “What I heard on a panel recently was until you’ve actually run a P&L, you often don’t appreciate the difficulties of the issues you’re presented with.”

Jeff Triplette says that risk managers need to shift their focus. In his opinion, it’s not about the profession, but about what constitutes a professional. Triplette, who is principal of Triplette Advisors in Memphis and a referee crew chief for the NFL, says too often risk managers are not engaged in what the C-suite is concerned about. He thinks many risk managers can turn it around just by shifting their perspective.

Triplette relates the story of one of his NFL crew members who was a player in the league for 13 years. During his third year, the player was approached by a coach, who explained what it was to be a professional in the league. The coach made him commit to arriving early and training more intensely. Perhaps most importantly, he was expected to learn the organization. That’s when Triplette says the player’s mind-set shifted and he began elevating his level of play. “That’s when he said he started learning what it really meant to be a professional.”

Triplette says that is exactly what risk managers need to be doing. “Start thinking, ‘What is my boss thinking about? What are the things they’re concerned about that I might be able to find a solution to?’ Be willing to help identify the problem, but be willing to offer viable solutions.”

Anatomy of a Risk Pro

Some risk managers understand this by nature. When Lance Ewing was hired as risk manager at Park Place Entertainment, he admits to knowing “very little about riverboat casinos.” But Ewing, now regional industry practice leader for insurer AIG in Memphis, took the time to not only learn about all the risks the gaming company operated under but also to get to know the business. “Risk managers have to push themselves mentally out of their comfort zone and get the resources they need to respond to the company’s growth and risks,” said Ewing.

When Ewing left risk management in 2010 for an expanded role with AIG, he left behind more than 20 years of experience managing risks. It is a career that has gained him widespread industry recognition and awards, including a year as president of the Risk and Insurance Management Society (RIMS, publisher of this magazine) and a few Risk Manager of the Year titles, which are handed out annually by the industry publication Business Insurance.

How did he rise so high? For him, it all started with lunch.

That is where Ewing says the relationships among all departments and risk management are formed. He says lunch works because “very few people will turn down a free meal.” That lunch is where he would learn the top three challenges his colleagues were facing.

From there, Ewing would take those concerns back to his team, which included the insurance carrier, broker and any third-party administrator. The team discussed everything about a potential loss: how to prevent it, how to mitigate it, how to deal with any fallout if it occurred. “We then went back with a solution.”

He says the solution part was critical to the success of both the company and the risk management function. It was how he and his team were able to elevate the importance of risk management throughout the company.

Ewing relates the experience of one company where risk management gives each department an hour-long presentation on what risk management is and how to file claims. Building that into the front end of the hiring process, he says, goes a long way in developing that professionalism internally.

It’s also not a bad idea, he says, to introduce each department to the team—the carrier, broker, third-party administrator, the claims handler, even the underwriter. “Risk management needs to be a much more collaborative spirit than it has been.”

One way Ewing kept senior management aware of the comings and goings of his risk team was to provide them with a report a few times per year. He kept it brief: three pages of bullet points and bar graphs highlighting only the activities, risks and concerns of the team along with a list of ways the team was managing them.

In times of crisis, risk managers must want to be part of the decision-making process. They must find solutions, not hunker down while top executives do all the work. “We don’t dig foxholes,” he said. “We’re always moving forward.”

Creating Relevancy

Ewing disagrees that risk management is no longer relevant, but he admits it’s struggling. The profession, in his opinion, has not yet embraced what the role really means. “As board members, shareholders and stakeholders begin to see risk more as an internal fabric of how they do business, the risk manager has to be able to step up and get a seat at the larger table.”


It’s something Ewing believes that those in the profession have talked about for years, but few actually do. “A way to get that attention is spending time with not just the CEO, CFO and treasurer, but reaching out to the legal side,” he said. “When that claim happens, if legal gets involved, that relationship and rapport has to be there.”

Ewing says that risk managers have to build similar bridges with human resources and the benefits side. Look for an opportunity to collaborate with the benefits side when responding to workers compensation claims. That comes from raising awareness of how risk management can be incorporated into each department.

In some instances, the interactions are already occurring. Rogers says that government regulations are beginning to pull risk management and finance departments together more often. “Especially with regulations such as Basel III and Dodd-Frank, risk and finance can’t sit on its own,” he said. “The information has to be brought together to see a much more consistent picture of how the organization plans and utilizes its capital.”

