The traditional role of the risk manager is evolving

As banks struggle with the sour fruits of financial risk management, corporate risk managers are reasserting the value of traditional approaches to managing risk, raising new questions for insurers and brokers.

Corporate risk management was historically linked with insurable risks, if not with insurance itself, and lacked the heady excitement of making lots of money and the intellectual challenge of higher mathematics that were the preserve of financial risk management. US economist Harry Markowitz, who developed the theory of the efficient frontier of risk and return in a portfolio of securities, for example, received a Nobel Prize.

But the traditional role of risk manager has been evolving. Compliance has become an important factor, as corporate governance measures, such as the UK’s Combined Code and the US Sarbanes-Oxley Act have focused companies’ minds on their responsibility to avoid nasty surprises for investors. Pressure has developed for a senior risk professional or even a chief risk officer (CRO) to sit on the board, or at least to report directly to it.

The rise of the CRO

The position of CRO became more common once the Basel Accord on banking security, the Sarbanes-Oxley Act and the UK’s Turnbull Report provided guidance on internal control. The first adopters were sectors whose businesses centre on risk: financial institutions, investment houses and insurers, where the role of the CRO is effectively an operational one, as well as data-heavy industries, such as energy companies and utilities.

The C-suite seemed to beckon. In his 2003 book Enterprise Risk Management – From Incentives to Controls, James Lam comments: “The trend towards enterprise risk management (ERM) and the appointment of CROs has created an exciting career path and attractive compensation opportunities for risk professionals.”

CRO positions, however, remain concentrated in their original industries, and Peter den Dekker, current president of the Federation of European Risk Management Associations (FERMA), is rather sceptical of their value, especially outside financial services. “The CRO is not a specialist in risk management, but is basically the person on the board who holds that title for two main reasons. One is to satisfy the shareholders that the company is taking risk management seriously.

“Secondly, it is the position that oversees all risk management activities below the board, but this is not a guarantee that the company has enterprise-wide risk management. For that, it is essential to have a team that works together; otherwise the company will work in silos.”

Den Dekker also questions the value of a boardroom position in relation to effective risk management itself. He makes the point that if a CRO is a member of the board, he or she will be part of the decision-making process for the whole company. In a public company, the board may feel under pressure to perform from quarter to quarter and from day to day in its trading results. “The risk manager needs to be an independent thinker,” he says, “someone who is able to express themselves independently.”

Value of insurance

Den Dekker argues that insurance is a medium through which the true risk manager can break down the barriers to communication about risks in the organisation. “If the risk manager is doing the job properly, he or she will already be involved in many risk areas of the company, so their thinking is going to be well grounded, and they will grow into a broader enterprise risk management position. They are usually good communicators and because they need to be aware of operational risks, they visit everyone and everyone knows them.”

Meanwhile, Oliver Wyman president and chief executive John Drzik highlights the limits of quantitative modelling as part of corporate risk management. “You can build much more sophisticated models where there’s lots of data to work with. That doesn’t mean you’re focusing on the biggest problems that firms face, because those are where you have thin data sets and often have to make judgment calls,” he said during a Wharton School of Business roundtable.

Modelling commodity prices, for example, for which there is plenty of data, may be less useful than monitoring political risks, which are often insurable, such as the seizure by the Venezuelan government of a rice processing plant belonging to the US giant Cargill in March 2009.

A profession in its own right

The diverse and diffuse nature of general risk management may make its value more difficult to grasp. Harry Daugird, a member of the board of the German risk management association BFV, and president of Komposit Risk Consultants and Insurance Brokers, says risk management is still not clearly defined and so it has not been able to make the impact its advocates would like.

“Our core competence is the management of insurable risk. It is very important to the business, and we should be satisfied if we do this job in a successful way,” Daugird states.

The way the Institute of Risk Management (IRM) has developed its educational offerings in recent years is an indication of the growing importance that companies are placing on risk management. IRM has been very successful with its basic course in risk management, the Certificate in Risk Management. More recently, it has made the syllabus of the Certificate and its post-graduate qualification, the Diploma in Risk Management, increasingly international.

Steve Fowler, the IRM’s chief executive, argues that risk management needs to be a profession in its own right, with an over-arching body of knowledge about the subject. “I believe professionalism to be really important for risk management to have a future. There is no other option. Otherwise, it becomes vague and applies to all sorts of jobs. My current concern is where we have a lot of people who call themselves risk managers, but have no education in the subject to differentiate themselves.”

In the same way as there are corporate, criminal and family lawyers within the legal profession, so Fowler believes there will be a number of different roles within risk management. “Some risk managers will have a broad perspective and ability, while we will also have people who specialise in different areas of risk, such as insurance managers, corporate responsibility or IT security.”

Prudent regimes like Solvency II make the CRO role almost essential for financial companies, according to den Dekker but, depending on the type of company, he sees the risk manager role as increasingly important. He views this as someone who understands operational risk; an intelligent person who can get the operating companies to talk to each other and come up with a report for senior management.

“I see the natural progression of a risk manager toward an enterprise risk management role, more than one of a chief risk officer.” How effective the person is, he says, depends on the ways they sell themselves within the company. “The person needs to be a facilitator, rather than a frustrator.” IT

This article originally appeared in our sister title StrategicRISK,