As part of #ChangingRisk, I’d like more risk managers to report to the CEO, with access to the board, says Gaëtan Lefevre, group risk and insurance manager at Cockerill Maintenance & Ingénierie.
The risk manager role needs to evolve to better support business. That means that risk management cannot just be about evaluating risks, it must also be about understanding the strategic direction of a company and – critically – adding value.
For this to happen, it is critical that risk managers report into high level management, the CEO or CFO, for example. They need to be communicating with those at the top of a business and be having regular contact with decisions-makers.
Ideally, with this contact comes the creation of a new senior level role, such as chief risk officer (CRO). Risk managers are not yet at the top of the maturity curve and the challenge is to develop a specific role in the company.
Creating such a position is not easy because there may be internal challenges from other departments, but a CRO needs to have oversight of all the risks whether it is reputation or cyber risks.
Some industries are ahead of the curve on this, namely insurance or finance, where it’s mandatory to have a CRO. But for other sectors, fundamentally, it’s up to the company whether to employ or develop the CRO role. So, if an organisation doesn’t understand the strategic importance of good risk management – they’re unlikely to see the value of a c-suite risk role.
It is critical that risk managers start speaking the language of senior managers. They need to understand the business and in particular the company’s strategic direction.
To rise up the maturity curve, risk managers need to develop new activities that clearly demonstrate how risk management can add value to an organisation. They need to make sure that they are giving the right support and the right advice to the right people.
This means a change in the way that risk is communicated. You can no longer just say, “we need to do this (or not) because it avoids a risk, and I’m the risk manager and this is my job.”
You need to create your position even when you have the title and to convince your management that you add value.
This is so important. If you can’t show how your advice and support will create value in the company you are completely missing the challenge. You’re not framing your advice in a context that your c-suite and board will understand.
This is a huge change for many risk managers, who will need to develop the right skills and confidence to communicate this way. They’ll need to understand finances, corporate strategy, and to balance risks holistically against opportunities.
In the future I’d like to see more risk managers reporting to the CEO with access to the board. My dream is that all risk managers will play a central role in supporting the business. But to achieve this, risk managers need to stop thinking like risk managers and start thinking like the c-suite.