The Chief Risk Officer (CRO) or Risk Management Director is now an established position in Finnish companies and is responsible for a wide range of tasks, the emphasis of which is moving from property risks to business risks.
The most significant challenge for these professionals is considered to be establishing risk management as an integrated part of the management system and business process. In order to be successful, the CRO must first convince line managers of the importance of risk management. This has to be our mantra.
At the same time as enterprise wide risk management (ERM) has become more common, a new group of professionals – the CRO:s – has evolved. The views and opinions of these professionals and the challenges they have experienced were studied in a research project during the spring of 2007. The research was organized by Ernst & Young in co-operation with the Finnish Risk Management Association. The target group was the risk management professionals working in Finnish companies and associations.The professional background of individual CRO:s varies a lot (figure 1).
This may be due to the relative newness of the position and that risk management in its entirety is quite an extensive area, covering many different sectors.
The risk management professionals who answered the questionnaire represented 15 different educational and experience backgrounds in total. When asked, only 17 % of those who answered stated that their education and experience were specifically connected to risk management. The vast majority, i.e. over 80%, have therefore moved to risk management work from another sector, the most common of which is insurance. The other common backgrounds are corporate safety, accounting and financing.
Risk management seeks security
The objectives that an organisation sets for risk management form an important starting point for the work of a CRO (figure 2). The most common objective that the organisations participating in the research work identified for risk management is “ensuring the achievement of targets”. Three-quarters of those who answered the questionnaire stated that they had set this objective.
Setting objectives is a fundamental part of ERM. According to this, hazards are all those factors that can put the achieving of business targets at risk – no matter which risk class they represent. Other objectives, which have been most commonly set are connected with improving risk awareness and the risk management function within the organisation, loss prevention and securing continuity of business operations.In contrast, the objectives connected to economy and financing, such as reducing the fluctuations in profits or cash flow, or ensuring the achievement of the forecasted profit are only rarely set. Thus the dogmas of business economics and financing do not seem to be applied to any significant degree in practical risk management work.
This is despite the fact that business economics and financing are well represented in the backgrounds of risk management professionals and that risk management directors or CRO:s very often report to the Chief Finance Officer.Chief Risk Officers participate in many activities and must work in several areas of risk in order to meet the objectives. Typical areas of work cover physical as well as intangible risks, technical as well as commercial risks, together with risks that are internal as well as external to the organisation. However, this does not mean that the CRO would be responsible for all of these risks; according to an established model, the Group Risk Management operates primarily as a coordinator and internal consultant for the managers of the business units, who in practise are responsible for the line risk management.Based on the research results, it is clearly more common for the CRO to participate in developing and co-ordinating risk management activities rather than to be completely responsible for the work. According to the survey, property risk management is the area for which the CRO bears most responsibility for developing risk management strategies.
It has been estimated that nowadays property risks occupy most of the time of the CRO (figure 3). Property risks represent the traditional area of risk management, as do health and safety risks, which also demand a substantial portion of the CRO’s time. Furthermore risks related to marketing, client contact, competitors and supply chain management have recently emerged, to broaden the scope of CRO’s area of responsibility.
In the future the emphasis will be on strategic risks. The results of the survey suggest that this trend will be further strengthened in the future. When asking the question; which types of risk the CRO:s will put the most effort into during the next three years, it is clear that the risks connected with marketing, clients contact, competitors, partners and networks are clearly expected to rise above the others.It seems that the focus for risk management work in the future will be concentrated towards the strategic risks of business operations. This is an area in which the CRO:s have not traditionally been involved.
Only a few of those who answered the questionnaire were of the opinion that in the future the focus should be on property risks. It was also considered that the risks connected to health & safety and economic reporting will demand less consideration in the future than is currently the case. However, this does not mean that these risks will disappear. But so much effort has already been put into these risks, that in the future it is anticipated they will demand less consideration, relative to the newly emerging areas of risk.
The main risk management activities for which the CRO:s are responsible include the development of risk management principles, reporting practices and tools and insurance (figure 4). However, only one in four of the CROs are responsible for identifying and assessing risks. The survey indicates that this task belongs primarily to those who are directly responsible for the risk, being typically found within the sphere of the specific business operations management.
However, it would be beneficial if those working in risk management, actually participate in the risk assessment and provide the necessary methods and tools to carry out the process. Thus it is alarming that almost 40 % of those who answered the questionnaire advised that the risk assessments of investments are carried out without the participation of the CRO, although, it is more common for the CRO to participate in due diligence processes.
The challenge is to take risk management to the business operation units. The biggest challenges for CRO:s are in connection with introducing risk management to the organisation (figure 5). As many as 80% of those who answered the questionnaire felt their main challenge was to integrate risk management into the management system and business processes. The second most important challenge the questionnaire highlighted was marketing risk management and proving its benefits to line management and business operation units. One third of those who answered also felt that the maintenance of defined operating methods in the organisation was a significant challenge. These three issues are closely connected to each other.To ensure that the organisation maintains the risk management processes, it is necessary that risk management is integrated into practical management and that the benefits it brings are clear for the business operation units. The selling of risk management to senior management in a company seems however, to be a lesser challenge, only stated by 25% of the participants. Using the words of one of those who answered the questionnaire: “Senior management has already begun to understand the significance of risk management, however, how do we increase the understanding of the next management levels”?
The most significant challenges when communicating with senior management are connected to understanding their expectations, clarifying their targets and meeting their targets, i.e. proving the operating ability of risk management to them and the board of directors.The operating environment of companies is constantly changing and developing and the new phenomena that are emerging in addition to familiar risks must be understood and managed. The world of risk is continuously expanding, so that the challenges facing the Chief Risk Officers will not decrease. On the other hand, the same development might ensure that the services of the CRO in greater and greater demand in the future.
Fredrik Åström, Manager, Advisory Services unit of Ernst & Young
Saturday, December 06, 2008
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment