The basics of risks in the Extended Enterprise have now been included in IRM’s Level 1 Enterprise Risk Management Exam Curriculum. In this interconnected world, risk capability matters: the capabilities (technical skills, knowledge and leadership competencies) of the individuals and the collective group responsible for managing risk, plus the relationships within and outside organisations, can determine just how successful a company is.
As a result, many organisations and individuals are now reflecting on the capabilities required for successful risk management, whether for the operation as a whole or for the individuals responsible for ensuring companies manage risk effectively.
Let’s look at the capabilities and competencies required to manage risk effectively within a company and, importantly, in the more complex world of the extended enterprise. We will also consider the other key roles that are significant in ensuring appropriate management of risk, and the capabilities each group should demonstrate.
Role, responsibility and relationship to risk
Effective risk management is not achieved purely by the independent risk management function. However good that function is, it needs to work in collaboration with key stakeholders internally and externally to achieve the mature risk culture that companies are now striving for. Each group of stakeholders has its own risk responsibilities, but also its own risk perspective, knowledge and perceptions.
1. The Board: The role of the Board is to advise and guide the Executive team in their development and execution of strategy. As well as the financial stability of the organisation, they must now consider the risk that the business is subject to, from not grasping commercial opportunities and as a consequence losing market share, to the extension of relationships that could bring the organisation into disrepute. At the same time, they should not overstep the boundaries of their advisory remit and interfere in the day-to-day operational running of the business. As business complexity has increased and, with it, expectations of appropriate governance, a balanced Board with individuals demonstrating the right competencies, or characteristics, is now regarded as a necessity for effective risk management. A recent report published by the Korn/Ferry Institute, which asked “What Makes an Exceptional Independent Non-Executive Director?”, reviewed and updated research on the same topic carried out seven years previously. Along with confirmation that the core characteristics identified in the original report remained, the updated study noted three new essential skills: an understanding of risk, finance and technology. To quote directly from the report, “mastering the complexity of risk is now considered elementary for Boards operating in the post-crisis era”. The core non-executive director characteristics identified in the Korn/Ferry Institute’s paper were:
- Independence, courage and integrity.
- Challenging and supportive.
- Thoughtful communication.
- Breadth of experience.
2. The Executive Leadership Team: In a mature risk culture, everyone is responsible for the risk management of the business. This means doing the right thing and not putting the business at risk in the broadest sense. It is the role of the Executive leadership to ensure this culture is maintained and that all understand their collective and individual obligations. They empower their risk management team to partner with the business to ensure the right risk/reward balance is struck but they hold ultimate risk responsibility.
In a mature risk culture, each individual within the business understands their contribution including their risk management responsibilities. Collectively, the organisation can think long-term and strategically about the business challenges in the future and put in place plans to mitigate longer-term risk issues through strategic redirection. This is in addition to the risk management processes which ensure day-to-day risk mitigation. To achieve this, the Executive leadership needs to think beyond the quarterly financial reports that drive much of the corporate environment. As individual leaders, they may demonstrate some of the behaviours, values and competencies detailed in Developing Organisational Capability in risk management for the partners in risk management.
However, there are additional considerations for leadership in the complex environment created by the 21st-century company:
- Evaluating long-term value over short-term financial gain.
- Ensuring equal value (role/power/money) is placed on commercial risk management and revenue drivers.
- The ability to empower all direct reports to operate in a mature risk environment.
- The willingness to hear and act on challenges.
3. The Senior Risk Leader And His/Her Team: For this blog, we will assume that the senior risk leader is responsible for enterprise risk management as a CRO, head of enterprise risk management or head of risk. There are companies where several senior individuals collectively take the executive responsibility for independent risk management, but an increasing number are appointing one individual to be responsible across the entire organisation or business division. Success requires a desire for understanding and risk maturity on the part of the Board and the business leaders and, of course, an individual capable of fulfilling the head of enterprise risk/CRO role. This is a significant and increasingly complex role requiring technical breadth, worldly wisdom, stature and the ability to influence as well as communicate succinctly and with clarity.
The risk team forms the backbone of effective risk management, working in partnership across the extended enterprise. Organisations require both “high potentials” to succeed bosses when they move on, as well as “high professionals” who constantly ensure the organisation is kept safe.
4. Regulators Or External Stakeholders: The external stakeholders have their role to play in ensuring risk is managed appropriately and not necessarily only from their perspective; balance is key. There is now a myriad of stakeholders that a company can and does engage with, and they in turn engage with a host of others, including regulators, customers, suppliers and shareholders. All can have a profound impact, positively or less so. Where companies are over-regulated, they may seek routes to keep costs down because they have a duty to other stakeholders (shareholders and customers) to maintain costs at a certain level. The outsourcing of processes has been extremely popular but does not always bring cost savings over the longer term and can certainly increase risks if not managed correctly. Customers can demand increasing cost savings; responding to this and the competitive landscape, companies may choose to adopt a cost-driven supply chain strategy. The results are short-lived but the reputational damage is much harder to fix.
5. Risk Management Capabilities Within The Organisation: The risk leader needs to blend technical depth and, increasingly, breadth with interpersonal and leadership skills to manage the risk team as well as the relationship with internal and external stakeholders. The risk leader relies on the broader team in the delivery of this objective, and they are collectively supported in this by technical skills and knowledge, behaviours and competencies. Figure 9.1 explores the capabilities required within an independent risk management team. The core blocks of technical skills and relevant knowledge of the industry and of the company are shared across the risk function, but some individuals will be deeper experts than others. In developing a mature risk team, a risk leader should look to develop “utility players”, i.e. those individuals who have the potential and are capable of moving from one technical area to another. At the same time, the importance of technical specialists should not be underestimated. They are the guardians of risk management who ensure that frameworks, policies and processes remain at the forefront of industry standards and are fitting to the business in all of its operations. Behaviours and values are the personal traits that should be shared across the function; they operate as the code of practice for risk management and some may have greater emphasis at different times depending on the sophistication of risk management.
The competencies that are required change. As an individual advances through their career and their level of experience grows, other competencies are learnt and developed which enable further progression. As an individual takes on another position, different role responsibilities need different competencies and previous competencies become lessons learnt rather than currently required. Figure 1.1 illustrates competencies most relevant when working as an individual risk manager (Managing Self), when managing a team (Managing Others) and as the risk leader (Managing Enterprise).
In conclusion, the Board and risk practitioner should be comfortable they can answer the following:
- Are the required risk roles across the extended enterprise identified and resourced correctly?
- Are the risk leaders and team capabilities understood and aligned to the challenges of managing risk across the extended enterprise?
- Does the Board understand and periodically review the risk capabilities of its organisation?