People have been predicting for years that risk management will step from its back-office nook and into the leadership sphere.
By Sean Pyott, MD of thryve
This prediction gained some traction at the start of this century with integrated risk management (IRM) and Governance, Regulation & Compliance (GRC) technology systems offering greater integration with business systems.
Technically, these were first called GRC, and later the IRM label was added, but let’s not split hairs. At the start of the 2000s, risk management seemed bound for a much more significant role. From here we can argue for two schools of thought. One can say that risk management then slowly grew and matured, embedding itself more strategically in business. The other argues that little changed. In the most disparaging examples, the majority of risk managers are treated as little more than insurance buyers.
I think both are right. There has certainly been progress both in terms of technology and events. Risk management technologies evolved quickly, using cloud platforms and APIs to create real integration with company resources. At the cutting edge, you find systems that streamline evidence gathering, risk data and divergent questionnaires without burdening employees.
Events also nudged risk management into the spotlight, such as the 2008 financial crisis and, more recently, the rising threats of cybercrime. These helped build a growing view that maybe risk management should be a little closer to the strategic side of a business.
But only a little. Even a few years ago, many risk managers were largely just treated as glorified brokers. The profession wasn’t attracting a lot of people, risk management courses were far and few between, and even most business degrees didn’t require risk management as part of their studies. Technology was helping make up for those deficiencies. By automating risk data collection and pushing ad hoc reporting, the risk manager had more power in their hands and more to show their bosses.
Yet the bosses and business cultures remained distant. Then Covid-19 happened.
There is little doubt that the pandemic – a disastrous yet very predictable event – gave risk management the push it needed. According to Bloomberg, practically all the barriers I mentioned earlier are shifting. Boards and executives are now listening.
Risk managers are feeling the new prominence (and pressure) of their raised profiles. Even risk management education has expanded, and many business degrees have started adding risk management to their curriculums.
This is risk management’s time to shine. But organic growth driven by pandemic panic will only take it so far. While the opportunity is there, risk managers should think of doing the following:
Socialise: Take executives out to lunch and learn about their challenges. Then find a solution to those.
Report often: Generate reports several times a year to keep stakeholders in the loop of the risks they face.
Invest in technology: Use a GRC service that can be launched with a small footprint, generate ad hoc reports, automate data gathering, and more.
Collaborate: Risk management touches many parts of the business, from finance to legal to third parties such as insurers – creating collaboration with these will reinforce risk management’s purpose.
Be qualified: It’s a tragic consequence of risk management’s neglect that many risk managers don’t have formal degrees in the discipline – this is the time to change that if you don’t have the qualifications yet.
Beyond compliance: Many companies only have risk management because compliance requires it – but good risk management can be strategic, so look for opportunities to demonstrate that.
This advice is not new. In fact, I lifted it from this 2013 article. Yet Covid-19 has changed what risk management represents in many people’s minds. Risk managers can rise to the challenge. The way to the top is open, and the above steps will help you get there.
So don’t wait for another disaster to strike. The risk manager is hot stuff right now – it’s time to step things up.