The ability of a risk manager to influence their board and CEO is a vital cog in how they help manage the risks a firm faces says Geoffrey Au, head of risk, Zurich APAC
A risk manager needs to provide advice relative to the business context in order to be a trusted partner, which in turn relies on collaboration with other functions in the organisation to understand the business. Without the buy-in and support of the board and CEO, the risk manager’s ability to be embedded in the business and provide valued advice will be hampered.
So, how can a risk manager drive effective discussions? I believe there are four primary ways. Firstly, speak the business language instead of risk management jargon. Risk managers might find their jargon easy to understand, but it is the management and board that they are now addressing. By speaking in the business language, risk managers also get a more engaged and interested audience, as the risk highlighted would be discussed in terms of business impact.
Secondly, show an appreciation and understanding of the business and its commercial drivers. This shows to the CEO and management that the risk manager understands the opportunities and challenges the business faces, and is more open to listening to advice from the risk function.
Thirdly, provide actionable advice that is relevant to the business. This can help answer the ‘so what’ question, and demonstrates the value of risk management by providing mitigation action advice.
Fourthly, understanding the interests and drivers of different stakeholders will enable more effective communication and influencing, as you can phrase risks from their perspectives.
A structured way to discuss a risk is to break it down by vulnerability, trigger and consequence. Vulnerability refers to the underlying risk exposure, or what is at risk; trigger is what can cause the risk to manifest; and consequence is the impact of the risk. The advantage of dissecting into these three dimensions is that it enables a structure to understand the risk better and, more importantly, better facilitates a discussion of mitigation actions.
You can mitigate a risk by removing the vulnerability, preventing the trigger or minimising the consequence. Sometimes, the triggers are outside your control. For example, if you transport goods by air, then your risk triggers can be ash clouds or terrorist attacks – which you cannot control or manage. Dissecting the risk into the various dimensions allows you to focus on mitigating the other aspects of the risk: in this example, the vulnerability or consequence. Actions can include using high-speed rail transport instead of air to manage the vulnerability.
In general, removing the vulnerability would be the most effective, but usually also the most difficult because often the underlying vulnerability is the business itself. Minimising the consequence is the easiest, but technically the risk is not mitigated as we are only minimising the impact of the risk.
When presenting to the board or CEO, it is important to cover all the angles in terms of consequences, and that includes financial, strategic, and operational. As an example, when you consider a vendor, the procurement function would want to consider the cheapest option, which takes care of the financial aspect, but how about the risks from a strategic and operational perspective? For example, how would the vendor’s failure impact your organisation? Does your company understand the business continuity arrangements of these suppliers? Have these prepared before meeting the board so that you can offer the fullest impact possible during the discussions. It is important to not only understand the impact of the risks, but to provide advice on risk mitigation actions.
A risk manager should also anticipate questions from stakeholders and prepare answers ahead of meetings. The board will likely ask: “What does this mean for us?”, “How bad can it be?” and “What are other companies doing about it?”
Not all risks are the same when it comes to explaining them to the board. There are some areas and types of risk that risk managers are going to find harder to convince board members and senior decision-makers of their importance. For example, emerging risks with longerterm impact will be the hardest, as the impact of the risk is not yet felt. It will then be important for the risk manager to illustrate how these risks can impact the sustainability of the business.
At the other end of the spectrum, there will be risks where it will be far easier for risk managers to get a positive reply. For instance, risks that have materialised in competitors will be easiest to get sufficient attention from the board and senior management. Risk managers will be well served to have a full understanding of what competitors are doing on this front.
An effective risk manager needs to show they add value, and having a seat at the table is one of the best performance indicators in this regard. Colleagues will seek the advice of a risk manager if they believe their recommendations add value. If a risk manager can contribute to an organisation’s value creation, they can expect a fruitful long-term relationship with their board and CEO. This in turn will improve the overall risk management of the organisation, as well as the standing of the risk manager in the company.
Geoffrey Au, head of risk, Zurich APAC