These days, even a cursory scan of the headlines brings fresh reminders of risk, from the ramifications of climate change to shocking terror attacks. Now, more than ever, companies need risk managers. Paradoxically, however, the new ubiquity of risk threatens the relevance of the Enterprise Risk Management (ERM) function within large companies. Senior leaders know well that in an ever more perilous world, it’s impossible to do business if you’re always risk-averse.
To stay relevant in this new world, risk managers must shed their reputation as naysayers waving compliance-driven paperwork. Applying risk-averse tools and mindsets to corporate decisions already made is a far less effective approach than bringing a holistic understanding of risk to bear on the decision-making process itself. At a recent panel discussion titled “Why Should We Bother About Risk Management?” (part of the INSEAD Risk Management Breakfast Series), Kelvin Wu and Franck Baron, managers at medical assistance firm International SOS, described the skills and roles risk managers must master in order to add value to their organizations.
Triggering tough conversations
Cutting-edge data visualization technology enables managers to distil hundreds of global risk factors into an arresting and immediately intelligible visual. But impressive graphics alone are unlikely to win stakeholder buy-in. Instead of relying on models like these to persuade people, Wu advocates deploying them strategically as part of a larger rhetorical appeal. “You use ERM the way a drunkard would use a lamppost: not for illumination but for support,” he said.
For example, Wu prefers to perform risk assessment dialogues in two stages: a one-on-one session with each stakeholder to get an unfiltered take, -followed by a group meeting where participants can see all the responses. “It can be done in an anonymous way; straight away, you can see the disparity of views on the same risk” and the need for alignment, Wu said.
Similarly, risk managers should be ready to grab opportunities to get their agenda heard. Transactional events such as insurance renewals and procurement contract negotiations can provide the optimal moment to trigger a conversation with senior leaders or pivotal stakeholders. The real value of ERM frameworks, according to Wu, is that they facilitate the tough conversations nobody else in the organization wants to be the one to start. The paperwork itself is not much more than a pretext.
“Risk managers bring together the various stakeholders that could deal with a crisis,” Wu said. “It’s very unlikely that you’ll know better than front-end people. What you can do is make sure that the operations guy is talking to the HR person so that the staff is taken care of, that the financial controller knows to trigger emergency credit lines, etc.”
It’s everybody’s problem
As risk factors become more numerous and complicated, exposure spreads across the various levels and branches of the organization. It’s the risk manager’s job to monitor exposure and assess risk appetite at every link in the chain. For that reason, Franck Baron believes the role of risk manager is one of the most cross-functional in the entire organization. “You need to know how to speak finance with finance, legal with legal,” said Baron. Managers should be savvy about how networks actually operate at their company, realizing that the organisational chart often doesn’t tell the whole story.
Baron believes the introduction of a chief risk officer position at many companies has been a mixed blessing, because it can unintentionally signal to the other senior leaders that risk isn’t also their concern. Risk managers need to be sending exactly the opposite message.
Putting this message across can be as simple as choosing the right story to tell and learning to tell it vividly. Unfortunately, there is no shortage of real-life cautionary tales to draw from. In the past few years, there have been all too many examples of companies made to suffer because of unforeseen risks. Good storytelling helps to clear away the schadenfreude around such cases so employees can learn from them. As Baron said, “We tend to think that because we have certain processes in place, nothing will happen. We need to bring it back to people’s behavior.”
As INSEAD professor Gilles Hilary wrote recently, human risk managers needn’t fear being replaced by machines, despite the increasing sophistication of algorithmic analysis. Computers may be faster and better than humans at manipulating enormous datasets, but data alone don’t influence human decision-making. A good story makes data meaningful and actionable.
Even if risk managers are performing flawlessly, the rest of the organization may not recognize their work. Theirs is perhaps the only role where, if all goes well, nothing happens – at least in theory. However, even if mishaps do occur, flawed risk management may not be to blame.
“You can have many [insurance] claims and still do a good job, but it’s not because you had zero claims that you did a good job,” Baron said. Rather than KPIs tied to business outcomes, risk managers should be assessed on their execution of a strategic agenda. In addition, Baron said that risk managers should be involved in shaping KPIs for the entire organization, not just their own. “The way we are measuring the performance of people may lead to the wrong behavior…We should go beyond compliance. Let’s make sure we continue to be risk-agile.”