risk management who's job is it?

Risk Management, so who’s job is it anyway?

The significant learning point arising from the current pandemic is confirmation that the management of risk is not just a job for the Risk Manager.

Whilst professional advice from the Institute of Risk Management recognises the role of an administrative function, it also stresses the need for every manager to be involved in both identification of risk and the embedding of a risk management culture within their part of the organisation; through such commitment the effective identification of risk and its mitigation becomes part of everyday governance. 

The outcome of the spread of COVID 19 will inevitably lead to global recession and therefore it is correct to say there is a financial risk; however most organisations will have recognised that this reflects a measure of how well other risks were identified throughout the organisation and mitigated through a robust business continuity plan. Placing this in context, health-based organisations had carried sufficient Personal Protection Equipment (PPE) then paying over the odds after chasing such a scarce resource may have saved both effort and cost? This however is not the only example as a spectrum of enterprise wide risks will have also been recognised, some of which will have a long-lasting impact on the reputation of organisations including:-

  • Technology risk, including those related to working from home,
  • Health and Safety risks, including some reportable under RIDDOR legislation,
  • Supply chain risk,
  • Working capital and credit risk,
  • Clinical risk,
  • Academic standards risk, and
  • Customer relations risk.

It will therefore be interesting to see whether, perhaps when normality returns, advertisements for management positions reflect the need for the candidate to demonstrate an ability to successfully manage risk in their area. There is currently a ‘conveyor belt like’ series of risk management jobs being advertised of which the majority are focused upon the administrative co-ordination of risk throughout the organisation. On appointment perhaps their first task should be to ensure that an organisation-wide understanding of the risk appetite of the Board exists.

The success of this action is likely to be enhanced through the introduction of risk management software as this introduces a transparent risk template for managers to use and should convey an understanding of the risk impact definitions and risk matrix that the Board is working to and regarding which it requires report.

Risk Management software is likely to provide a model based on traditional three lines of defence theory, requiring therefore not only identification of principal risks but also the key mitigating controls and the available sources of assurance that are available to confirm to the Board that the residual risk assessment is accurate and that any business-critical risks have been brought to their attention.

No matter what the nature of the organisation it is therefore essential to introduce a balanced approach to risk management which recognises what the ‘killers’ are and how they are being handled by the Executive Management Team. The critical focus for every Board in future should therefore be what is on our risk horizon – this may be events emanating from the areas mentioned above but may also reflect wider risk scenarios including the potential for:

  • Flood risk,
  • Terrorism risk,
  • Insurance risk,
  • Currency risk, or 
  • Succession risk.

The watchword for most Boards therefore is to ensure that Directors don’t just skim the surface but that effective deep dive into individual risks or the occurrence of a series of risks is undertaken to test the resilience of business continuity plans using sensitivity analysis. 

This may be best done by ensuring that not only is the risk managers job specification correct but that all managers understanding the relevance to effective risk management, as this may be more relevant than managing their budget?