This post first appeared on Risk Management Magazine. Read the original article.
If there was ever a time to get the most out of risk management and insurance, it is now. The COVID-19 pandemic has forced operational shutdowns, lay-offs, project cancellations and major supply chain reorganizations. It has also pushed companies to shift spending toward parts of the business that need immediate funds to either thrive or survive.
Risk professionals have been at the heart of these
processes, yet it is still common for boards and risk committees to overlook
their skills, expertise and experience and view the role of risk professionals
in narrow terms.
Furthermore, executives and risk committees tend to overlook
the contribution they themselves can make to risk discussions by failing to
share insights gained through their collective corporate and cross-industry
experiences. After all, many committee members have extensive backgrounds as
corporate executives. As such, they may have been involved in setting the risk
appetite and reviewing risk management frameworks and processes for other
enterprises and have valuable lessons to share for yours. A close relationship
with the risk committee can also provide risk professionals with access to
members’ networks and contacts.
Taking advantage of these resources and experience and
developing an understanding of what motivates the committee will also help risk
professionals develop risk plans.
“If risk managers want to take the relationship they have
with the risk committee and the board further, they need to know who they are
dealing with and what makes them tick,” said John Drummond, chair of business
consultancy Corporate Culture. “Once they do that, they can then tap into that
experience.”
Basic research can help get the ball rolling. “Look at their
CVs and what directorships they hold or have held,” said Val Jonas, CEO of
business consultancy Risk Decisions. “Use that information to ask individual
committee members for their input by directly addressing them on particular
issues that you think will be relevant to them. You can then open up the
conversation to the rest of the committee to see if they want to add anything.”
Collaboration and Conversation
Experts believe there are currently problems with the risk
committee relationship because traditional risk reporting and interactions
between risk managers and executives have become too formulaic. Risk managers
discuss a pre-approved risk plan in front of a committee, wait for feedback,
and then go off and do what they are mandated to do—sometimes without challenge
or further input. In the post-COVID world, a check-the-box approach will not be
effective, if it ever was.
“Too often, risk reporting is simply what it sounds like: A
head of risk gives an update on the key risks to the business and what steps
the function has taken to minimize or control them, then leaves,” Jonas said.
“Risk management has much more to offer than risk reporting. Meetings with
executives are an opportunity to demonstrate this, as well as find out what
boards actually want from the risk function in the long run.”
Risk professionals should ask executives about their goals
for the risk management function and how they would like to see it evolve in
the next few years. “There is a real opportunity for the risk committee, for
example, to work with the risk manager and ask him or her to set out what their
vision is for the function—how risk management can expand its role; provide
wider, deeper and better assurance; help support the overall strategy
implementation; get involved in new areas and so on,” she said. “Such
conversations would help transform risk management into a much more proactive
and strategic force within the organization.”
Jonas believes that the COVID-19 pandemic could provide the
risk management profession with an opportunity to assert itself. “Risk has
never been so high on a board’s agenda,” she said. “Companies have had to think
fast and act fast due to COVID-19, and these strange circumstances have given
risk management a unique opportunity to show its strengths. Heads of risk need
to capitalize on this to showcase what they can do.”
Given this, risk managers must be prepared to steer the conversation
to work toward a deeper and closer partnership. She suggested that risk
professionals start by asking members questions or directly soliciting their
opinions if they are not engaging or pressing for more details. “As the head of
the risk function, it is your responsibility to try to come away from any
meeting with the board or the risk committee with the answers and help you
want,” she said.
Risk managers need to push for a “one to-one relationship”
with the members of the risk committee. “The conversation needs to be ongoing
and should not be limited to a brief meeting every three months,” said Julianna
Forsyth, senior vice president for risk management at Marsh Commercial. “CROs
need to be more forceful about making other appointments—even informally—with
individuals from the committee to discuss risk topics, share ideas, talk about
difficulties such as resourcing issues, and get a better feel for what they
want from the function. More frequent email exchanges and even
video-conferencing would be helpful, too.”
It is important “to create a dialogue with the risk
committee rather than just go and reel off a list of risks and controls as a
one-sided conversation,” said Nick Watson, corporate and commercial partner at
Keystone Law. Risk professionals should also take care not to re-tread old
ground. “Giving a presentation that gives too much focus on historic risks to
the business—even from the previous year—is not helpful,” he said.
Instead, begin a fresh dialogue about what risks may be on
the horizon and how they may impact corporate strategy, Watson advised, noting
he believes risk professionals should align themselves with ensuring strategic
success. Risk functions should do this, he said, “by showing that they
understand what the strategy is and how it will be delivered, as well as by
challenging the assumptions that underpin it to see if management has
understood the type of risks involved and their impact.” Watson also cautioned
risk managers to “avoid a rigid adherence to policy or procedure that can set
you at odds with business goals and commercial reality.”