Education, say the experts, is integral to a risk manager’s career. Meyers’ frustration is evident when he talks about how many risk managers drop the ball. “How many risk managers do you come across that are in the middle part of their careers and have not gotten their degrees?” he asked. “If we were to interview 10 of them, six or seven will say it was really never important to my employer. What a grave perception.”

Meyers says risk managers have no one but themselves to blame for the lack of opportunity. Risk managers are a commodity, and they have to be cognizant of how they want that commodity to be perceived. Without commitment to self, he says, risk managers will be ill-equipped to rise within an organization. “How good is a carpenter without having the proper tools?” Part of that tool chest, he says, is the daily exercise of continually improving self.

Without risk management professionals at the helm of their own careers and training, experts believe talk about risk management becoming obsolete will continue—or perhaps worsen—as business complexities evolve. Triplette believes the key to risk managers rising in their companies is contained in one word: professionalism.

“Learn to be a professional,” he says. “You can keep buying insurance and those kinds of things, or you can figure out how to take things to the next level.”



About the Author

Lori Widmer is a Philadelphia-based freelance writer and editor who specializes in risk management and insurance.



  • “The other 80% are functioning as insurance buyers” and by the sounds of this article many others are focused on premium reductions as the primary outcome instead of one of many tools in their armoury. Disturbing.

  • Very interesting article. We were surprised by the title and the tone from a risk management magazine! However, the points in the article are pertinent for the risk management community to use to self evaluate where they are currently positioned in the organisation. Of course, every industry and organisation is different, and within organisations there are variances in views and the role of risk management. But what is clear, as detailed in the article, the Risk Manager has the ability to change this. One of the key thoughts that came to our minds was the brand of risk management. Risk management must develop its brand with key principles in mind, just as audit, Information Technology, Human Resources, and Finance have done over the last 10 years. The Risk Manager has to come to the executive table with an opinion and value. We believe this comes from redefining the role of the Risk Manager from a decision point, to a decision influencer through a role in developing business processes using specific risk skills, monitoring the organisation's processes and identifying areas for improvement, and through the usage of internal and external data.

  • Gordon Mandt

    I don't know where these statistics come from but my peers that I know don't reflect they just buy insurance. Any company with a bottom line mentality knows that insurance is one of the top four costs paid every year. Getting upper management buy in and being able to show it's easier and lowers cost to prevent injuries than it is to manage an employee's recovery. If a risk manager can't show the relationship between creating a culture that values workers, promotes quality and integrates safety into what it does, then maybe they are approaching the job wrong.

  • Well done and like it. More of this type of information regarding Risk Management needs to be distributed in a simple manner. RM must get out and kick the tires, sell themselves or else become a potted plant.

  • Great article. A bit of courage and education goes a long way. The article alludes to courage in saying 'Once they’re hired, Good says they then “wait for the invitation from senior management.”' On education, 'Education, say the experts, is integral to a risk manager’s career.' Based on experience in market risk management, I couldn't agree more.

  • Janey M

    For Risk Management to make a difference organisations need to respect what Risk Management has to offer. It’s all well and good if a Risk Manager understands intrinsically what is required and how risks can be mitigated however if the senior team does not value this input then nothing changes. For Risk to have any real meaning it needs to be involved at the coal face, to gain a depth of understanding of the real issues as opposed to ad hoc involvement. Risk needs to be part of the decision making process not just on the fringe and it needs to be part of the business. In answer to the question “Is Risk Management Obsolete?” then “yes” if the powers that be don’t take it seriously and don’t integrate Risk Management as part of the senior team. If the function isn’t involved in the decision making process then it gains no merit and adds no value – it becomes an administrative function. At the end of the day how the Risk function operates regardless as to how credible the manager, is based on how serious the role is sponsored. It needs both capability and credibility – and like all functions within business it needs to be understood and valued.

  • Ken McDonald

    Risk managers have to ensure they are fully engaged with business activities and developments to highlight risks that are heating up, new ones that are emerging to enable the business to fully understand the risk reward ratio. If risk managers are not engaged, or engaged too late, the business will often be too far down the line to change direction and this usually reflects badly on the risk function. Good challenging article but believe if risk managers want to add value and earn their packages they already knew what they needed to do!

