Risk and return: balanced approach to corporate risk management

For most of us, risk management is usually thought of as something negative, transactional, and frankly boring – but sadly necessary. It’s something we all have to have, but is hardly business as we know it; right? Wrong.

Organisations that are successful in the long run embrace and embed a much broader definition of risk management. More than just insurance-buying, audit, occupational safety and health, project management, and business continuity planning, so-called enterprise-wide approaches to risk management (ERM) take a strategic perspective, framed around the organisation’s core processes and strategic goals.

Rather than focusing purely on “risk management by media”, meaning a panic-inspired focus on the risks making the headlines in today’s newspapers, ERM takes a longer-term view of risks – and of business opportunities.

Effective risk management is multi-dimensional and people-focused: no organisation can gain a real grasp of the risks that truly matter to its operations by just looking at the shop floor or indeed just the boardroom. ERM looks across the enterprise at both, blending systematic risk identification with a good understanding of the “cultural pulse” of the firm.

While often thought of as a “nerdy discipline”, effective risk management is far from it. Risk managers can’t hope to be even vaguely successful by operating from behind the comfort of software packages, spreadsheets and risk registers. Communications skills, empathy and a real feeling for culture in all its guises are all far more important.

This is even more crucial in complex multi-national organisations. Common sense tells us to expect different approaches to risk in different cultures, yet common sense often goes straight out the window when making global business decisions.

The examples of major corporations that have failed on the doorstep of poor international risk decisions continue to grow by the year, every year. The truth is culture varies from country to country, race to race and religion to religion. Our diversity as a species is truly exciting, indeed inspiring, and a key driving force behind creativity, so why is it that traditional approaches to risk management often completely ignore this?

Organisations that recognise global diversity and culture tend to be successful in the long term – think Apple or Samsung, both of which blend strong design-led leadership with a good understanding of global markets, and an almost messianic focus on recruiting, growing and motivating the very best people.

Getting the right risk manager within the team can significantly strengthen the likelihood of achieving that level of nirvana. Whether that person be a dedicated risk manager, or a part-time role for another member of the leadership team, doesn’t actually matter. The important thing is that he or she must be outwardly focused, culturally empathetic and a superb communicator.

The risk manager must be both the chief executive’s confidant and trusted adviser, and able to explain risk issues simply, without jargon, and in financial terms that are easily grasped at board level.

Rather than an obsessional focus solely on “down-side risk”, the risk function is also there to work with the board and senior management to make new business initiatives work in a risk-effective way.

Nowhere is that balanced approach needed more than in today’s extended business enterprise. Halliburton, Transocean and BP were all involved in the Gulf of Mexico oil well disaster, yet BP suffered most in terms of reputational damage.

The Institute of Risk Management (IRM), a not-for-profit global body dedicated to improving skills in risk management practice, is currently developing guidance on how organisations can best manage risk in complex supply chain situations.

Today’s lean organisations tend towards single efficient supply sources yet this can often conflict with building organisational resilience. Just think, the human body has two kidneys for precisely this reason – and as a species, we’ve been around for quite a few years.

So where next? The good news is there’s a global standard for enterprise risk management – ISO 31000 – that provides straightforward advice on how to embed a balanced and effective approach. There are also numerous courses and guidance available to help firms make the transition to ERM.

Increasingly professionalised, risk management has moved on from the transactional job it once was. In a sense, it’s at a similar crossroads to that faced by the HR and IT functions some 20 to 40 years ago before they became established parts of the corporate leadership landscape. The time has come to bury outmoded views of the “I wouldn’t do that if I were you” risk-averse risk manager.

Steve Fowler is chief executive of the Institute of Risk Management and has held a wide range of business roles, including commercial IT director and head of commercial business transformation with RSA in the insurance industry.