If there was ever a time to get the most out of risk management and insurance, it is now. The COVID-19 pandemic has forced operational shutdowns, lay-offs, project cancellations and major supply chain reorganizations. It has also pushed companies to shift spending toward parts of the business that need immediate funds to either thrive or survive.
Risk professionals have been at the heart of these processes, yet it is still common for boards and risk committees to overlook their skills, expertise and experience and view the role of risk professionals in narrow terms.
Furthermore, executives and risk committees tend to overlook the contribution they themselves can make to risk discussions by failing to share insights gained through their collective corporate and cross-industry experiences. After all, many committee members have extensive backgrounds as corporate executives. As such, they may have been involved in setting the risk appetite and reviewing risk management frameworks and processes for other enterprises and have valuable lessons to share for yours. A close relationship with the risk committee can also provide risk professionals with access to members’ networks and contacts.
Taking advantage of these resources and experience and developing an understanding of what motivates the committee will also help risk professionals develop risk plans.
“If risk managers want to take the relationship they have with the risk committee and the board further, they need to know who they are dealing with and what makes them tick,” said John Drummond, chair of business consultancy Corporate Culture. “Once they do that, they can then tap into that experience.”
Basic research can help get the ball rolling. “Look at their CVs and what directorships they hold or have held,” said Val Jonas, CEO of business consultancy Risk Decisions. “Use that information to ask individual committee members for their input by directly addressing them on particular issues that you think will be relevant to them. You can then open up the conversation to the rest of the committee to see if they want to add anything.”
Collaboration and Conversation
Experts believe there are currently problems with the risk committee relationship because traditional risk reporting and interactions between risk managers and executives have become too formulaic. Risk managers discuss a pre-approved risk plan in front of a committee, wait for feedback, and then go off and do what they are mandated to do—sometimes without challenge or further input. In the post-COVID world, a check-the-box approach will not be effective, if it ever was.
“Too often, risk reporting is simply what it sounds like: A head of risk gives an update on the key risks to the business and what steps the function has taken to minimize or control them, then leaves,” Jonas said. “Risk management has much more to offer than risk reporting. Meetings with executives are an opportunity to demonstrate this, as well as find out what boards actually want from the risk function in the long run.”
Risk professionals should ask executives about their goals for the risk management function and how they would like to see it evolve in the next few years. “There is a real opportunity for the risk committee, for example, to work with the risk manager and ask him or her to set out what their vision is for the function—how risk management can expand its role; provide wider, deeper and better assurance; help support the overall strategy implementation; get involved in new areas and so on,” she said. “Such conversations would help transform risk management into a much more proactive and strategic force within the organization.”
Jonas believes that the COVID-19 pandemic could provide the risk management profession with an opportunity to assert itself. “Risk has never been so high on a board’s agenda,” she said. “Companies have had to think fast and act fast due to COVID-19, and these strange circumstances have given risk management a unique opportunity to show its strengths. Heads of risk need to capitalize on this to showcase what they can do.”
Given this, risk managers must be prepared to steer the conversation to work toward a deeper and closer partnership. She suggested that risk professionals start by asking members questions or directly soliciting their opinions if they are not engaging or pressing for more details. “As the head of the risk function, it is your responsibility to try to come away from any meeting with the board or the risk committee with the answers and help you want,” she said.
Risk managers need to push for a “one to-one relationship” with the members of the risk committee. “The conversation needs to be ongoing and should not be limited to a brief meeting every three months,” said Julianna Forsyth, senior vice president for risk management at Marsh Commercial. “CROs need to be more forceful about making other appointments—even informally—with individuals from the committee to discuss risk topics, share ideas, talk about difficulties such as resourcing issues, and get a better feel for what they want from the function. More frequent email exchanges and even video-conferencing would be helpful, too.”
It is important “to create a dialogue with the risk committee rather than just go and reel off a list of risks and controls as a one-sided conversation,” said Nick Watson, corporate and commercial partner at Keystone Law. Risk professionals should also take care not to re-tread old ground. “Giving a presentation that gives too much focus on historic risks to the business—even from the previous year—is not helpful,” he said.
Instead, begin a fresh dialogue about what risks may be on the horizon and how they may impact corporate strategy, Watson advised, noting he believes risk professionals should align themselves with ensuring strategic success. Risk functions should do this, he said, “by showing that they understand what the strategy is and how it will be delivered, as well as by challenging the assumptions that underpin it to see if management has understood the type of risks involved and their impact.” Watson also cautioned risk managers to “avoid a rigid adherence to policy or procedure that can set you at odds with business goals and commercial reality.”