Raising the Risk Management Profile
If risk professionals want to be taken more seriously, they
need to visualize how they want to be regarded and move toward that goal,
Watson said. “If risk managers want to be listened to, be taken more seriously,
and be able influence the debate and its outcomes, then they need to think how
they can make that happen,” he explained. “They need to build their part up.”
For example, if risk professionals want to be seen as
proactive and business-savvy, they should consider how best to demonstrate
these attributes in a meeting. “A positive outlook works better than a negative
one,” Watson said. “A frequent criticism of risk management is that the
function just lays out the risks to the business in order of severity and
likelihood and suggests actions for management to take. That approach doesn’t
generate a conversation easily. Instead, risk managers need to think about what
the organization’s goals are and what the board wants to achieve, and then
suggest ways that the risk function can help—perhaps by moving into new areas,
working with other in-house teams such as compliance, internal audit or project
management, and suggesting ways that progress and success can be monitored,
measured and achieved.”
Hard numbers and verified data always carry weight when
trying to earn the respect of the board and the risk committee. Anecdotes and
analytical examples of the good or bad experiences of other companies also add
color and can demonstrate that you know what it takes to succeed. “Show the
risk committee that you have done your homework and that you have the evidence
to back up your claims and ideas,” Watson said.
Another way to win over executives is to build a broad base
of support, both with operational areas and with other assurance functions.
“Align yourself with business leaders in all areas—sales, operations, finance,
IT and so on—and find out what their priorities are, and what they think are
the key risks to the business from their perspectives,” he said. “Also, work
closely with other assurance functions—compliance, legal, human resources and
IT, for example—to get a unified view of risk to present to the board. This
will also avoid duplication of work and prevent a drain on resources.”
Looking at the upside can help get on the risk committee’s
good side as well. Drummond suggested that providing ways to leverage the
upsides of risk will always grab their attention, as will looking for quick,
provable wins and realizing opportunities that are easy to turn around, can
rely on in-house expertise, and bring in revenue rather than strain resources.
Looking widely at risks in the sector and the economy, not just within the
organization, can provide greater confidence and shows industry knowledge. It
also helps to provide options, rather than singular recommendations. “Executives
need to ultimately make the decision,” he said. “Giving them just one option
means that you have made the decision, but that they need to action it. That’s
not how the relationship works.”
Some experts believe, on the other hand, that there is no
“trick” to getting executives on your side: Good risk managers who can prove
their worth will always have an executive’s ear. Bob Sibik, senior vice
president of software vendor Fusion Risk Management, said that the best way for
risk managers to deepen the relationship they have with executives and
management is “to keep doing what they’re doing—only better.”
Ensuring that the organization continues to provide
stakeholder value is the most important issue for risk managers to bear in
mind. “Delivering value is the ultimate goal of any organization,” he said.
“Failing to achieve that raises questions not only about the board, but also
about risk management’s capabilities and standing.”
Strategic Focus
There are plenty of ways that risk managers can get the
notice of the risk committee and the board, but to avoid having the
relationship be one-sided, experts stress that risk professionals should not be
making all the moves—executives also need to open up more and be prepared to
give more, especially around strategy.
“If executives want the risk function to think more
strategically, they need to tell them what the strategy is in full,” Forsyth
said. “Risk functions can’t add any real value unless they know the full
picture, so the board and the risk committee need to share information too, and
do so regularly.”
Risk committees also need to be more willing to challenge
risk management to get the best out of the function. “Risk committees rarely
question whether the risk plan that has been agreed upon is actually the right
one for the business—even if the risk landscape or circumstances impacting the
business have changed,” she said.
Risk committees too often see their role as reviewing and
overseeing a process that has already been agreed with management, and which
therefore must presumably be the right one to satisfy the needs of the
business, Forsyth said. It is very rare that the underlying premise of the risk
plan is questioned. Risk committees often assume that all the work laid out in
the plan can be done appropriately and on budget.
Increasing scrutiny of the board and risk committee should
incentivize working more closely with risk professionals. There is much more
pressure now on executives to probe the robustness of the organization’s
approach to risk management, said Neil Kirton, EMEA regional managing director
in Kroll’s business intelligence and investigations practice. “Investors want
much more information about a company’s risk management framework, how it is
reviewed and resourced, and who in the organization is responsible for
overseeing risks on an operational level or day-to-day basis,” he said. “A risk
committee that fails to ask probing questions about how risks are managed in
the business is failing to uphold proper corporate governance.”
Anecdotal evidence suggests that risk committees and boards
are asking more questions about the risk management process, and that they have
a greater willingness to support the function further, especially during the
pandemic and the recovery to come. The relationship can be most improved—and
the associated benefits quickly realized—if both sides showcase their
experience, are willing to have an open dialogue, and make a greater effort to
align risk management to the organization’s strategy.