In a popular Sword GRC webinar entitled ‘Making Risk Management Relevant to Executive Management’, GRC thought leader Jason Breton explored the importance of the Risk Manager role in 2022 within a context of organizational design.
This blog post features highlights from the webinar. The full ‘Making Risk Management Relevant to Executive Management’ presentation may be downloaded free of charge.
Isn’t risk management relevant to executive management now?
“We often talk about the organization and transactional design and whether or not they meet. Think about whether your organizational design actually allows your Risk Managers to manage… and to what extent risk management is evident in your business transactions. Also think about where the Risk Manager is positioned to manage those transactions.” Jason suggests that we should question whether Risk Managers within the organization can influence good decision-making and whether risk practitioners actually have the mandate to make decisions for the company.
Introducing the Risk Manager
Jason explains how the appointment of Risk Managers within many businesses arose initially from a position of fear in not having one. There then followed indecision around where the Risk Managers should ‘sit’ within the organization, since for many, the corporate mindset was ‘risk doesn’t matter until it matters’.
In the early days, Jason explains, CROs (Chief Risk Officers) had autonomy and separation from the organization, with some governance and compliance authority that didn’t affect the C-suite or Executive team. “All of a sudden the CRO became one of the other ‘Os’… and we saw the positioning of Risk Managers start to dilute; not from an Executive ‘want’ but in a sense of where Risk Managers are best placed. When we talk about ISO 31000 and organizational design, we start to talk about recalibration and about ownership; about authority and decision-making. The Risk Manager became less a single stream or a silo in the organization, but began to integrate as the actions and controls within the risk register spread across the matrix organization.
“The Risk Manager had a rise to fame and then, as everybody got better at risk and started to apply the standards and behaviours of effective risk management, it became hard to define where that risk manager should ‘sit’.”
Where does the Risk Manager sit within organizational design?
Considering organizational design, Jason poses several questions. To what extent does the design of your organization (Organization Chart) map to the transactions you are required to prosecute daily? Where is the Risk Manager and does the design provide access to decision-makers? Have you ‘buried’ the Risk Manager — what does the placement say to the Executive and to the organization itself? Is the role positioned for success and have you ‘coupled’ the role within your organization?
“Consider who is influencing good decisions within the organization that allow you to prosecute the transaction. Is the Risk Manager just the facilitator? And does the design of the organizational chart actually empower those relevant to make decisions?
“Typically Risk Managers were ‘buried’ under the CFO as risk was seen as more of a compliance activity. I’ve more recently seen risk diluted into engineering, procurement and other areas of the organization… Are Risk Managers positioned to succeed?”
Introducing the ‘Uncertainty Manager’ for influence and relevance
Jason suggests that changing the naming convention, calling risk practitioners ‘Uncertainty Managers’, could provide Risk Managers with greater influence with the C-suite, since “evidencing uncertainty and solving it really validates the value of risk management.”
He recommends considering whether influence is hierarchical or behavioural. The important thing, he believes, is to add value. “The smart people in the room are silent until they become the solution architects. If you’re going to say something about uncertainty, be sure it’s going to add to strategic intent.”
The key question Jason suggests posing should be ‘Is managing risk a central assumption of your strategic plan?’ His thinking is that the Risk Manager needs to have a ‘diagonal lens slice’ of the business. “You need to know the strategy and you need to know the whole of the business, because how can you manage risk and add value to the strategy if you don’t have that lens?
“Consider what’s in the strategy that’s risky. When you understand what parts of the C-suite or the Executive team own it — the problem and the solution — then you can really contribute as a Risk Manager, an Uncertainty Manager. You let others solve but you actually assist the organization and you really then demonstrate value.”
Climb the decision hierarchy
“We need to think about how we climb the decision hierarchy. There will be winners and losers in any of the big decisions that have a residual impact on the Risk Manager. You may make a suggestion that isn’t taken up and your input into a particular decision fails. That doesn’t mean that you start to lose control of ultimately your role. You need to develop a postscript on strategic decisions; start to map the decisions that happen in your presence and do your own risk assessment. Did your involvement assist? And if so, sell it back to the CEO or the Executive about how uncertainty management assisted the decision.
“Use these wins to become part of the decision hierarchy. The more tangible wins, the more successful you will be in repositioning where risk management should sit. Use risk management as the validation process.
“If you have a risk appetite statement, check and see if the decisions reached by the Executive fell within the bookends of that appetite. This will start to build your risk management ‘brand’ internally.”
7 days, 7 actions
- Take the discussion about risk into every meeting
- Try and quantify the exposure you see — make it real and tangible
- Demonstrate the value of knowing — the opposite of ‘uncertainty’
- Forget ‘dragging people’ into risk assessments
- Apportion ownership correctly
- Collaborate to succeed — be the solution architect not the ribbon cutter
- Report the value of what you have designed — espouse the value at every opportunity to ensure it is embedded
What does success look like?
For Jason, the markers of success are when the decision process has been risk managed and every piece of information assessed contextually; when the Executive seek you out to make better decisions; when you make risk management about managing risk, not a compliance exercise alone.
Success also includes changing the perception of risk as a dark and dangerous space; ‘selling’ your professionalism as a business value-add. And when you call yourself the ‘Uncertainty Manager’ rather than the Risk Manager.
“Think about ‘where am I positioned? How am I promoting uncertainty as a valid, tangible output of the Executive? What’s the change process?’
“When there is ever any project or program around efficiencies, put your hand up and make sure that you are part of the team. Lobby your value and articulate it well.”
Watch the full ‘Making Risk Management Relevant to Executive Management’ webinar, available on demand.
Harness risk management technology to support business performance
Executive management within your organization can benefit from our best-in-class project and enterprise risk management solution, Active Risk Manager.