These days, even a cursory scan of the headlines brings fresh reminders of risk, from the ramifications of climate change to shocking terror events such as the recent attack on Paris by Islamic State. Now more than ever, companies need risk managers. Paradoxically, however, the new ubiquity of risk threatens the relevance of the enterprise risk management (ERM) function within large companies. Senior leaders know well that in an ever more perilous world, it’s impossible to do business if you’re always risk-averse.
To stay relevant in this new world, risk managers must shed their reputation as naysayers waving compliance-driven paperwork. Applying risk-averse tools and mindsets to corporate decisions already made is a far less effective approach than bringing a holistic understanding of risk to bear on the decision-making process itself. At a recent panel discussion titled “Why Should We Bother About Risk Management?”, Kelvin Wu and Franck Baron, managers at medical assistance firm International SOS, described the skills and roles risk managers must master in order to add value to their organisations.
Triggering tough conversations
Cutting-edge data visualisation technology enables managers to distill hundreds of global risk factors into an arresting and immediately intelligible visual. But impressive graphics alone are unlikely to win stakeholder buy-in. Instead of relying on models like these to persuade people, Kelvin Wu advocates deploying them strategically as part of a larger rhetorical appeal. “You use ERM the way a drunkard would use a lamppost: not for illumination but for support”, he said.
For example, Wu prefers to perform risk assessment dialogues in two stages: a one-on-one session with each stakeholder to get an unfiltered take, followed by a group meeting where participants can see all the responses. “It can be done in an anonymous way; straight away you can see the disparity of views on the same risk” and the need for alignment, Wu said.
Similarly, risk managers should be ready to grab opportunities to get their agenda heard. Transactional events such as insurance renewals and procurement contract negotiations can provide the optimal moment to trigger a conversation with senior leaders or pivotal stakeholders. The real value of ERM frameworks, according to Wu, is that they facilitate the tough conversations nobody else in the organisation wants to be the one to start. The paperwork itself is not much more than a pretext.
“Risk managers bring together the various stakeholders that could deal with a crisis”, Wu said. “It’s very unlikely that you’ll know better than front-end people. What you can do is make sure that the operations guy is talking to the HR person so that the staff is taken care of, that the financial controller knows to trigger emergency credit lines, etc.”
It’s everybody’s problem
As risk factors become more numerous and complicated, exposure spreads across the various levels and branches of the organisation. It’s the risk manager’s job to monitor exposure and assess risk appetite at every link in the chain. For that reason, Franck Baron believes the role of risk manager is one of the most cross-functional in the entire organisation. “You need to know how to speak finance with finance, legal with legal”, said Baron. Managers should be savvy about how networks actually operate at their company, realising that the organisational chart often doesn’t tell the whole story.
Baron believes the introduction of a Chief Risk Officer position at many companies has been a mixed blessing, because it can unintentionally signal to the other senior leaders that risk isn’t also their concern. Risk managers need to be sending the exact opposite message.
Telling your story
Putting this message across can be as simple as choosing the right story to tell, and learning to tell it vividly. Unfortunately, there is no shortage of real-life cautionary tales to draw from. In the last few years, there have been all too many examples of companies made to suffer because of unforeseen risks. Good storytelling helps to clear away the schadenfreude around such cases so that employees can learn from them. As Baron said, “We tend to think that because we have certain processes in place, nothing will happen. We need to bring it back to people’s behaviour.”
As INSEAD professor Gilles Hilary wrote recently human risk managers needn’t fear being replaced by machines, despite the increasing sophistication of algorithmic analysis. Computers may be faster and better than humans at manipulating enormous datasets, but data alone don’t influence human decision making. A good story makes data meaningful and actionable.
Even if risk managers are performing flawlessly, their work may not be recognised by the rest of the organisation. Theirs is perhaps the only role where if all goes well, nothing happens—at least in theory. However, even if mishaps do occur, flawed risk management may not be to blame. “You can have many [insurance] claims and still do a good job, but it’s not because you had zero claims that you did a good job”, Baron said. Rather than KPIs tied to business outcomes, risk managers should be assessed on their execution of a strategic agenda: the number of stakeholders they’ve engaged, how many reporting structures they’ve enacted, etc.
In addition, Baron said that risk managers should be involved in shaping KPIs for the entire organisation, not just their own. “The way we are measuring the performance of people may lead to the wrong behaviour…We should go beyond compliance. Let’s make sure we continue to be risk-agile.”
Giles Hillary is an INSEAD Professor of Accounting and Control and The Mubadala Chaired Professor in Corporate Governance and Strategy. He is also a contributing faculty member to the INSEAD Corporate Governance Initiative.