In the previous post, I discussed the role risk managers can play in Strategic Risk Management (SRM). In my view to enter into the SRM arena, risk managers need to change their own mindset first. Presently the risk management function focuses on mitigating operational risks at micro level and hedging financial risks. To add to the confusion people equate SRM to Financial Risk Management. In my view SRM is more than hedging of risks, as this is risk mitigation where risk is viewed as a threat. Business strategy covers market, operations, finance, resources and products. Hence, SRM encompasses exploiting the upside and protecting the downside of business strategies across functions to increase business value
Risk managers are nowhere near addressing the strategic risks. As per the survey “Fall guys : Risk management in the front line – A report from the Economist Intelligence Unit Sponsored by ACE and KPMG” – just 41% of the organizations involve risk management function in formulating and implementing corporate strategy. The gap is huge and risk managers need to restructure and reframe their departments to focus on strategic risk. I am giving here three suggestions for risk managers to bring about this change.
1. Fragmented risk management departments
Risk management function in a large organization constitutes of internal audit, compliance, information security, disaster recovery, fraud risk and physical security departments. Sometimes these departments are integrated and reporting to one Chief Risk Officer. In some organizations, these departments are reporting to different functional heads, namely Chief Financial Officer, Head of Shared Services, Chief Technology Officer etc.
These departments are all focused on addressing the financial and operational issues of the business. None of them has the objective to provide a strategic level understanding of business risks to CEO and board. When the department structuring and key performance indicators are incorrect, it is not possible to address larger issues of the business. The first step is to restructure the risk management function and prepare an annual plan incorporating time for addressing strategic risks. Risk management function should integrate embed itself in the organization framework.
2. Risk managers focus on negative aspects
Generally, on checking risk registers one will find negative aspects – threats and weakness with a “what can go wrong” analysis. Risk registers do not contain the opportunities business managers can exploit to increase business value. The positive aspects or the upside of risk is not evaluated by risk managers. Without it, how can they contribute to strategy? According to Economic Intelligence Unit survey, senior managers think risk management function top three objectives are- identifying new and emerging risks, enabling managers to make better business decisions and ensuring corporate survival.
Sit back and think about it, how many risk managers have effectively contributed towards these objectives in the last year. Risk managers need to start working towards being business partners and enablers. That is, focus on the constructive aspects and become solution providers.
3. Supply not meeting demand
According to the Economist Intelligence Unit survey, the top three activities, which risk managers focus on, are – conforming to regulatory requirements, securing corporate reputation and image, and stemming financial loss. The top three risks which senior management are concerned about – weak demand, instability in one of the major markets, and financial market instability. In the analysis of top ten, some of the risks mentioned in senior management demand and risk managers supply chart are common. However, it is clear that there is variance is senior management requirements and risk managers’ fulfillment. What is demanded is not supplied.
Hence, it shouldn’t surprise risk managers that senior management is frustrated and does not see value add from their role. Risk managers need to get a better understanding of senior management expectations to become involved at strategic level. Leave the risk management jargon at your desk and focus on understanding business strategy.
Risk managers need to develop a holistic view, look at the big picture and understand macro level risks. The focus should shift from identifying micro level financial and operational weaknesses in the business to strategic level. Risk management functions need to rebrand themselves from being problem creators and nitpickers to business partners and positive contributors. The doors to the CEO and board cabins will only open when risk managers effectively address strategic business risks and demonstrate to board their business understanding and usefulness