The structure of roles and responsibilities for enterprise risk management is still far from settled in most companies. The lines of defense model places operational managers on the frontline as the most knowledgeable and capable of identifying and managing specific ongoing risks, but there is less certainty in how other roles are playing out in practice.
Risk managers in particular have less clarity as they settle into elevated enterprise roles. They have a responsibility to educate and support the frontline managers on the one hand, and to inform and engage the board on the other. In practice, some are mired in a checkbox world, struggling to differentiate their value from that of compliance officers. Others stay solely within the confines of managing the policy portfolio for insurable risks.
It may just take some time to crystallize their distinct enterprise role as risk management strategies progress, or perhaps the skill requirements for enterprise risk managers have fundamentally changed.
That may be a strange statement to make for a relatively young profession. Skill requirements are certain to change as the risk management function evolves. However, two trends encumber the enterprise risk management profession: (1) the historical focus of the role, and (2) the vastly changing dynamics of emerging risks today.
Settling into a Comfort Zone of Known Risks
David Druml of Enterprise Risk Specialists provides an insightful ERM history highlighting the narrow path taken by risk managers focusing on insurable “pure risks” rather than the broader risk management perspective first outlined by Robert Mehr and Bob Hedges in their 1963 book “Risk Management in the Business Enterprise.” While risk managers developed standard tools and expertise for the narrow set of known pure risks, financial managers developed a separate set of tools to address the financial risks prevalent in the 1970s.
Similarly, other significant enterprise risks spawned unique expertise and means of assessing specific risk categories (e.g. information technology risks, geopolitical risks, reputation risks, model risks, etc.). Now, as risk management trends bend back toward an integrated risk perspective for more efficient management across the enterprise risk portfolio, are risk managers up to the task?
Turning to the Next Ideal Enterprise Risk Manager
The criteria for a successful enterprise risk manager are unique to each company depending mostly on company size, industry, and geographic location.
In startups and small companies, a CEO may rely on his own broad business skills, supplemented with support from insurance agents, brokers, or risk consultants, to address known risks. In certain industries where risk management is a core business value delivered to customers, risk professionals well-versed in the business model are necessary even in small companies (e.g. financial risk experts in financial management, engineers in construction, IT security experts in cloud computing companies, etc.).
Once companies reach a mid-size stage, however, the enterprise risk manager should have broad business knowledge and skill sets to both (1) help set risk management standards for first line risk managers across business functions, and (2) communicate the top and emerging risk concerns to the board. Any risk managers still focusing purely on insurance policies or regulatory compliance will miss the opportunity to play a more vital role in guiding risk-aware corporate strategies and enhancing organizational value.
The first wave of enterprise risk managers generally rose from the insurance sector, financial sector/corporate treasury roles, and engineering while creatively extending risk management perspectives based on their personal experiences. Highly lauded risk manager Hans Laessoe notes that, with an engineering background, he had to Google “strategic risk management” when Lego asked him to address the long-term challenges the company faced.
Experience in underwriting, insurance brokerage, financial management, and auditing provided the basic skills for many of today’s enterprise risk managers as they expanded their corporate roles, but Chartered Financial Analysts (CFAs) and Financial Risk Managers (FRMs) often suggest an educational background more strictly focused on mathematics may be better preparation for implementing creative risk analysis across the multiple risk sources for an enterprise today. The Society of Actuaries established the Chartered Enterprise Risk Actuary (CERA) program in 2007 for this purpose. The CERA Global Association now oversees the CERA certification standards and has credentialed over 3,000 individuals globally.
While various educational backgrounds and risk management certifications may provide some of the tools for analyzing risk factors, risk managers need hands-on experience to unlock the creativity necessary to integrate enterprise risk analysis. A review of seventy enterprise risk management job offerings on LinkedIn (see word cloud) reveals business process knowledge and an average of at least five years of experience are common requirements. Certifications, with most mentions of CRMA, CISA, and CPA, are required for fewer than a dozen of the positions.
Airmic sounded the warning to the risk management profession at its annual conference this week as it released the findings of a recent survey of insurance and risk managers. New business models are necessary to move beyond conventional risk management approaches that protect physical assets. The intangible value of S&P 500 corporations has grown from 17 percent forty years ago to 84 percent today. Three-quarters of the survey respondents believe the risk management profession must undergo significant change to address today's organizational challenges.
Airmic’s chairman, Clive Clarke, noted that a deeper understanding of digital trends is now necessary in the profession and warned:
“The type of skills required of a risk manager in ten years’ time will therefore be quite different to the skillset of the 40 and 50 somethings running the industry today. We need to adapt as a profession and open the door to graduates or we will be facing a huge gap in knowledge and experience.”
The insurance sector recognizes the need to address intangible assets and emerging risks critical for companies moving forward. Can the rising enterprise risk managers lead this more holistic vision for risk strategy within their organization rather than merely follow the trends of new insurance products and services offered by external vendors?
The successful risk managers of tomorrow will likely require a mixture of a mathematical mindset, knowledge to leverage AI tools, experienced insights into business operations, good communication skills, and creativity. Lots and lots of creativity.