What Does a Risk Management Professional Do?
People often ask me what I do as a risk manager. To understand the job, I find that it helps to have context about Enterprise Risk Management (ERM). ERM provides a framework that directs an organization’s risk activities.
Risk management is a distinct field of practice that requires specialized skills and knowledge. Good ERM demands that senior management embrace a holistic risk culture and accept leadership for managing risk. Traditionally, organizations managed risk department-by-department, each viewing risk through their unique lens. Finance folks evaluate financial risk. Insurance folks manage insurable risk. Operations staff address systems, people, and mechanical risks. ERM views all forms of risk through the same overarching set of risk criteria. The criteria provide direction for integrating and balancing effort across the organization. My job is helping organizations identify and implement risk criteria that align with their goals, strategies, and objectives.
Just as emergency personnel in a hospital perform triage to determine the extent and priority of an injury, risk managers perform loss exposure analysis to prioritize organizational risks. Health organizations have benchmarks to prioritize treatment. They base treatment priority on criteria such as the health of a person, gender, age, cultural origin, and prior illnesses. Other organizations should have a similar blueprint of overall health, performance, and objectives for their enterprise. The organization must draw this understanding from the knowledge of senior and line managers, past performance, and projected future growth. By understanding this blueprint, the organization can identify performance variations arising from external events and pressures that they are willing to tolerate. This understanding establishes the “Risk Tolerance” for the organization, and becomes the basis for prioritizing risk exposures and treatments. Any event that threatens to trigger the risk tolerance threshold demands organizational response.
Even in a holistic risk management system, unit managers respond to problems to avoid costly and unmanageable outcomes. Any action that improves preparedness enhances organizational success. In holistic risk management, unit managers do not work in isolation. ERM improves communication between business units and breaks down barriers between silos. Organizations can support openness by ensuring appropriate resource allocation for risk management throughout the organization. ERM focuses on maximizing the overall benefits of risk management expenditures. Decision-makers must communicate and collaborate in the management of risks across all levels of the organization. This continued openness supports actions that are the basis of an ERM culture.
The Risk Manager and ERM
The leadership and openness of senior management promote the acceptance of the risk manager by existing business unit managers. The risk management role may be assumed by one person or a department, depending on the size and complexity of the organization. In any case, while the risk manager is working with departments across the organization, they should function independently from the normal operations of those units to ensure that day-to-day pressures do not bias their opinions and advice. The objective of the risk manager is identifying and prioritizing the various risks faced across the organization. The risk manager can then offer risk treatments that align with the organization’s strategic plans.
Working with All Levels of the Organization
The risk manager should have access to all levels of the organization, including the C-suite, line management, and individual workers. Access to the different levels of the organization allows the risk manager to establish a solid foundation to assess risk and response across the entire organization. The organization supports this access and analysis through transparent communication of the risk management goals. The risk manager applies these goals to prioritize, and respond to, organizational risks.
Senior management must be willing to take action and provide resources to support risk management goals. The risk manager will scan risks from external and internal sources to identify new threats and opportunities. The manager uses the results of this scanning to inform new risk management goals, with both line managers and the C-suite.
“Environment-related risks account for three of the top five risks by likelihood and four by impact”
Creating an ERM framework may seem complicated and expensive. Organizations can start by retaining specialist risk management services to aid in planning an ERM program. Establishing a holistic risk management program may be a large, multi-year project. So, organizations may focus on a more limited scope based on corporate objectives and evolving pressures on the organization. For example, the WEF Global Risk Report 2019 stated that “environmental risks accounted for three of the top five risks by likelihood and four of five in the impact scale”. Based on this observation, the organization may choose to focus on climate or environmental hazards as a starting point for their ERM program.
It is a Process
ERM is a continuous process. There is no “magic risk bullet.” No one measure will completely safeguard an organization. As the external and internal environments change, so too must the organization’s ERM policies and procedures. It is the risk manager’s job to stay on top of these changes to provide up-to-date risk management guidance to the organization. Assessment and scanning are only the beginning of the risk management process. Ultimately, ERM requires a cycle of identification, evaluation, analysis and reporting to support a robust and effective response to organizational risk.
We are Here to Help
We have many years of experience establishing
Feel free to contact us to discuss how we can help you with your risk management program.