Risk Managers Are Becoming Culture Enablers
"Risk Management” used to be a remote and quantitative function, ideally entrusted to a highly skilled number-cruncher endowed with the unique ability to master every aspect of an organisation’s activities. History – and a series of financial and economic crises – have since proven this was not the best approach. What exactly is the role of the Risk Manager and what skills do they need?
For a long time, the role of the Risk Manager was somewhat confined to that of a specialist secluded in his tower and poring over the myriad of processes involved in an organisation’s daily work. This way of working was not very different from the philosophy of audit or compliance monitoring. But while audit and compliance are more about making sure the organisation can draw on the lessons of past errors to shape its future, risk management is about trying to make the organisation resilient to hitherto undeclared threats, whether known or unsuspected.
Lessons from the crisis
The crisis of 2008 laid bare the shortcomings of the old risk management approach, too often blinded by the race for precision and losing track of the big picture. It has highlighted both the difficulty of seeing the elephant in the room – the financial risks linked to multiplying layers of securitisation – and the lack of direction to react collectively to materialising threats. Corporations and risk management specialists have drawn useful lessons from this troubled period. Among other things, they have come to realise that being aware of risks was fine, but that this was never going to be enough, especially since the financial risks were added to operational or strategic risks, and that they materialized mostly due to non-financial triggers.
However hard you try, you will never be able to draw a complete list of the risks the organisation might be facing, neither alone, nor by putting people from different departments around the table. Although many blamed “models” in finance, for example, it is clear that lack of good governance and capacity of action were fundamental. A crucial piece of information that leads to no action is a non-event. The solution lies therefore in a more complete framework.
Today, risk management is about enabling an organisation to become resilient: in other words, to teach its members to rapidly interpret news but also to react swiftly and efficiently, and to coordinate these reactions. From a somewhat individual responsibility, risk management has now become a collective endeavour, achieved only by empowering every member of the organisation. In other words, the emphasis lies on everyone being imbued with principles of good governance and risk awareness.
As a result, the risk manager’s role has expanded. He was once expected to master every operational, IT and financial process, to evaluate its risks and devise procedures to mitigate them. Today, he is also expected to become an educator, an enabler, someone who has the capacity to break down silos and foster an enterprise-wide dialogue and decision-making. Rather than devising complex procedures, he is expected to help create a company-wide risk management culture that places responsibility in everyone’s hands, to foster permanent dialogue with all risk management stakeholders, and to be an engaged contributor to the Board’s decision-making process. And, “cherry on the cake”, this will help the organisation drive revenues – very different to how risk management used to be seen: all too frequently as a costly drudgery.
The era of generalists
As a result, today’s risk managers have to grow into their function. Even if they start with specialist knowledge of a particular field, they need to broaden their focus. Their role requires them to be generalists. Far from the minutiae of every procedure, they need to gain a broad understanding of the organisation. They are expected to take the helicopter view and to see their organisation as a whole, focusing on the role of each department and activity, and at the same time on how these departments interact and influence each other.
Based on that picture, their role is to work with every department and involve them in designing a global risk awareness culture that incorporates risk into business thinking, and into decision-making processes. Their role is not to evaluate every decision taken at any level in the company, but rather to make sure that everyone, at every level of the company, develops an awareness of the balance between risks and opportunities, and uses this awareness to make sounder business decisions.
Facilitators and negotiators
On top of their generalist’s knowledge, risk managers have to cultivate a set of critical soft skills:
- they have to become skilled at negotiating, as their role is to get managers to adhere to new standards and to become champions of the practices they helped to design;
- they have to become culture builders, as they are expected to weave risk-awareness and risk-opportunities reasoning into the culture of the organisation;
- they have to act as change managers, in order to embed these cultural changes into the everyday business thinking of every member of the organisation.
This job description marks a fundamental switch. Not only have their knowledge requirements changed, their entire skillset has shifted. This is also the reason why training like the Executive Programme in Risk Management do not solely focus on acquiring knowledge and skills. One of our chief aims is to multiply networking opportunities for Risk Managers: discussion between practitioners, enabling the sharing of experiences and best practices, is an integral part of the curriculum, and will be for years to come. This is why we developed a partnership with the London-based Institute for Risk Management, organising joint conferences and events. Contributing to a strong international network of risk practitioners will be of tremendous value to our students, our teachers and the risk community as a whole.