"Risk Management” used to be a remote and quantitative function, ideally entrusted to a highly skilled number-cruncher endowed with the unique ability to master every aspect of an organisation’s activities. History – and a series of financial and economic crises – have since proven this was not the best approach. What exactly is the role of the Risk Manager and what skills do they need?
For a long time, the role of the Risk Manager was somewhat confined to that of a specialist secluded in his tower and poring over the myriad of processes involved in an organisation’s daily work. This way of working was not very different from the philosophy of audit or compliance monitoring. But while audit and compliance are more about making sure the organisation can draw on the lessons of past errors to shape its future, risk management is about trying to make the organisation resilient to hitherto undeclared threats, whether known or unsuspected.
The crisis of 2008 laid bare the shortcomings of the old risk management approach, too often blinded by the race for precision and losing track of the big picture. It has highlighted both the difficulty of seeing the elephant in the room – the financial risks linked to multiplying layers of securitisation – and the lack of direction to react collectively to materialising threats. Corporations and risk management specialists have drawn useful lessons from this troubled period. Among other things, they have come to realise that being aware of risks was fine, but that this was never going to be enough, especially since the financial risks were added to operational or strategic risks, and that they materialized mostly due to non-financial triggers.
However hard you try, you will never be able to draw a complete list of the risks the organisation might be facing, neither alone, nor by putting people from different departments around the table. Although many blamed “models” in finance, for example, it is clear that lack of good governance and capacity of action were fundamental. A crucial piece of information that leads to no action is a non-event. The solution lies therefore in a more complete framework.
Today, risk management is about enabling an organisation to become resilient: in other words, to teach its members to rapidly interpret news but also to react swiftly and efficiently, and to coordinate these reactions. From a somewhat individual responsibility, risk management has now become a collective endeavour, achieved only by empowering every member of the organisation. In other words, the emphasis lies on everyone being imbued with principles of good governance and risk awareness.
As a result, the risk manager’s role has expanded. He was once expected to master every operational, IT and financial process, to evaluate its risks and devise procedures to mitigate them. Today, he is also expected to become an educator, an enabler, someone who can break down silos and foster an enterprise-wide dialogue and decision-making. Rather than devising complex procedures, he is expected to help create a company-wide risk management culture that places responsibility in everyone’s hands, foster permanent dialogue with all risk management stakeholders, and be an engaged contributor to the Board’s decision-making process. And, “cherry on the cake”, this will help the organisation drive revenues – very different to how risk management used to be seen: all too frequently as a costly drudgery.
As a result, today’s risk managers have to grow into their function. Even if they start with specialist knowledge of a particular field, they need to broaden their focus. Their role requires them to be generalists. Far from the minutiae of every procedure, they need to gain a broad understanding of the organisation. They are expected to take the helicopter view and to see their organisation as a whole, focusing on the role of each department and activity, and at the same time on how these departments interact and influence each other.
Based on that picture, their role is to work with every department and involve them in designing a global risk awareness culture that incorporates risk into business thinking, and into decision-making processes. Their role is not to evaluate every decision taken at any level in the company, but rather to make sure that everyone, at every level of the company, develops an awareness of the balance between risks and opportunities, and uses this awareness to make sounder business decisions.
On top of their generalists' knowledge, risk managers have to cultivate a set of critical soft skills:
This job description marks a fundamental switch. Not only have their knowledge requirements changed, but their entire skillset has shifted. This is also the reason why training like the Executive Programme in Risk Management does not solely focus on acquiring knowledge and skills. One of our chief aims is to multiply networking opportunities for Risk Managers: discussion between practitioners, enabling the sharing of experiences and best practices, is an integral part of the curriculum, and will be for years to come. This is why we developed a partnership with the London-based Institute for Risk Management, organising joint conferences and events. Contributing to a strong international network of risk practitioners will be of tremendous value to our students, our teachers and the risk community as a whole.