“Risk management is not a profession… yet.”

Risk management means different things to different people. Some think of risk management in terms of the function of buying insurance. Others in the context of a broader notion of enterprise risk management (ERM). A few take the view that risk management is a combination of these two functions, or they might see risk managers as overseeing information security or crisis management.

The view of risk management varies in different organisations or industries. In the finance services industry, risk management is considered to be a profession, and is even required by legislation such as Basel II and III. All financial, insurance and reinsurance companies are properly equipped with risk management teams. For the rest of the corporate world, it depends on the country, the culture and even the size of the organisation. At many of the larger firms, risk management is seen as a profession. When you scale down in size, however, this is not necessarily the case.

Nevertheless, we are seeing the development of an official profession for specific angles of risk management. For example, consider the huge increase of cyber-related risk. Over the past eight to 10 years, we have seen an extraordinary development of information security and data privacy positions within organisations. These roles are now very well established, as is the role of chief information security officer. This is a position seen as one for a true risk professional, even if it is specialised in terms of data and security.

So, what will it take to make risk management a profession? This will be the case when a director or executive says, “for this risk management position, I need the person to have risk management certification”. This qualification needs to have been developed by a major risk management organisation, such as RIMS or PARIMA. It will be similar to the certifications we require of engineers, architects and lawyers, that clearly state minimum competency levels. We are not there yet with risk management.

However, we now have three major initiatives across the world with certifications being launched by RIMS in the USA, FERMA in Europe and PARIMA in Asia-Pacific. They aim to create an appropriate platform on which to make risk a profession. Of course, this is going to take some time and we need to ensure that this puts us at the right level of recognition. I would also like to see every business school in the world offer a proper risk management module, which is not yet the case.

PARIMA is being proactive in the pursuit of making risk a profession by reaching out to company executives and explaining what they should be expecting from their risk management team. This enables firms to perform their own gap assessments and ask what is missing from their risk capabilities. Occasionally, we are ‘helped’ by the major risk events across the world, namely terrorism, natural catastrophes or supply chain disasters, which raise awareness of the value of risk management. But it is not going to happen overnight.

Another way to persuade organisations to increase their risk capabilities is to introduce legislation. While I am not a fan of massive amounts of regulation, I believe that certain types can help organisations to become better equipped in terms of risk management. Enforced legislation after the financial crisis ensured that financial institutions became more strongly equipped with risk professionals. A couple of years ago, the government in Singapore also developed legislation that required every listed organisation to have an ERM process. So, legislation can be a real building block for making it happen.

As for when risk will be seen as a profession… as an optimistic person, I would say that in the next five years we should see some visible improvement. However, it is important to be realistic, so we can probably expect it to be closer to 10 years in the Asia-Pacific region.