The risk manager’s job is no longer about risk defence

The risk manager’s role is fast-evolving to meet the changing needs of businesses. The change is driven by two main trends.

The first is digital disruption. Globalisation coupled with greater interconnectivity are changing the way in which companies operate and so risk managers will need to assess the risks associated with these new business models.

By way of example, many companies are moving away from being a sole-manufacturer to being service or platform providers. But when businesses make this transition, they suddenly develop global connections. This is creating a rupture in the way we manage risk.

Technology might be global, but from a legal point of view, regulations are not global. This means that there is an increase in the compliance burden on organisations.

Keeping pace with the changing regulatory environment is critical. Large global companies must be fully compliant with the law, otherwise they put their top directors at risk.

This leads to the second trend: digital disruption and the added regulatory burdens. This adds a new layer of risks, which are closely linked to business strategy.

We are facing a paradigm shift. Risk management cannot be defensive anymore. Risk management must support the businesses and should be at the root of organisational strategy.

Of course, at the same time, risk managers must still manage the traditional historic risks like fire, flood, storm, and staff health. But on top of this, they need to find a way to be closer to the c-suite.

Risk managers must increase their contributions to the strategic decision-making. They need to ensure that when a company decides to go a in a new direction, this is done through balancing the risk and knowing what is at stake in terms of liability, supply chain and the skills in the organisation.

To achieve this, risk managers need to be connected to board members, whether that’s the CFO or COO or CEO. If a risk manager is too far below the board or if they are isolated they cannot assess strategic risks until after decisions have been made – which is often too late.

This changes the role of the risk manager. Being connected means that risk managers don’t necessarily need to be an expert in all risks, but they do need to be able to interface with senior management and build a trusted relationship.

The best way to achieve this is to increase the resources of the risk management team. This means you can keep all the experts but introduce a management position at a higher level whose job it is to communicate the risks to the board.

Before going to the board, it can be useful to create a governance committee where experts evaluate the risks that a business is facing. Then, when risk managers do go to the c-suite, they can say to the execs and non-execs – here are the top five risks, and we’ve worked out the priorities and actions required.

This kind of model is not always in place. We’re seeing more progress, but creating this structure requires understanding from senior management of the real value of risk management. The c-suite needs to know that they must invest in risk management – both in people and in prevention policy.

One thing that is driving better understanding of risks on boards is the societal expectation across the world that companies will do good.

This has created a climate of corporate responsibility, which is giving risk management a new lease of life. The education of board members has changed so much in the last five or ten years because now there are rating agencies and CSR and all this dynamic is pushing for better risk management. But this can’t be just communication about the importance of risk, it has to have real budget behind it.

And because society expects that a company will not create risk, there are rewards for businesses that have strong risk management even if their end product becomes a little more expensive.

It’s important to understand the world globally and the match the expectations of the young people that own society. People expect companies to be fair and not only making money. This is something which helps risk management to be embedded in the whole of the company.