Issue 07 / October 2015
As the importance of organisational risk management grows, risk managers are often asked to contribute advice and ideas on a host of complex (and often interconnected) threats, encompassing political, economic, technological, governmental, legal and regulatory risks.
This is compelling risk managers to revise their skill sets and reinvent their roles. At the same time, boards are increasingly calling for greater engagement from executives involved in risk oversight.
Risk managers have to take a risk themselves and become optimistic, well-informed risk takers.
For example, in a recent survey of over 1,000 companies – 2015 Report on the Current State of Enterprise Risk Management by North Carolina State University on behalf of the American Institute of Certified Public Accountants – a third of organisations indicated that they have a designated individual to serve as a chief risk officer (CRO) or equivalent. Forty-five per cent also indicated that they have a management level risk committee.
More worryingly, a majority of the firms also indicated that their risk management activities are not important strategic tools.
Furthermore, only about one-half of the survey respondents – who were mainly chief financial officers and equivalent board level executives – said that existing risk exposures are considered when evaluating new strategic initiatives.
Given these startling results – which indicate that organisations are struggling to integrate their risk oversight efforts with their strategic planning process – it would appear that significant opportunities exist for organisations to strengthen their approaches to identifying and assessing key risks and coordinating these efforts with strategic decision making.
Improving companies' decision-making processhttp://www.resilience.willis.com/articles/2015/09/17/how-risk-managers-are-supporting-c-suite/
We would argue that the risk manager is in a unique and privileged position within the organisation to drive these efforts forward.
Far from being aligned solely with compliance and loss prevention, with little connection to strategy and value creation, we believe that risk managers and their teams can be an effective and important input to the strategic planning process.
Fortunately it appears that the evolution towards strategic risk management is already underway. The first step in the process is to establish risk leadership and accountabilities at the board and senior management levels.
As we have seen, this is already underway in many organisations, but the question for risk managers themselves is how best to align their activities, initiatives and programmes to ensure that risk management is an important strategic tool, which provides risk insights that inform strategy.
In this article we seek to share some insights from Willis colleagues around the world into how we see the risk management profession evolving and to highlight some of the opportunities that we see to enhance the strategic value of the role.
Unfortunately the rapid pace of change and broadening set of risks in the global business environment presents many challenges to even the most highly evolved risk manager. Globalisation, supply chain complexity, crossborder regulation and greater reliance on IT has created a greater interconnectedness between companies’ exposures – with risks (ostensibly belonging to one category and/or region) increasingly ‘spilling’ into other risk categories and regions.
For example, risk professionals are less worried about a big fire on their own premises than one on the premises of a business they know nothing about. A manufacturing plant burning down on the other side of the world might have huge implications not just for their supply chain, but also their company’s reputation.
“When facing threats such as currency wars, Isis and Ebola, risk managers can’t hide behind their traditional responsibilities. They have to be honest about the scope of traditional insurance programmes to cope with these broader risks,” says Paul Merlino, managing director, Global Solutions (International), Willis.
“Reputational risk, for example, is certainly growing fast – as evidenced by the number of incidents involving household-name companies – and is a massive exposure but it is often linked to other areas and risks such as cyber and product liability,” explains Danita Cole Medved,executive vice-president, global client advocate, Risk Solutions for Willis of Wisconsin.
“A data breach not dealt with properly and quickly, or bodily injury or death claims associated with a product, causes serious damage to a brand. The same is true with a product recall.”
One way for risk managers to add greater value, and eventually increase their influence at C-suite level, is to break down organisational silos and demonstrate the value risk management can bring to the wider organisation.
Boards increasingly expect much greater communication and cooperation between the different types of risk management within companies – such as financial, health and safety and security, says Geoff Taylor, executive vice-president, Willis Insurance Services of California.
“Risk managers therefore need to cultivate an enterprise-wide view of risk if they’re going to be of value to the board,” adds Taylor.
“The goal should be to encourage each part of the business to develop and communicate its own insights into the risks it poses to the business as a whole and set that alongside the organisation’s risk tolerance.”
The question for risk managers is how best to align their initiatives and programmes to ensure that risk management is an important strategic tool.
According to the AICPA study cited earlier, almost two thirds (60%) of organisations do not provide or provide only minimal training and guidance on risk management. Providing some basic training and education around the risk management process would help firms to build a more robust and effective enterprise-wide approach. Furthermore, identifying ways of linking risk management into compensation structures would help incentivise proactive management of risks.
Risk managers’ thinking will reach into all parts of their organisation in time, including, for example, human resources (HR), says Peter S. Philipp, managing director of Willis Global Solutions in Zurich.
“The HR department is definitely important. Risk managers may already be speaking to HR about accident and health insurance policies, but this is only one aspect of human capital risks that bears on the balance sheet.”
Duncan Holmes, head of global client engagement & global client advocate in the Financial Institutions Group, agrees. “Managing people as an asset to a business is increasingly a board-level issue.
"The risk manager has traditionally brought some value to this area with personal accident insurance and employee benefits programmes, but the whole human element of retaining and looking after talent is a risk that needs to be understood and managed much better.
“For example, the risks of not having enough diversity among your workforce or having an unfit workforce through to the costs of human errors in the workplace, are all areas where risk managers could work more closely with HR professionals to cut costs, and improve wellbeing and productivity.”
Boards no longer automatically expect a risk transfer solution to every potential problem, says Holmes. “Though we are in a riskier world, there is an expectation that risk professionals have got a handle on insurable risks and can control them or create the right responses to them.”
Though this can present some challenges, it also presents opportunities for risk managers looking to forge a more expansive, entrepreneurial role, says Taylor. “When working with business strategists you often see an interesting dichotomy between gloomy analysts and optimistic entrepreneurs, and the risk manager has to be careful about where they position themselves in those discussions.
