Dr Lynn T Drennan, Head, Division of Risk, Caledonian Business School, Glasgow Caledonian University:
In thinking about the key qualities which European risk managers will need in the future, we should first look to the past. Where have we come from, and how did we get to where we are today? Changes in the content and delivery of the risk management programmes at Glasgow Caledonian University (GCU), over the past 22 years reflect the shifting needs of the industry, and may provide some of the answers.
When I joined GCU in 1987, the BA degree in risk management was still in its infancy. The programme of study was heavily weighted in favour of physical, and largely insurable, risks. Students were taught how to conduct HAZOPs, create flowcharts and fault trees, and carry out surveys of industrial premises. Studying insurance policy wordings, underwriting and claims was a significant feature. At the same time, considerable emphasis was put on developing what were then known as 'personal transferable skills', such as oral presentation, report-writing, teamwork, time management, searching skills and data analysis.
More than 20 years on, only the latter element carries the weight it has always deserved. The embedding of 'soft skills' development within the academic subjects studied in the risk management degree, with a clear progression in the development of those skills over the three or four years of the programme, is more firmly entrenched than ever. While risk identification and analysis techniques (as a vital component of the risk management process) are still taught, an increasing awareness of, and ability to use, specialised risk software is now considered vital. At the same time, knowledge of insurance is delivered as part of a wider 'risk retention and transfer' subject, signifying the change in attitudes to traditional risk financing mechanisms and the embracing of more innovative means of financing residual risk.
The focus of study has altered considerably over the past five to 10 years, with much greater emphasis now placed on the non-physical, non-insurable aspects of organisational risk management. One of the major influences has been the various UK corporate governance guidelines, which have placed risk management firmly on boards' agenda. They have highlighted the individual and collective responsibilities of directors in ensuring that all the business risks are managed effectively, and that robust systems of internal control are put in place.
This emphasis on board-level, strategic risk management requires an integrated and enterprise-wide approach, for the intangible risks associated with corporate behaviour, corporate social responsibility and business ethics must be addressed.
So, the risk manager of today needs to have excellent communication, team-working and analytical skills. There also needs to be commitment to continuing professional development in the field, both informally and formally. Informally, this can be achieved through keeping up-to-date with relevant legislation, and codes of conduct and by attending seminars and conferences.
More formally, personal development can be demonstrated through the achievement of high-level professional or academic qualifications in risk management.
In the UK, the main provider of professional qualifications is the Institute of Risk Management, whose recently re-vamped syllabus includes a broader range of risk management specialist subjects. Alternatively, a number of universities offer postgraduate programmes, designed for part-time study.
Now in its second year of delivery, the GCU Masters' programme adds to the debate on 'who is a risk manager?' It is obvious, from the current cohort of around 60 students, that a risk manager is anyone who is responsible for managing risk in their particular department or organisation. Managers in the public, private and not-for-profit sectors, engineers, consultants, health sector employees, as well as risk managers in local authorities and major industrial companies, are enrolled on a programme which has a strategic risk management focus, and thereby strikes at the heart of every organisation.
The management of risk is now a fundamental part of board responsibilities.
Those involved in risk management at a more operational level need not only to be aware of the strategic implications of any potential threats within their areas of operation, but to be able to communicate them at the highest level. Knowledge, networking, a strategic focus, and the continuous development of the softer skills of communication and persuasion are essential if the risks of the future are to be effectively managed.
Professor Jean-Paul Louisot, Universite Paris 1 - Pantheon Sorbonne Chair Curriculum Committee - CARM - Institute, Sarl:
The question of training and educating risk managers was daunting enough for the first generation of professional association executives in the sixties. It has become even more so in the last 15 years, as it has expanded to providing a risk management education to all professionals and managers.
For a long time, no one seemed to be concerned with risks and hazards within organisations: there was a structural limbo. Not any more. Now, paradoxically, there seem to be too many candidates for the ownership of the risk management process.
Over the last decade, risk management has experienced a real fragmentation.
This fragmentation requires all risk managers, or aspiring risk managers, to familiarise themselves with a totally revised check board. The risks to be diagnosed and mitigated have expanded to include:
- Environment issues, sustainable development
- Precaution principle with its legal and commercial implications
- Procurement and the logistics chain (made more vulnerable with the 'just in time approach')
- Legal risk management
- Safety, security and terrorism
- Reputation
- Crisis management
- Ethics and corporate governance.
