Risk Management: Marsh
  Operational Risk
Building a World-Class Risk Management Function
Establishing a formal risk management department can help in transforming risks into opportunities.

All companies manage risk. Often, risk management responsibilities are informally housed in various departments throughout an organization, as well as with third-party vendors. For many entities, however, the best solution for building a world-class risk management function begins with a strong, formal risk management department.

Why formalize risk management leadership into a distinct and separate department? Positioned correctly, a risk management department occupies a unique position within an organization, at the crossroads of the operational, financial, accounting, and strategic functions. Not only can it play a key role in identifying, managing, and mitigating enterprise-wide risks, but it can also help senior managers spot opportunities where others might only see threats.

Managing Risk: The Stakes Are High
Few corporate managers would make the argument that managing risk is just another corporate business process. Newspaper headlines of the past few years have brought home the harsh penalties for mismanaging corporate governance risk, workers’ compensation risk, business slowdown risk, and risks posed by competitors, to name just a few.

But awareness of the critical nature of risk management doesn’t always translate into action. Some boards and senior management teams continue to deal with risk in the traditional, haphazard manner, one that eschews a formal risk architecture and diffuses risk management responsibility throughout the organization. Some of their assumptions include:

  • Managing risk is most efficiently done department by department, as individual managers possess an understanding of specific “local” risks better than anyone else within the organization.
  • It’s difficult to quantify the return on investment from a risk management department.
  • Risk is about threats, not opportunities.

In the following pages, these myths will be dissected and debunked. Whether a company has yet to develop a risk management department, is nurturing one in its infancy, has a good department it wants to make great, or has a great one in need of tweaking, an organization can improve its bottom line performance through investment in the risk management department.

Improving an Existing Risk Management Department
In written Chinese, two brush strokes create the word “crisis.” The first stroke denotes the word “danger,” the next stands for “opportunity.” For far too long, risk management has been thought of solely in terms of managing hazard risk — damage or business interruptions from fire, storms, etc.

Perhaps because of this traditional view of risk, many corporate managers today continue to view risk management as simply avoiding dangers. In fact, there are opportunities in every nook and corner of an enterprise to apply risk management techniques to improve performance and help the bottom line. The challenge is encouraging disparate groups scattered throughout an organization to know and trust the risk management leaders.

How does a risk manager develop this goodwill and effectively partner throughout the organization to help the company spot opportunities? A strong risk management leader learns about a company’s products and markets, forges ties with other managers throughout the company, becomes involved in company-wide initiatives, and takes calculated gambles to increase the presence of the department.

Some of the areas of the company that a risk manager needs to understand include operations, legal, human resources, tax, marketing, internal audit, and compliance.

Delivering the Most Value
With an understanding of the overall business, a risk manager will have a better idea of where the risk management department can have the most impact. For example, perhaps a company has used far too conservative accounting practices to book revenues. If the risk management department understands the basics behind the accounting treatments, the group will have the credibility to raise this issue and partner with the accounting department to explore alternative accounting options.

Or take a manufacturing company. The risk management team should know the process for introducing new tools or work processes into a factory environment, to ensure that the shop floor stays as safe as possible. What about when corporate is looking for the best insurance deal? Risk managers should be able to grasp the financial implications of using a captive versus a guaranteed-cost program versus a large deductible program.

With strong leadership and a track record of managing a wide variety of risks, the risk management department will become a real asset to senior leadership in pinpointing opportunities to improve the business, as well as in identifying and mitigating the six or seven risks that threaten the business most.

Looking at the Big Picture
One issue, of course, is time. Many risk management departments, at their current staffing and funding levels, are hard-pressed to manage even hazard risks. To find the time to build bridges throughout a company and subsequently understand all different types of risk, risk managers need to delegate tasks to others, including third-party firms, such as companies hired to administer claims. Too many risk managers second-guess third-party vendors and fail to delegate various parts of the risk management function.

