Breathe in, breathe out!
This is not Pilates or yoga, but the reflex every human being must perform in order to live.
In the same way, daily and often unconsciously, humans constantly anticipate a situation, weigh the pros and cons, the pluses and minuses, and decide on the alternative that best serves their objectives: “I’m late for my meeting, no traffic. I’ll cross outside the crosswalk and save time.” or “I’m late for my meeting, no traffic. Too bad, I’ll stay safe, my health comes first.” are two examples of decisions that we all make according to our objectives and their context.
Therefore, while breathing, human beings anticipate risks and consequences and treat them.
Risk management, therefore, seems to be inseparable from any human activity, but strangely enough, once we enter the company, it seems to be hidden from view!
Yet risk management is also fundamental to the life of a company: it guarantees the preservation of value. It is its resilience, i.e. its ability to adapt to different contexts.
And yet, how many companies are caught out by insufficiently prepared restructurings, projects that go awry, cyber disasters, and economic or climatic variations?
As a consultant in a consulting firm, I first tackled the subject of risk management in 1995 via computer security and contingency plans. It was still a recent subject, but I was immediately interested in the concept. My manager came from the insurance world, and we developed an approach based on the Marion risk method, which we hoped to sell to companies. Unfortunately, we found that the CIOs at the time were not very enthusiastic about the approach but focused on the technical solution, which was valid in any case!
Note that ISO/IEC 27001, in its title and in Annex A, emphasizes protection measures rather than reflection on the risks themselves, even though the risk management process is well described.
As a consultant, I have noticed that most information technology specialists consider Annex A to be the most important, seeking to implement its measures as exhaustively as possible by relying on ISO/IEC 27002 solutions, but most often without any direct link to technological or IT risks, which are only summarily assessed, and above all with little connection to the business. In fact, the CISO function has been deployed more rapidly than the Risk Manager function.
There might be some who object that I’m talking about information systems when risk management with its Risk Manager has existed for many years in other industries. Yes and no.
A little history. The word “risk” comes from the Italian “risico”, which means reef. In the Middle Ages, the Serenissima, rich in maritime trade, began to map the routes where ships would encounter the fewest reefs and, therefore, the fewest groundings. This was the beginning of insurance, and even today, the Risk Manager is often confused with the Insurance Manager.
Risk management is often carried out in silos and often in response to regulations: operational risk management, project risk management, environmental risk management, IS risk management, etc. Each silo has a designated manager for this mission. But overall, there is not enough interaction and collaboration across the board or from the operational to the strategic level (and vice versa), which can lead to errors in risk assessment and treatment. Yet risks are increasingly correlated and propagate faster (for example, a cyber risk with an impact on the robotics of a production line leading to a toxic product leak, among other consequences), and this is a reality to be taken into account.
Throughout my consulting and training missions, I have come to realize that Risk Manager is a rather vague position with uncertain contours that cover various realities: Insurance Manager, Internal Control Manager, Compliance Manager, or Business Continuity Manager. They can operationally manage risks within an entity, a project, or globally within a department.
So, what is the Risk Manager?
While various standards were already recognized (the ISO/IEC 27000, ISO 9000 and ISO 14001 families, etc.), a new standard went almost unnoticed in 2009: ISO 31000 “guidelines for risk management”, which de facto clarifies the responsibility of the Risk Manager.
At first glance, this standard is not easy to understand (the latest 2019 version has simplified it), but it clearly defines the issues: “Risk management is an iterative activity that helps organizations develop strategy, achieve objectives and make informed decisions.
Risk management is an integral part of governance and leadership and is fundamentally important to how the organization is managed at all levels.”
Thus, the ISO 31000 standard provides for a holistic approach allowing the creation of a risk management program integrated with the decisions of each unit of an organization, all orchestrated by the Risk Manager position at a General Management level. Even if the Risk Manager has specialized correspondents in each field, he or she must federate a global and transversal vision of risks: from the strategy for each field to his or her portfolio, then to the programs, projects, and finally to the operational level (and vice versa).
Historically in charge of insurance management or of the operational management of risks, without any governance activity, the risk manager’s field of activity is now oriented more towards the management of the company’s global risks.
Today, in my opinion, the Risk Manager should be positioned close to General Management, but also to operational staff and other cross-functional functions (quality, safety, projects, finance, sales, information systems, human resources, etc.) through a dynamic and collaborative organization to be put in place (this is the definition of the Chief Risk Officer, widely recognized in the United States).
For the Risk Manager, this corresponds to the implementation of Enterprise Risk Management, the true architecture of risk management.
ERM requires certain capabilities within a company, which include:
- Support from the board of directors and management team
- A management structure that supports ERM
- Sufficient resources, including qualified personnel and sufficient funding for tools and training
- A plan and commitment to improving the ERM program over time
- An organizational understanding of risk tolerance
- A process for assessing and responding to risks
- Enterprise-level risk monitoring.
But what are the findings on the Risk Manager function?
The AMRAE (Association pour le Management des Risques et des Assurances de l’Entreprise), or “Association for Enterprise Risk and Insurance Management”, published an interesting survey in May 2022 on the evolution of Risk Managers. This survey shows that:
- The contours of the function continue to be structured, and its skills broadened.
- The average risk manager is 47 years old, and has twelve years of risk management experience, often combining several roles at the same time. Furthermore, the number of risk managers under 35 has declined sharply.
- 99% say they can contact senior management directly or indirectly if necessary. In 2015, only 62% were able to do so.
- At least 50% participate on a regular or ad hoc basis in management committees, executive committees, or audit committees, where they educate knowledgeable executives on the fundamentals of risk management: identification, assessment, control and action plans, and their financing.
