Fewer than half of risk manager respondents to a StrategicRISK survey can boast a chief risk officer at senior management level. But if that dynamic is to change, risk professionals will need to adjust their outlook
As the world of risk becomes more complex and the drive for corporate transparency gathers pace, the case for having a chief risk officer in the boardroom is strengthening.
While some corporates see value in placing a risk lens on strategic business decisions, many still see risk management as a back-office, compliance function: “a handbrake to progress” at worst.
Only 42.3% of respondents to the Reporting Risk survey, completed by the StrategicRISK Advisory Panel, said that their board included a chief risk officer (or equivalent).
The figure makes sense to Greg McCoy, former managing director of Lockton Asia-Pacific. “For varying reasons, risk management is quite often regarded as an inhibitor, so 42% doesn’t surprise me. But it is very low and needs higher participation and much higher attribution by boards, much higher than 42%,” he says.
“What’s required is a broader understanding at the board level of what risk management really encompasses. It’s not just an insurance cost – it really is protection of events that could impact the very existence of the business – and that’s probably the biggest area where we have to get better at educating.”
One risk manager who counts herself “lucky” to have a board and senior management team engaged in risk management is Telstra chief risk officer Kate Hughes. “It’s a privilege to be involved in something that helps our executives make better decisions,” she says.
“That is the evolution of risk management – to take it out of the academic, out of the process, and make it much more part of the business conversation so that it actually adds value to the commercial decision-making challenge that your leader has.”
Lendlease group head of risk and insurance Kevin Bates holds a similar view. “Risk has a very high profile within Lendlease – it couldn’t have a higher profile,” he says. “I personally have to present to the Lendlease board on a quarterly basis, and the CRO sits on the global leadership team.”
The main thing the board is looking for from the risk and insurance function, he says, is that ownership of risk management is integrated within the business.
“The Lendlease view is that the risk and insurance function will help identify, mitigate, manage and insure risks, but the business owns the risk. So the best thing you can do is turn up to the board meeting hand-in-hand with a member of the business who owns the risk being discussed.
“If you’re doing it as a united front, the board can see that the risk and insurance team is across what they’re doing and adding value by allowing the team to focus on running the business.”
Bates says his team also works closely with the Lendlease strategy team. “It is about making sure that when the business is aiming to achieve its strategy, we’re working to mitigate the key risks as best we can so that we’re not the ‘handbrake to happiness’.”
Alvarez & Marsal senior adviser John Ludlow agrees that risk managers should work hand-in-hand with a company’s strategy team “to identify for boards the risks and opportunities in the business model, and in the wider ecosystem and economy where that business model resides”.
But he says most risk managers are too embedded in the operational and tactical risks of a business: “I don’t think risk managers are in the boardroom enough. They tend to talk to senior leadership teams and they come out with the risk registers and heat maps and have projects and plans to improve things, but that’s typically working with senior leaders in the business.”
Risk managers must move beyond this, Ludlow argues.
“The operational control framework and making sure that the business is repeatable, reliable and resilient is absolutely vital.
“But [risk managers’] true destiny surely lies in working with boards to help them understand how the business needs to adapt over the long term and what the company needs in terms of capabilities in the future so that it’s still resilient and successful and positioned well for that environment,” he says.
As risk managers move from an operational to tactical to strategic risk focus, then their perspective, audience and language need to change, he adds.
“At an operational level, you’re focused on the front line and you’re talking about the physical realities of life. When you step up to the tactical world – the world of senior managers – the language is going to change and what you’re trying to achieve is going to change; it’s a much more commercial world and money is the currency here. At the board level the audience is partners and investors, the focus is the business model and the currency is trust and reputation.”