  • Joe Hardy

    Lori, a great article and very timely with the RIMS Conference in LA from April 21st-24th. I agree with all the comments from Mr Ewing. I also believe we have made risk management too complicated. We went from calling it Risk Management to the following:
    1. Holistic Risk Management
    2. Enterprise Risk Management
    3. Strategic Risk Management
    4. Enterprise Behavioral Risk Management
    5. Governance Risk and Compliance
    With all this jargon who really is accountable for managing risk?
    If we keep it simple and call it Managing Business Risk, then all parties within an organization will understand what that means to them. So let's go back to the basics, Managing Business Risk in a much more Collaborative way. Let's manage risks that are Hazardous, Financial, Operational and Strategic. The risk management discipline needs to be recognized as a profession and until that happens the position will struggle for that place at the big table. I am a believer that you need to sell risk management within your organization just like any other commodity. Risk Management is not Obsolete, but risk managers need to take more ownership and be more proactive in pushing for the discipline to be recognized as a profession and this can only be accomplished by advanced education.

    • But at the same time, and particularly in the public sector, risk managers should NOT hide behind the veil of complexity and allow the barrier to establishing a risk management program be that "it's too difficult or complex." A good program is likely to have developmental phases and it's only with the commitment to its implementation that the organization can develop a program that provides them value, and the road to return will likely be a long one. Should a risk office create a perfect policy that no one cares about, or that fails to adequately provide the changes of behaviors and the contextualization of why those changes are necessary for employees at every level of the organization to become better risk managers, then you are merely creating another demand for employees to meet, which is in stark contrast of the engagement needed to identify and manage strategic and operational risks. The financial ones you can always insure, and that's the point of the article. Well done.

      • Joe brings up a good point about the organization and classification of risk management. Not all risk management is equal and there's a variety of flavors when choosing a strategy (or multiple strategies) for a given institution. It's hard to put a blanket term on a process that's practiced & tailored to so many unique situations. At the end of the day, someone must be held responsible (in the same way that KPIs are made relevant to a specific person or team).

        I don't think that the correct classification or specialization of risk management mitigates that responsibility, though.

  • Excellent article. Risk Management is a relational role. A good, effective Risk Manager will build relationships, take time to understand the goals and motivations of the executive and the departments that need to be involved in the management of risk. I think by nature, Risk Management attracts people who are predominantly Safety and Security driven – they think about the 'what if…' scenarios, and that's often what they do best. But that's not how the Marketing Manager thinks, or the Sales Manager, or the CEO in most cases. So, understanding the Expectations and the Needs of the people who they need co-operation from, who they want to be an advisor to, is critical to creating significance in the Risk Manager's role – in short, you need the rest of the business to trust you.

    One of the things we are doing now is reinvigorating Risk Management by including the concept of the development of the 'CTO' – the Chief Trust Officer, who is responsible for managing the greatest risk to any business: the loss of trust.

    Risk Management needs to be there, absolutely, but it needs a hook to pull itself back up to the level and importance that it should hold in any organisation – it needs to be trusted, and it needs to be relational. It will simply die off, or slink into the background without that.

  • Hassan Abdeljalil

    I like this article and comments. The hardest point is to have time to learn more about business, to define an ERM framework and to propose solutions to mitigate business risks.

  • Rob Groves

    Excellent presentation of the issues and challenges facing risk management practitioners in today's market. I firmly believe that we, as risk managers, need to find ways within the culture of our organization to raise the awareness of the value that can be added by effective risk management. It is then our goal to continue our efforts to ensure the value is realized. Part of the challenge in dealing with risk matters these days is that risks can be identified but unless there is buy-in from the front line employees, there is little chance of success. This is where the public engagement component of the article is dead on. We need to engage our various stakeholders in discussions and find viable and acceptable responses to the risk challenges identified. If the average worker understands why something is done, they will support the activity. I would love to see more discussion of strategies in this regard in future articles.

    • Pd.T.F.

      Lori –
      Ya' hit the nail on the head…..
      Todd, Scott, Gordon, Keith, Greg, Janey, Ken, Joe, Vanessa, Hassan and Rob are most astute and perceptive.
      Joe is especially observant…… 5 different names through the years…….. same product……
      I've been practicing ERM for 20+ years before the term ERM was even "coined"…….
      Mike Benishek, Pd.T.F.

  • Marshell

    Very interesting article and great feedback. I also find that the role of a risk manager may significantly differ per organization and/or industry. Many also have additional responsibilities, or wear other hats that may include security, privacy, audit and/or compliance, HR, Legal, etc. In my opinion, Risk Managers have one of the hardest jobs in the organization and probably most undervalued. They are usually responsible to identify and report risk for the entire organization, top to bottom. This also means they must have extensive knowledge of the operations of every department and keep up to date on current issues and regulatory actions.