In this new cacophony, there is no way that the risk manager can be a soloist, focusing on his insurance role. On the contrary, his best bet is to learn to be the concert master who gives the note to all players in the orchestra and helps each of them understand and interpret their part in harmony.
Under these new circumstances, new skills will be required of the risk management professional. They include an extended knowledge of the field of management and strategic processes, as well as communication skills and the art of convincing others. To be efficient, the new risk manager must show outstanding leadership.
Some American companies have recognised the need to offer an office in the executive suite to this new risk manager. They even have forged a name for this extended mission, that of chief risk officer or CRO, to stand alongside the administrative, the finance, the production, the marketing, the personnel and the information heads.
In the 1980s, the question among risk management professionals was whether the risk management specialist would be part of the executive team. The answer is now a resounding yes. The level of the issues involved in managing any organisation, private or public, make it vital for them to hedge their risks in a world where there are ever more uncertainties and a public less willing to accept their consequences. The network economy is vulnerable to a domino effect, and mitigating risks is thus a strategic issue.
Who in the boardroom has the skills required to take all risks, favourable and unfavourable, into account in the global effort to define and implement a long term sustainable strategy? Knowing how to segregate rewards and potential penalties is a basic skill of risk management professionals.
All that they have to learn is to use them in a much broader picture, to master a management of risk that could be called integrated, global or holistic.
In this new context, crises are not accidents any more, but phases of natural growth to be dealt with. In a constantly changing environment, executives must learn to cope with surprises. Managing risk is then only a component in the implementation of a strategy of ruptures.
Why spend time finding a title for the function, CRO, which is fine in the US, but whose European equivalents are legion? The true question is whether the risk managers of today will display the resources to remain or become the director of risks in their organisation. Their understanding of the world of risks and of strategies to mitigate them is their trump card as they face increasing competition from an auditing world in search of new fields. Their creativity in unexpected waters will be vital, as the auditing process is by nature comparative rather than creative.
Gianluigi Lucietto, Scientific Committee, Director, Academic Risk Management Association, Italy:
Credit risk, default, fire, interest rate, reputational damage, market risk, continuity plans, insurance plans, liquidity, terrorism, sabotage, regulation/deregulation, epidemic risk, counterpart risk, devaluation, flood, unrest, business interruption, recall, contingency plan, civil action, mergers and acquisitions, hacking, moral hazards, explosions, risk assessment, loss, bankruptcy, complaints, impact, catastrophes ...
Nowadays all our libraries provide books that describe, group and explain from many different points of view all of these risks and situations.
In our universities you can find specific training courses for each risk.
The need is to have a new tool, a new knowledge that allows enterprise risk management co-ordination. And it is a matter of enterprise risk management co-ordination rather than simply risk management, because my long and incomplete list does not indicate the set of risks related to different operational activities, but simply the risks that every enterprise has.
They are synonymous with negative consequences and threaten the business continuity.
These are the reasons why the enterprise must change its mentality and the way in which it has done business up to the present. There should be no more managers who are over-specialised on risk analysis and the treatment of a single aspect of risk, but managers who are able to work in a team with the will to put their knowledge in a new perspective by studying impact correlation in all the enterprise's sectors, between the business lines and business units and between the functions and operations, all with the aim of safeguarding the enterprise's activities and where possible gaining advantages.
These advantages are attainable only through a common and integrated risk management and by the discovery of correlation between the aspects of risks and related opportunities.
The borderline between enterprise strategy and risk is not so defined as it was in the past. Top management were focused on doing business and making maximum profit, and the risk manager would be called on to take action when something did not go as planned.
Nowadays, there is a definite distinction between the risk manager and the financial risk manager; the former focuses on pure risk and the second on speculative risk - but it is difficult to find an enterprise risk manager.
The enterprise risk manager is a manager whose aim is to merge risk and strategy together to obtain a competitive advantage to reach the enterprise's objectives in safety.
Combining a strategic risk management approach with business management allows senior management to have a view of major risk across the organisation.
This helps them view risk as a part of their planning and resources allocation.
It has the advantage of viewing the integrated effect of risk on business, of improving capital allocation, reducing earning volatility and sometimes obtaining lower costs.
The silo approach belongs to the past. It is clear now that the gap between risk management and business management must be closed to create stable development for the enterprise. Enterprise risk management is not a revolution, but a natural evolution in the art of managing risk.