The key is to avoid “doing the doing,” or getting lost in the minutiae of tasks. To pinpoint the big picture risks, risk managers need to think big, think ahead, and manage others to whom the details have been delegated.

The Long-Range Goal: Enterprise-Wide Risk
Broadening the purview of a risk department does help individual departments manage their risks better. But the real goal is to develop a framework that assists senior leadership in assessing risk consistently across the organization.

Historically, most companies without a risk management team have managed risks strictly in terms of functional risk: operational risk, financial risk, strategic risk, etc. Today, however, we understand how several risk factors taken together can cripple an organization. And by looking at risks enterprise-wide, organization-wide opportunities can also be spotted.

If the risk management department can identify patterns of risk across departments, bring risk solutions from one business area to another, and recognize the cumulative effects of risks — both good and bad — then there will be precious few questions from the board of directors about the value of the risk management department. Even then, however, every risk manager should be prepared to quantify the value his or her department brings to the organization.

Quantifying Return-on-Investment
Some risk managers assume that because risk management has recently been a “C” suite issue, the value of the department is intuitive to the board of directors and senior management. Like other department managers, however, risk managers must quantify their contributions to the business and illustrate how risk management pays off across the entire organization. There are two facets to this equation: the resources spent on the risk department, and the bottom-line value that the risk department brings.

Pinpointing the total investment by the organization in the risk management department can be more difficult than one might expect. One issue is that many organizations spend resources on risk management within individual departments, and allocate these expenses to the risk management department’s budget. The risk management team must stay involved in the accounting to the point of ensuring that the accounting or finance department is properly characterizing and accounting for risk expenses.

As far as quantifying the value of risk management, risk managers face a heavier burden than other corporate managers because it’s impossible to fully document the potential devastating effect of events that good risk management prevents. What can be accomplished, though, is a detailed cataloguing of the risk review processes implemented by the risk management department, followed by a benchmarking of results against similar companies.

In addition, risk managers can provide measurable results on the opportunities side of the ledger. For example, if a company’s risk department signed off on an acquisition using best-in-class due diligence, and other companies shied away on what turned out to be a great deal, this would constitute tangible evidence of effective risk management.

Concerns for Companies Without Risk Management Departments
For companies without risk management departments, the leap to better risk management can be a difficult one to make. Typically, company leaders need a better understanding of the responsibilities of the risk management function, the partnerships the department will forge within the organization, and the value that formalized risk management can bring.

Confusion Between the CEO and the CRO
One common issue for companies without risk management departments is that the role of a potential risk manager has frequently been confused with the risk management duties of the CEO. In fact, some CEOs have opted to go without such a group due to a belief that chief risk officers (CROs) might overstep their bounds. But the delineation between the two roles could not be clearer. The risk manager is in charge of developing the architecture that assists the management team in measuring and mitigating risk and identifying risk-related opportunities. The CEO is the ultimate judge of which risks to play defense against, as well as which risks to take.

Risk Transfer and Alternative Risk Solutions
Another challenge for companies just starting their risk management departments is difficulty in moving from risk transfer — or insurance — solutions to creative alternative risk solutions. Assuming a certain amount of risk and designing processes to identify and mitigate such risk is a major change at many companies. It can make people uneasy and anxious to depart from the obvious, insurance-based solution. But once the value of alternative risk solutions becomes clear, senior management realizes the benefits of being insulated from insurance market fluctuations, and the company finds better ways of managing losses, the risk management department will attract more and more supporters.

Conclusion
Historically, few of us have been comfortable working toward a “non-outcome.” That’s why the preventive nature of much risk work has long gone unheralded. Like the billions of dollars of Y2K consulting work that was questioned after the new millennium began without a glitch, much risk identification and mitigation work has been the victim of its own success. Today, however, with formal risk departments that can better quantify the risks mitigated and risk-related opportunities realized, the value of risk management has never been more apparent.


Copyright © 2004 Marsh Inc.