‘Everybody is a risk manager’: Risk shifts to executive domain

Companies are more regularly moving risk management programmes back to their senior management and business units, according to the 2017 Risk in Review study by PwC.

The study, which gathered responses from 1,581 corporate officers across 80 countries, stated that an organisation has three lines of defence around risk management: the first line is the senior management and business units, the second line is the risk and compliance functions, and the third line is internal audit.

Nearly two-thirds (63%) of the study’s respondents said they were shifting more risk management responsibilities to the ‘first line’ to make their companies more agile — that is, better at anticipating and mitigating risk events — and 46% have plans to further this shift within the next three years.

So how does this transition impact risk managers?

“This development goes along with the growing maturity of an enterprise risk management programme,” Franck Baron, group general manager risk management and insurance at International SOS told StrategicRISK.

“It usually starts at group or corporate level where the central risk team defines the framework agreed at EXCO and board level. This is then rolled out in the regions and local business units in order to become an operational tool for regional leaders and an escalation tool for reporting risk exposures to the top.

“At the end of the day, risk management should be seen as a facet of each and every manager’s job. This study’s trend illustrates the fact that everybody is a risk manager,” Baron added.

Gordon Song, head of group risk and internal audit at Lazada Group, said the transition in the study is what risk managers have been preaching from the start, that risks can only be managed if they are owned.

“Ownership means better accountability and decision making. If these statistics are representative, then it is indeed a positive development,” he said.

“This does not mean less work for risk managers. In fact, it is the complete opposite. This development will mean more time for risk managers engaging with senior management to discuss risk issues.”

Song said the development will also mean risk managers are more often “reaching down to the ground” to educate and collect input and feedback.

 “Risk managers can now write impactful ‘sense making’ risk reports that reflect risks from the ground but yet facilitate senior management decision making around these risks. All in all, gone are the days of ‘behind-the-desk’ risk managers,” added Song.