  • kartik

    This article has added nothing new but sermonising what risk managers need to do. I think Janey is right when she says that risk management needs sponsorship. When the corporate culture veers towards "short termism" and architecture is designed to divorce the risk function from business decisioning and is only used as a counterweight (opinion), little will change at the ground level. By designing the risk function separately in the current management architecture, the business conveniently avoids the pitfalls/accountability of aggressive risk taking (eulogised as entrepreneurial spirit)…

    If you may recall the chief risk officer of large MNC bank in the US during the crisis put a scathing anonymous letter to The Economist on the role of risk management. Even today the chief risk officer does not get a seat on the board. It is the CEO and CFO; how do we expect things to change? The flaw is the lack of empowerment in the role. Risk is best managed when the overall risk responsibility and accountability is with the business, and until then the present state of affairs of a subdued risk management presence will continue to show up…

  • Robert Cranmer

    Some interesting and very relevant points in the article regardless of the industry and country in which one is operating. For me the most important message is 'relevance'…….too often risk managers (and I reflect from a financial services perspective) do what they have always done "because"……and also too often hide behind regulation. Regulations are guidelines and it is up to the Risk Manager in conjunction with business to ensure that what is being managed is appropriate and the cost/benefit ratio fully understood. There is no need to measure everything but RM's should know what the 'everything' is and collectively, with Senior Exec buy-in, measure and monitor that which is most critical.

  • I see that corporate culture is changing and risk management/CRO is getting involved in the decision making process at transaction level, product level and also at organizational level. I have personally experienced that enhanced and proactive participation from risk in transaction structuring and product development get them much higher value in the organization. However risk management role does get impeded as mostly and at last CEOs and Board members are driven by business goals. Most of the organizations are structured in a manner where Risk management has to ultimately succumb to business pressure from top.

  • Willem Jan (WJ) de Waal

    Great view

  • Managing risk is about achieving the business objectives of the firm. The risk auditor and tick box mentality does not deliver risk management. Good article generally.

  • Charlotte McLeod

    I work in Risk Management, and don't touch insurance! I only deal with project Risk Management; ensuring the deliverables are achieved on time and within budget, and providing management with the knowledge and supporting information to make informed decisions. This sector of RM is growing in line with the large number of developments and construction activities globally. Don't simply think Risk Management is limited to insurance and the finance sector – there's a whole world out there for the eager and talented to explore within other sectors like nuclear, oil and gas, construction, infrastructure (rail / highways).

  • Mark Higby

    My 2¢… The title is misleading at best and the article only rehashes the same issues that risk professionals have faced and discussed for 30 years. BUT… the paragraph on Anatomy of a Risk Pro is spot on… and applies to all of senior management, not just risk pros. If you can't constantly be aware of what you don't know and be willing to put the effort into learning, instead of propagating the status quo, then you will never optimize your risk management.

  • Fonahanmi

    Great article, and good comments. In developing countries, we live and work in an environment of Risk. Most individuals who claim to be religious and happen to work in top management positions of an organization have the mentality that GOD is their insurer. They hardly want to pay an insurance premium for any adversity. Similarly, most insurance in the same environment, make bold the print of their premium and tiny italics the terms and conditions of the insurance that will not make the organization promptly pay claims when the unexpected happens. Personally, I think Risk Management is much more relevant now than ever before, but the operators who are to be the game-changers seem “obsolete” in terms of new ideas in tune with development. A lot of information and enlightenment of minds is required as we live and work within a world full of RISK.

  • Anette

    Very good and interesting article with some relevant facts and appropriate/tough hints for risk managers. However, as indicated by Charlotte McLeod risk management and insurance management are two different things. Insurance is only a risk transfer technique for certain types of risks.

  • I think historically too many Risk Managers focussed on forensic type analysis and not proactive risk preventing activities. I once interviewed for a risk job and was told I would be too busy putting out fires to be proactive about anything. We need to work harder than we have to be business partners with the groups we work with.

  • Stephen Smurthwaite

    Some very good points in this article, I believe that by waiting for the invitation Risk Managers run the risk of becoming "wallflowers" or being left out in the cold. Risk Managers must understand the business and its objectives and as said in the article a very good way of facilitating this is to socialise and then go back with ideas. This also offers the opportunity for the Risk Manager to inform others in the organisation who may not be aware of how they will be affected.

  • David G Wilson

    "…crazy notion that risk management should not be a profession at all" – NOT SO CRAZY! As someone involved with the insurance industry for over 30 years and having spent the last 4 researching and writing on topics related to complexity, risk and uncertainty, it is, frankly, laughable that anyone within FS labours under the illusion that we are in any way 'professional'!

