Risk management is a C-suite issue

The siloed roles of the traditional risk management approach are no longer enough to deal with broad risk exposures faced by companies.

But should top management be involved with the risks their company faces or should they be focusing on running the business? Ideally the two should go hand in hand. Recent research about risk leadership, conducted by Harvard Business Review Analytic Services in association with Zurich, the Federation of European Risk Management Associations (FERMA) and the Public Risk Management Organisation (PRIMO), has identified key areas of risk management that respondents felt needed more emphasis.

The Leadership in Risk Management research will be released later this year and reflects the results of a Harvard Business Review Analytic Services web-based survey conducted with 217 global respondents from both private and public-sector organisations involved in risk management for their company.

Of those surveyed, 84 per cent cited financial risk as an area requiring input from the C-suite when asked which areas they felt needed top management level attention. This was closely followed by strategic risk at 79 per cent, and legal and regulatory risks came in third receiving 70 per cent of the responses.  These results suggest that risk management is assuming a broader and more strategic role within many organisations, and hints that some business leaders are really starting to engage with risk managers on risk issues.

Chief executives should discuss risk management whenever they talk about markets or customers, as all are equally critical to success

Concerns about businesses’ exposure to cyber risks, communication on the internet and social media were also underlined by respondents as key areas of worry. There was great concern on IT or data privacy and technology, which each received 60 per cent and 52 per cent of the responses respectively.

The amount of risk present in the modern business environment is arguably only exceeded by the need for greater communication about potential challenges and optimal treatments. It is encouraging to see that in the majority (62 per cent) of companies surveyed, there was a bi-directional approach to risk communication. In other words, communication about rising and emerging risks flowed in both directions between the C-suite and operations.

The survey also suggests that risk management is being taken more seriously than before in respondents’ companies. Not only is there bi-directional communication, but key risks are communicated to the C-suite regularly at 70 per cent of companies surveyed, the board reviews risk management policies and procedures annually at 59 per cent of respondents’ companies, and reviews top risk exposures and treatment actions at least bi-annually at 73 per cent of participating organisations.


The results speak for themselves, but do they represent a business reality? Linda Conrad, director of strategic business risk at Zurich North America, believes there is more work to be done.

“Today, risk can be a competitive advantage if companies are ‘risk smart’, innovative and ready for change. The figures are encouraging, and I have seen some improvement in communication about risk and opportunity between business heads, chief risk officers (CROs) and the board.

“Ideally, chief executives should discuss risk management whenever they talk about markets or customers, as all are equally critical to success. Yet many companies still struggle with how to embed risk acumen throughout their enterprise and proactively address risk issues.

“The blind-side of risk can cost you money and prevent you from taking advantage of opportunities that can drive growth. But when risk management is linked to strategy and budget, a firm can more clearly articulate their optimal balance between risk and reward to deliver improved results.  For this to happen, the C-suite must continue to promote a risk culture shift and encourage dialogue that can improve risk awareness, accountability and, ultimately, achievement.”

Training in risk management is on the rise in some organisations, as more than half (56 per cent) of the companies surveyed have increased the resources they devote to risk-related education and training over the past three years at least at the CRO level and higher.

While the implication may be that it is only top management who are getting the necessary training and education, there are results which show they are leading respondents’ companies in culture change. For example, more than three-quarters (79 per cent) of the respondents said employees are encouraged to call attention to new risk exposures and business changes, and another 52 per cent said that, over the past three years, their board has strengthened codes of conduct and protections for internal whistle-blowers.

“It can only be good news that top management are becoming more risk-aware,” says Vinicio Cellerini, Zurich’s chief executive of global corporate in the UK. “This research clearly shows that the C-suite and the board are working with CROs to bring about significant change in some companies.

“Risk awareness and a truly enterprise approach to risk management could help businesses cut costs and identify their risk appetite more easily.

“It is fundamental for every business to have the correct processes and measures in place to protect their company, and effectively manage risk. But sometimes that is easier said than done, and companies need an outsiders’ perspective on their approach to risk management, risk transfer and risk finance. This is when companies should engage with their insurer.”

This research was created in collaboration with Harvard Business Review Analytic Services, Zurich, FERMA and PRIMO, and data was collected between January and February 2013.

You can sign up to watch the Leading Risk Culture Change webinar, which provides an overview of the research, by going to www.krm.com/hbr/RiskCultureCL