Raising the Risk Management Profile
If risk professionals want to be taken more seriously, they need to visualize how they want to be regarded and move toward that goal, Watson said. “If risk managers want to be listened to, be taken more seriously, and be able influence the debate and its outcomes, then they need to think how they can make that happen,” he explained. “They need to build their part up.”
For example, if risk professionals want to be seen as proactive and business-savvy, they should consider how best to demonstrate these attributes in a meeting. “A positive outlook works better than a negative one,” Watson said. “A frequent criticism of risk management is that the function just lays out the risks to the business in order of severity and likelihood and suggests actions for management to take. That approach doesn’t generate a conversation easily. Instead, risk managers need to think about what the organization’s goals are and what the board wants to achieve, and then suggest ways that the risk function can help—perhaps by moving into new areas, working with other in-house teams such as compliance, internal audit or project management, and suggesting ways that progress and success can be monitored, measured and achieved.”
Hard numbers and verified data always carry weight when trying to earn the respect of the board and the risk committee. Anecdotes and analytical examples of the good or bad experiences of other companies also add color and can demonstrate that you know what it takes to succeed. “Show the risk committee that you have done your homework and that you have the evidence to back up your claims and ideas,” Watson said.
Another way to win over executives is to build a broad base of support, both with operational areas and with other assurance functions. “Align yourself with business leaders in all areas—sales, operations, finance, IT and so on—and find out what their priorities are, and what they think are the key risks to the business from their perspectives,” he said. “Also, work closely with other assurance functions—compliance, legal, human resources and IT, for example—to get a unified view of risk to present to the board. This will also avoid duplication of work and prevent a drain on resources.”
Looking at the upside can help get on the risk committee’s good side as well. Drummond suggested that providing ways to leverage the upsides of risk will always grab their attention, as will looking for quick, provable wins and realizing opportunities that are easy to turn around, can rely on in-house expertise, and bring in revenue rather than strain resources. Looking widely at risks in the sector and the economy, not just within the organization, can provide greater confidence and shows industry knowledge. It also helps to provide options, rather than singular recommendations. “Executives need to ultimately make the decision,” he said. “Giving them just one option means that you have made the decision, but that they need to action it. That’s not how the relationship works.”
Some experts believe, on the other hand, that there is no “trick” to getting executives on your side: Good risk managers who can prove their worth will always have an executive’s ear. Bob Sibik, senior vice president of software vendor Fusion Risk Management, said that the best way for risk managers to deepen the relationship they have with executives and management is “to keep doing what they’re doing—only better.”
Ensuring that the organization continues to provide stakeholder value is the most important issue for risk managers to bear in mind. “Delivering value is the ultimate goal of any organization,” he said. “Failing to achieve that raises questions not only about the board, but also about risk management’s capabilities and standing.”
Strategic Focus
There are plenty of ways that risk managers can get the notice of the risk committee and the board, but to avoid having the relationship be one-sided, experts stress that risk professionals should not be making all the moves—executives also need to open up more and be prepared to give more, especially around strategy.
“If executives want the risk function to think more strategically, they need to tell them what the strategy is in full,” Forsyth said. “Risk functions can’t add any real value unless they know the full picture, so the board and the risk committee need to share information too, and do so regularly.”
Risk committees also need to be more willing to challenge risk management to get the best out of the function. “Risk committees rarely question whether the risk plan that has been agreed upon is actually the right one for the business—even if the risk landscape or circumstances impacting the business have changed,” she said.
Risk committees too often see their role as reviewing and overseeing a process that has already been agreed with management, and which therefore must presumably be the right one to satisfy the needs of the business, Forsyth said. It is very rare that the underlying premise of the risk plan is questioned. Risk committees often assume that all the work laid out in the plan can be done appropriately and on budget.
Increasing scrutiny of the board and risk committee should incentivize working more closely with risk professionals. There is much more pressure now on executives to probe the robustness of the organization’s approach to risk management, said Neil Kirton, EMEA regional managing director in Kroll’s business intelligence and investigations practice. “Investors want much more information about a company’s risk management framework, how it is reviewed and resourced, and who in the organization is responsible for overseeing risks on an operational level or day-to-day basis,” he said. “A risk committee that fails to ask probing questions about how risks are managed in the business is failing to uphold proper corporate governance.”
Anecdotal evidence suggests that risk committees and boards are asking more questions about the risk management process, and that they have a greater willingness to support the function further, especially during the pandemic and the recovery to come. The relationship can be most improved—and the associated benefits quickly realized—if both sides showcase their experience, are willing to have an open dialogue, and make a greater effort to align risk management to the organization’s strategy.