    The lust for high growth and market share saw the sector become slaves to a failed model, based upon flawed economic theory with a rating that is, at best, quasi-scientific and risk management tools, techniques and thinking that lack the requisite variety to enable it to fulfil its intended purpose. If it were not so then transparency would be seen as an opportunity and NOT a threat. Regulation could be 'light touch' and actually benefit the customer instead of being a huge financial and administrative burden that benefits no-one except Regulators and lawyers.

    This extract is from an excellent book, 'The Checklist Manifesto' by Atul Gawande. As a surgeon AG is better used to managing risk in a highly complex, life or death environment than many self-anointed risk professionals.

    All learned occupations have a definition of professionalism, a code of conduct. It is where they spell out their ideals and duties. The codes are sometimes stated, sometimes just understood. But they all have at least three common elements.

    First is an expectation of selflessness: that we accept responsibility for others – whether we are doctors, lawyers, teachers, public authorities, soldiers, or pilots – will place the needs and concerns of those who depend on us above our own.

    Second is an expectation of skill: that we will aim for excellence in our knowledge and expertise.

    Third is an expectation of trust-worthiness: that we will be responsible in our personal behaviour toward our charges.

    Aviators, however, add a fourth expectation, discipline: discipline in following prudent procedure and in functioning with others. This is a concept almost entirely outside the lexicon of most professions, including my own. In medicine, we hold up "autonomy" as a professional lodestar, a principle that stands in direct opposition to discipline. But in a world in which success now requires large enterprises, teams of clinicians, high-risk technologies, and knowledge that outstrips any one person's abilities, individual autonomy hardly seems the ideal we should aim for. It has the ring more of protectionism than of excellence. The closest our professional code comes to articulating the goal is an occasional plea for "collegiality". What is needed, however, isn't just that people working together be nice to each other. It is a discipline.

    Discipline is hard – harder than trust-worthiness and skill and perhaps even harder than selflessness. We are by nature flawed and inconstant creatures. We can't even keep from snacking between meals. We are not built for discipline. We are built for novelty and excitement, not for careful attention to detail. Discipline is something we have to work at.

    That's perhaps why aviation has required institutions to make discipline a norm…

  • Marlon

    At least at the operational level, for risk management to be felt and appreciated, risk and control self assessment should be imbedded as part of the requirement in all processes, function and lined up projects. This is to ensure that the uncertainties in the achievement of the objectives on affected processes, function and or projects are identified and managed. Since nobody wants to fail, in some other form risk mgmt. is actually being done on a daily basis, maybe not in a full & formal manner but with this, risk mgmt. cannot actually be made obsolete.

  • Education, attitude, integration and experience are the four main ingredients a risk manager requires to deliver value to his/her organisation. However, the same responsibility lies with the senior most managers at Board level to understand that value will only arise if they appoint the right person for this role and afford them the required support and authority to deliver the professionalism discussed in the article.
    Professionalism is a two-way equation at Enterprise level and lunch is only the start.

  • The Chief Risk Officer should be familiar with each of the risks disclosed in a public company's 10K section 1A (or a private company's risk assessment analog), understand the proximate causes, and have a mitigation strategy for each.

    As obvious as the above may appear, many risk officers will be challenged as an increasing number of the risks now speak to enterprise level consequences — the most prominent being reputation which rose as disclosed risk from 40 of the S&P500 companies in 2009 to 343 of the S&P500 companies in 2012.

  • Addressing the aspect of people risk is the only way an organisation can improve the way their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation.

  • Christopher Stephens

    Lori, Excellent article as it focuses on the true limitations that plague our profession. If anything this shows us that complacency should not be the driving force in our profession. In order for any risk professional to be truly effective he/she must work with management to show that a reduction of premium is just the tip of the iceberg and that is not something that is going to magically appear overnight. The goal of any risk manager is to integrate oneself into the very fiber of the organization and that comes with getting to know each aspect of the business's operations and to continuously encourage feedback from every employee. In order to be innovative, Risk should be viewed as a collective process as it is every employee's responsibility and not just that of the Risk Manager. Often it is too easy to become complacent once we obtain the position. But ignorance does not encourage innovation. We need to educate the C suite executives that Risk is an integral component of any organization's business plan and provide them with more detail with our assessments of their true risks, to provide a clear plan that shows them the many steps that are involved in reducing the premium. To educate them that effective Risk Management can have an immediate and positive impact on their bottom line. After all, ERM is not just the sum of the parts as much as it is the whole of their existence. Once we have accomplished this transparency is when we will know we have finally earned our place in the C suite.