“The voice of caution is not always welcome but it is very easy for the risk manager to be perceived as such. They have to learn to take a risk themselves and become what I would call optimistic, well-informed risk takers.
"Strategy tends to be all about growth and development, and adding value to those discussions is not about being a decision-taker but a decision-enabler,” says Taylor.
Why more needs to be donehttp://www.resilience.willis.com/articles/2015/09/29/why-risk-managers-must-keep-pace-changing-risk-env/
“The key to gaining a seat at the table from the outset when key strategic decisions are made is to accept that risk is not necessarily a bad thing,” adds Cole Medved.
“However, to successfully accept risk as part of business strategy, a company must understand that risk and then establish its tolerance to that risk – this is where risk managers can add value above all other company functions.”
However, though risk managers undoubtedly have the appropriate knowledge to add value to senior-level strategic decision making, do they have the right mix of skills?
In order to deliver effective strategic advice, risk managers must continue to develop their skills, says Philipp. “The risk management profession needs a new generation of people joining with financial skills, HR skills and strong financial capabilities from the economic side, not just the insurance side.
"There is a danger that traditional risk assessment and transfer skills could disappear, but this shouldn’t happen if they focus on key issues around financial output and return on investment.”
Risk managers need to cultivate an enterprise-wide view of risk if they’re going to be of value to the board.
Holmes also feels that the next generation of risk managers will need to have a broader, more analytical mindset and a deeper understanding of technology. “It won’t just be about technical skills, however, as future risk managers will really have to be able to interact with the C-suite and operate at the highest levels of a business in order to make a broader impact.”
A marriage of high-level analytical skills with an easy manner at senior levels is a key component of successful risk management, says Jennifer Caldarella, regional partner for Willis in New York.
“Risk managers will need to be able to ‘manage up’ effectively. Much of this will be by demonstrating their ability to understand and analyse financial data, but it will also be about speaking the language of the CEO and CFO.”
While in the past some risk managers might have relied a little too much on gut feeling to make some decisions, they are now almost always required to back up their instincts with solid evidence, which means embracing data and analytics. With analytical tools, risk managers can make use of the vast amounts of information and data that their businesses generate to drive risk thinking throughout the organisation.
Helping you to know where you are going and the best path to takehttp://www.resilience.willis.com/articles/2015/09/29/why-firm-knowledge-risk-tolerance-can-be-risk-mana/
“If risk managers can do that, then strategy directors and other board members – in addition to the treasury and chief financial officer – will look to them for advice,” says Merlino.
People with actuarial backgrounds will come into risk management and use their skills to carry out more analysis of losses, says Merlino. “This will lead to a greater confidence in self-insurance, so the insurance market becomes only one of many possible solutions.
"As data quality, aggregation and assessment improves, companies will increasingly be able to make an informed decision not to buy insurance, based on a clear understanding of the benefits that brings to the balance sheet.”
If the risk manager of the future takes on a sophisticated, strategic advisory role within major corporations, what will happen to their relationship with the insurance market?
“Today’s C-suites often have a greater tolerance for risk retention than in the past, when risk transfer might have been a preferred solution,” says Caldarella.
“But there is potentially a disconnect here as it is currently very cost-effective to transfer risk. It is possible to reconcile this contradiction, by exploring possibilities such as pushing up retentions and, at the same time, extending coverage to areas that traditionally haven’t been transferred.”
Risk managers should avoid eroding their own positions, says Taylor. “Don’t hand over some insurance purchasing to procurement because they will go for the cheapest option. Risk managers have an important role in explaining the value in the insurance transaction; procurement can certainly help with the process, the systems, the assessment etc., but they should not make the final decision on price alone.”
“After all, this wouldn’t be allowed to happen in other parts of the business where a service and expertise is being bought,” Taylor adds.
In the US and Europe, risk manager associations are striving to professionalise risk management through certification. But the risk management profession is in transition and, as yet, it’s hard for anyone to predict with absolute certainty how the risk manager role will eventually be defined.
For the foreseeable future, at least, it looks as if a risk manager’s role will be just as hard to pin down as the diverse set of risks they manage.
For many big corporations, the title of chief risk officer has come to embody the individual that best combines the skills of a financial engineer with those of a futurist and a diplomat. Strategic risk managers are always looking around the corner for the next big risk and evaluating the potential impact that risk may have on an organisation’s financial goals.
This type of insight is perhaps the most valuable, as evidenced by CEOs increasingly turning to strategic risk managers for meaningful advice and ideas around emerging threats that require a high level of analysis due to their complexity and interconnectedness.
Whatever challenges organisations face in future, by focusing on broader, strategic objectives, adopting a more entrepreneurial approach, working more closely with other internal stakeholders and adopting a more analytical approach, risk managers will be able to step up.
In the years ahead, we believe the firms who master risk will gain a competitive advantage by unlocking their growth potential and investing strategically in the future.
Christine LaSala works closely with the leadership of Willis North America focusing on business development and expanding Willis’s footprint in the marketplace while helping Willis build a strong and vibrant client advocacy capability throughout the firm.
Willis Group Holdings plc is a leading global risk advisor, insurance and reinsurance broker. With roots dating to 1828, Willis operates today on every continent with more than 18,000 employees in over 400 offices. Willis offers its clients superior expertise, teamwork, innovation and market-leading products and professional services in risk management and transfer. Our experts rank among the world’s leading authorities on analytics, modelling and mitigation strategies at the intersection of global commerce and extreme events.Find more information at our website, www.willis.com
Resilience is the risk management magazine from Willis for business leaders around the world. Each issue explores the latest trends and issues facing multinational businesses as they compete in an increasingly dynamic and interconnected threat landscape.Subscribe today.