- For the first time, the identification of opportunities appears in the AMRAE 2022 barometer, which reflects a form of maturity among companies, which realize that certain strategic risks can be a source of growth opportunities.
- The function is becoming more feminine, with women now representing 45% of positions, a ratio that has more than doubled in 13 years.
- Despite the broadening of their scope and responsibilities, risk managers still have small teams, mostly of one to four employees. 25% work alone, and this lack of resources is also reflected in the budgets allocated to them: 53% declare that their budget is insufficient or not available at all.
- The majority of risk managers appreciate their position, yet 59% of them feel that it is still insufficiently recognized.
- Knowledge of the company is very important to enter this profession. The risk manager examines and clarifies immediate and future decisions. This is why the recruitment of these profiles, often senior, works mainly by co-optation or internal promotion, accompanied by technical training.
In my experience as a consultant and trainer on the subject, the profile of the current Risk Manager should have solid capacities for organization, adaptation, analysis, and rigor.
A risk manager must be a good communicator, both internally and externally, and above all, have the ability to listen to and collaborate with all the other business lines in order to disseminate and integrate a consistent risk culture at every level of decision-making, including senior management. Trust in the Risk Manager is therefore crucial.
A risk manager must be a generalist by training (engineer, business school, economics, insurance), with good professional experience in their company’s business sector, its organization, and its regulatory context. But given the current complexity of the protean panorama of risks, the risk manager must increasingly understand several specialties, such as the standards of the subject, governance, and information systems. A risk manager should also be able to understand the emerging technical subjects in cybersecurity, digital systems, etc., in order to be able to lead their network of field correspondents.
Initial training in risk management remains rare; it therefore seems important that a Risk Manager follow additional training courses according to their existing knowledge.
The PECB ISO 31000 Risk Manager training is, in my opinion, essential, as well as training in governance frameworks (e.g. COSO ERM or even COBIT®). Then, depending on the importance of the subject in the context of the company, it seems crucial to me that the Risk Manager understands the security of information systems, cyber security, the digital transition, and the challenges of sustainable development.
It is also interesting to note that the 2022 versions of ISO/IEC 27001 (which simplified Annex A) and ISO/IEC 27005 make full reference to ISO 31000:2019 for risk management, to a close relationship with all business lines, and to the notion of strategic scenarios.
And for the future:
Risk management should evolve to ensure that all new systems in use continue to have appropriate risk assessment and mitigation controls throughout their life cycle. Companies will have to deal with emerging technologies (quantum, space technologies, IoT, 5G, etc.) and new strategies (ESG, Internet of Behaviors, etc.), hence, they need to actively monitor risks to stay on top of emerging technologies and threats.
The world is currently in the midst of the fourth industrial revolution, in which technologies are merging between the physical, digital, and environmental domains. In this interconnected world, the risk is no longer just about traditional structures, people, and processes. It is also the risk external to the company: geopolitical, climatic, and external service providers, which must be taken into account.
The Risk Manager must evolve in environments where they can collaborate with external stakeholders to manage and mitigate risks and adopt an ecosystem-wide approach to risk while integrating it into processes.
The integration of Environmental, Social, and Governance (ESG) factors
A risk manager will have to face this new challenge in the future. Environmental risks may include concerns related to the global transition to a green future, such as climate change mitigation and adaptation strategies, as well as the physical risks posed by climate change, such as droughts, natural disasters, and agricultural disruptions.
Social risks can include working conditions, safety and respect for human rights, diversity, equity, and inclusion.
Governance risks cover concerns such as anti-corruption practices and compliance with relevant laws and regulations. If not managed properly, ESG issues can cause legal, financial, or reputational damage.
As organizations refine their ESG reporting, risk management becomes a critical component of their ESG strategies. ESG risk factors will therefore need to be integrated into corporate decision-making and enterprise risk management (ERM).
And to conclude:
Since 1995, the theme of risk and the evolution of risk management functions has always drawn and engaged me. It is a subject that will gradually take its true place and importance in the company.
The verdict is clear: risk management is not just a compliance activity, it is the company’s sustainability and a factor for progress. Rather than protesting the cost of implementation, companies need to consider the cost of inaction and the long-term cost of ignoring warning signs and bad practices.
Through Risk Management, I find it particularly motivating to have a global vision of the company with its operating mode and to collaborate with its specialists capable of enriching my knowledge on fundamental and current subjects in the context of the company.
Being a Risk Manager requires a solid background of knowledge, but also the ability to be up-to-date with the latest developments and to have a permanent curiosity about future possibilities.
Furthermore, the Risk Manager is a “preventer”, or “the one who anticipates”. Even if it is important to base oneself on solid factors, the risk manager must be imaginative in order to encourage decision-makers to think outside their daily context.
It is, therefore, a function that will be constantly evolving and that also allows me privately to keep myself informed and try to understand future trends and, therefore, the times in which I live.
Of course, risk management is not an easy job: managing the day-to-day business, the demands of all the units, leading risk committees, communicating internally and externally, keeping abreast of trends and developments of all kinds, anticipating risks, supervising the implementation of solutions, and so on. So when, at the beginning of this article, I mentioned yoga or Pilates sessions, I wasn’t kidding.
I believe it is essential not to “run out of steam” for this type of function and not to get bogged down by the daily routine and the stress of emergencies. In my opinion, if you no longer have time for imagination, you can no longer be a Risk Manager.
So, my advice to all those who are interested in the job: do some sport, practice mindfulness meditation, let your imagination wander, create stories, drawings, etc., in order to improve your attention to and discernment of the present, as well as your memory and concentration, for better decision-making.
In short, in two words: “Breathe in, breathe out”!