Eamonn Cunningham, former chief risk officer at Scentre Group and Westfield, debates the virtues of risk specialists versus management professionals moving into the field
There is no doubt that risk qualifications have relevance. Risk certification in some form is absolutely necessary for the profession to be seen as credible and meaningful. Risk managers will deeply expand their knowledge by having risk management credentials. Meanwhile, having those general management skills, perhaps from an MBA or equivalent, helps too. So what is more important?
Firstly, not enough can be said in praise of good old-fashioned experience of working in an organisation. It is that broad-based general experience that is drawn upon in times of need. Every risk manager’s day is different. Risk managers do not have this perfect set of procedures to automatically rely on every day. Risk managers must travel back into their body of experience when that curveball invariably comes their way.
Where risk qualifications are useful is in providing a structure and methodology around risk thinking. It starts risk managers off with a level of risk awareness and the ability to tap into those foundation principles. That is risk identification, assessment, treatment of the issue and reporting on it too. You will then repeat the cycle. That sense of structure is important because it should be used to train other risk professionals in an organisation too. This process can also be used for the executives or other employees in your organisation who need to better understand risk management thinking.
Unfortunately, in Australia there are a limited number of specific risk qualifications which can be pursued. You can attain qualifications around insurance and basic risk management. Most of the more valuable qualifications which are not that well known and fewer in number, focus on enterprise risk management. It is this area of professional development that can truly offer increased value add to organisations.
The risk qualifications versus non-risk experience debate is especially important when it comes to recruiting risk managers. Often what companies are looking for is someone to provide that perfect blend of experience and risk qualifications. Therein lies one of the dilemmas for the risk management industry as a whole. There are many risk managers in organisations who started off in that firm, but not in a risk role. Those people have transformed from something else, myself included. There are others who assume a risk management role with some background in very basic risk management with perhaps knowledge of insurance. The important thing is to transform these people into having a more broad-base risk management role from an insurance/basic risk role which often has more of a silo focus with a heavy emphasis on procurement of insurance.
I remain unsure if even well-informed HR people will automatically focus their search on appropriately qualified risk professionals from other organisations. They also do not have a full appreciation of what constitutes an appropriately credentialed candidate for a risk management role. So the thinking around the risk management recruitment process, to assist in enterprise value creation, has not yet evolved to an acceptable level. Therefore, it can often be about people simply being interested in the profession and then trying to prove their worth in a risk role.
As for the future of risk qualifications, there is definitely a fork in the road ahead of us. One of the directions in that fork might be towards more technical-specific training in risk, which I personally do not favour. The other fork in the road is to fuse to some extent risk management training with more broad-based sound general management experience. That is the approach that I favour and I do so because when you go to work for the day, you are not really sure what is going to be on your plate. Therefore, you will more likely rely on general management experience, combined with risk management principles, rather than having specific risk management training that you can utlilise in response to the wide range of unique challenges that risk presents.
You need to be well prepared in your response to risk related events that if, for example, when you have the inevitable cyber breach, you and the organisation have already regularly workshopped and time and time again tested the response plan.
Beyond this however, I am imagining a world in which CEOs and CFOs will look towards the most senior risk professional in their organisations to provide comprehensive risk related advice on broader matters. Those senior executives will call that senior risk professional into their office and the conversation might be ‘we are thinking about moving into this country’, or ‘we are thinking of moving into this new business’, or ‘disposing of this department’ – then asking ‘what is your (risk) perspective on this?’ Getting a well-informed, trusted risk adviser whispering in the ear of the CEO and informing them of what to look-out for – that is nirvana for me. You will get that from a risk professional who has been exposed to more general risk thinking, combined with a well developed understanding of general management principles.