The first step to managing risk is understanding it.
That simple sentence gets to the heart of the opportunities and challenges of risk management. The concept of risk is pretty simple.
The ISO 31000 definition of risk couldn't be much more straightforward: "the effect of uncertainty on objectives." But anyone who's been tasked with managing an organization's risk knows that identifying and managing business risks is complex.
How organizations tackle risk varies from company to company based on their particular risk appetite. One business may be ready to push the envelope and look for competitive advantages through bigger gambles, while a more conservative firm may rely on established trends and avoid risk to the extent possible.
For risk managers tasked with interpreting an organization's risk appetite and recommending a course of action, risk is something of a moving target. The risks themselves are constantly changing, and even within a single organization, the approach to risk may vary by department or individual.
And risk managers' jobs are only getting more difficult. In fact, more than 70 percent of executives say that risks have gotten more numerous and more complex over the last five years, according to a recent report from the Enterprise Risk Management (ERM) Initiative at North Carolina State University and the American Institute of Certified Public Accountants. The report, "The State of Risk Oversight: An Overview of Enterprise Risk Management Practices," surveyed CFOs and other executives at organizations of varying sizes across a broad range of industries. While these executives said that risks were getting more complicated, only a quarter said that they have a "mature" or "robust" risk management process to address these escalating risks.
Understanding risk at the enterprise level
Those organizations that lack effective risk management processes have limited ability to assess emerging strategic, financial or operational risks and opportunities. Only a quarter of those surveyed considered their organization's risk management process to be an important strategic tool.
The holistic approach of ERM, which seeks to actively manage all of an organization's risks instead of taking the traditional silo approach, has several benefits. It helps leaders establish an enterprise-wide appetite for risk and prioritize individual risks based on what's likely to have the most significant impact on the organization.
Perhaps most importantly, it identifies the interplay of specific risks--circumstances that could originate in one area but have major implications for another. If flooding is likely to delay a delivery to a manufacturer, a robust ERM program would analyze that risk's effect on not just shipping and receiving but also sales, facilities, customer service and any other area that could be affected.
As organizations take an enterprise-wide view of their risks, the skills risk managers need to be successful will shift as well. In one 2017 PwC survey, 63 percent of corporate officers said that giving frontline employees more risk management responsibilities enables their companies to better foresee and respond to risk, and about half will further this shift in the next three years. It's clear that organizations are increasingly relying on risk managers who can effectively communicate risk elements and strategy to both executives and employees.
Understanding emerging risks
Understanding your organization's risk appetite and addressing current risks is only part of risk management. New risks crop up all the time, and risk managers need to stay vigilant. Cyber risk, with its ever-increasing sources and severity, gets a lot of media coverage and is a top priority for most organizations, but even traditional types of risk are constantly shifting and evolving. Risks stemming from government action and regulations have been particularly difficult to predict of late, and organization-specific issues like employee malfeasance, reputational harm and operational risks continue to pose serious threats.
More and more risk managers are turning to data analytics to quantify these risks, but many organizations still struggle to effectively use the data at their disposal. In fact, another PwC survey asked U.S. executives, "Which areas of risk represent the largest capability gaps for your company today?" The leading response: fragmented risk data and analysis. Risk managers have so much data at their fingertips, much of it unstructured, that they can't effectively use it to make risk-based decisions. Complexity scientist Francesco Corea points out that more information should lead to more accurate results, but it can also make things more complicated.
Understanding what your risk managers need
As organizations work to establish an ERM program and grapple with overwhelming amounts of data, let's take a closer look at three factors that will make risk managers and their departments more effective.
- Risk managers need education. A solid foundation in risk management principles and practices, as well as an understanding of the methods used to deploy ERM across an organization, is essential. The Institutes' Associate in Risk Management (ARM™) program provides that comprehensive overview, but ongoing education to keep up with evolving risks is just as important.
- Risk managers need access. Risk managers need to be able to secure buy-in from many individuals: executive decision makers, data scientists, frontline employees and more. Risk managers therefore need access to these collaborators, as well as training on the soft skills needed to be effective in their role.
- Risk managers need allies. An organization shouldn't rely on just one or two risk experts to deal with risk. If risk is to truly become a key strategic tool, individuals at every level of the company need to develop basic risk knowledge and a risk mindset.
This piece is based on one of several Institutisms, mottos to inspire risk management and insurance professionals to success through lifelong learning and continuous education. Knowledge is the path to managing your clients' risks. And in the world of risk management and insurance, The Institutes are the ultimate knowledge resource for professionals--at every level and in any discipline. From designations and continuing education to networking and research that informs public policy, our name is all you need to know. Learn more about the ARM designation.