  • Vilma

    Thanks for the article. It is perfectly corresponding with my view based on personal experience. Working as a consultant, I encourage my clients to develop risk management culture in the organization instead of just appointing risk manager. I strongly believe in risk ownership and awareness inside the business. When head of sales admits that he has very concentrated skills inside the team, he starts to spend more time with his personnel developing them and coaching instead of pushing. When new product is tested not only on competitiveness in the market but on possible operational and/or financial risks before to be launched, the company can save considerable amount of time and money.
    Certainly, someone shall coordinate the process of building risk awareness and installation of risk management process itself. Maybe, that is the alternative for risk managers as professionals?

  • Becky.C

    Nailed it…. at my company! "visibility, awareness – relevance"; RM is much more than claim management and acquiring coverage – so…… how and where do we begin to change it? (please… not with just a name change!)

  • phelandrtom

    The tone of the article suggests that risk management is a neglected and obsolete field. It is dead, according to the writer.

  • Hariharan

    How does one get across the real value-add that the risk gives to the business – it is all about perception and as Vanessa Hall has said in her comments earlier, it is a 'relational role' and about how to be a 'Chief Trust Officer' -good one Vanessa.

  • Chris Linton

    Very insightful piece as I have thoughts on expanding my own EHS knowledge base by complementing it with RM. You often do not know as an EHS practitioner what are the ways to perhaps transition to RM as there is no clear cut path to take.

  • Estefan James

    ALL senior executives will never relinquish control of critical decisions to a risk manager. As an example, have you ever heard a risk manager say that, despite the CEO and CFO, they DECIDED to nix an acquisition? Doubt it. As such, the risk manager usually has no power over important decisions. The real risk manager is therefore the CEO and sometimes the CFO but NEVER the designated risk manager. In reality, the risk manager serves as a financial defense and, if there is a problem, to serve as the person to blame. There have been some risk managers, usually in financial institutions and utilities, who wield power; but, if you peel back the onion in these cases, most of these guys have a major P/L influence and a regulatory position. Even for these people, the 2008 banking crisis proved them as failures.

  • Risk Management is only obsolete when you go out-of-business! To prevent going out of business you need to build an effective Risk Culture!

    All companies are practicing some level of risk management, either on a formal basis, with policies, processes and systems; or on an informal basis, without any risk management structure. Those who are not good at risk management or doing nothing about risk management will be exploited by those who are good at it, so it is time to do some “stock-taking” of your risk management capabilities.

    Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    Risk Culture Building is the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation. No two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by a number of factors, the main ones are:

    • Nationality & culture
    • Childhood experiences (and formative environment)
    • Work ethics, trust & honesty
    • Education (and the way it was obtained)
    • Work experience
    • Religion and other spiritual thinking

    To start this process an organisation first needs to get an accurate picture of the current level of risk culture maturity in the organisation.

    Although most inputs in any kind of maturity assessment are subjective, there is value in using a combination of approaches, but generally the outcome, due to human nature and perception, is always mid-point or average. These processes generally fail to identify specific weaknesses or action plans.

    There is no standard definition for the different levels of maturity, but an interesting aspect is that most practitioners working on this use the concept of 5 different levels of maturity, this in itself also contributes to most consolidated assessment results ending up at mid-point.

    I have defined the five levels of Risk Culture maturity as follows:

    * a bad risk culture, people will NOT do the right things regardless of risk policies and controls

    * a typical risk culture, people will do the right things when risk policies and controls are in place

    * a good risk culture, people will do the right things even when risk policies and controls are not in place

    * an effective risk culture, every person will do something about the risks associated with his/her job on a daily basis

    * the ultimate risk culture, every person is a risk manager and will evaluate, control and optimise risks to build sustainable competitive advantage for the organisation

    Once an organisation has established the level of maturity, the Board of Directors and Executive Management can commence the process of Risk Culture Building. It is not possible to implement risk culture in any organisation; it is a process of building, starting at the top. There are no best practices that can be implemented, the risk culture must be built upon the underlying corporate culture, so each risk culture building process is organisational specific and unique.

    The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

    More here:

  • Jesus Levy

    Yep. Especially when their compensation packages include bonuses on premium reductions. But that's not something to blame the Risk Managers for, but their employers.

