Why is risk management important to your organisation?
Simply put, risk management is important to my organisation (Blue Zoo) because it is what we are passionate about and get out of bed for, it is what we excel at, and what our customers rely on us for. Being able to lead the integration of risk into the vast array of different organisations and business models we encounter is a great challenge. For the organisations that we assist, over time the indicators of the importance of risk to their activities really start to stand out. In particular, the changes to how decisions are being made, the mind-set of individuals and the business value become noticeable.
Of all the categories risks can fall into which one is your number one priority?
I have a personal focus on resilience related risk which I find is so often poorly understood and taken into consideration. Organisations generally have a pretty good handle on areas like financial risk, health and safety, regulatory and legal, etc. In extreme cases these are the kinds of risks that if not managed properly can see directors facing jail sentences. Not surprisingly then they get a lot of focus and mature faster than other areas.
On the other hand, organisational resilience is often underestimated, or the value of business continuity plans as a control overestimated. Certain industries with large capital intensive assets and critical infrastructure, such as utilities, are typically very good in this area, as you would expect. But on the whole, a change in understanding of resilience risk at the top is needed. A telling quote from a survey conducted by a business continuity professional association a couple of years ago highlights some of the challenges with thinking about resilience risks: “After the 2011 tsunami 337 companies went bankrupt and yet only 46 were located in the region; the rest went bankrupt as a result of the impacts of this major disruption on their supply chains.”
What are the emerging risks organisations need to be keeping an eye on?
A couple of areas that are worth keeping an eye on are:
Strategy – with profound technology advances and new ways of accessing capital like crowd sourcing, the number of ‘big bang’ disruptors wiping out mature products is increasing and product life cycles seem to be getting shorter. Risks associated with strategy, protecting core competencies from imitation and being able to foresee the point of inflection where the market materially shifts without getting left behind, are being realised more often than any other time in history.
The second for me is cyber security, although it is not an emerging risk. The risk has been front of mind for well over a decade, but in my experience senior management hasn’t really grasped the threat and the required control strategies. The misconception that building a fortress-like perimeter, and leaving a soft and chewy inside, addresses the risk is starting to be dispelled and overcome on a much broader scale than ever before. People-centric rather than control-centric risk strategies are coming to the fore.
Are there any risks that have become redundant to organisations operating today?
I wouldn’t say that any risks have become redundant but there is no doubt organisations have matured in some areas more than others through experience, continuous improvement, regulation, etc., or have transferred the risks to third parties in ways such as adopting cloud computing. At the end of the day the risk profile changes but I’m a bit more cautious about saying risks are redundant.
What factors do you consider when evaluating risks?
Accuracy, and application of the right technique to the right situation to achieve it. Poor management decisions result from inconsistent and non-objective assessment of risk. Everyone has their own risk appetite that is shaped by their life and values, and the key is being able to consistently evaluate risk against the organisation’s defined appetite and context. When reviewing the risk profile and risk records of an organisation, I will always look very closely at consistency of evaluation and perception (between like risks, different business units, different organisational levels, etc.).
What is the most difficult thing about your role?
In my role as a Principal Advisor charged with building and improving enterprise risk management practices for many large multinational clients, the most difficult aspect is tailoring practices to differing operations. In effect I’m afforded the opportunity to perform varying aspects of the CRO role for organisations that operate materially different business models in different industries, with their own values, behaviours, structures, levels of risk governance maturity, and risk appetites. To be effective requires ‘deep diving’ into how the organisation works, and a lot of active listening without preconception so that the outcome is ‘fit for business’.
How do you make sure the risk management process is working as you expect?
I tend to focus heavily on diagnostics of the risk culture as the key to whether the process is working as expected. Is the organisation taking the right risks, i.e. are we communicating the risk appetite well to all levels of the organisation? Is there a common risk management spirit and shared behaviours? Is the tone being set at the top, i.e. do leadership behaviours support and encourage risk taking? If these indicators are right then, generally speaking, the process should be working well.
Why is the role of a CRO important in companies?
In my opinion it is all about getting the risk governance architecture right, and then more importantly creating a risk culture that fits the company and is integrated with its values. Risk isn’t one size fits all and the CRO needs to champion getting this architecture right and engrained above all else.
What makes an effective CRO?
I think the measure of a truly successful CRO is when they have established risk practices at a level of maturity such that the CRO is in a position to focus the majority of their time on emerging risks, i.e. the governance architecture is right and risk is enshrined in the culture. Early detection, prevention, continuous improvement and communication are engrained competencies, and the CRO has enough influence and respect to fight the inertia against risk mitigation strategies like organisational resilience investment.