Risk management has evolved in an extraordinary fashion over the past 20 years. While we still see (and will continue to see) risk managers focused on more traditional tasks such as the management of financial risks, insurance buying, and health, safety and security, a new framework has emerged that emphasizes the importance of integrating the widest-ranging view of risks with the most comprehensive effort in assessing and addressing those risks. Popularly, this framework has come to be known as Enterprise Risk Management (ERM), a term we have adopted at the Opus College of Business, though a cautionary statement is in order here.
The growth of risk management has not been free of political influences since much is at stake for organizations, consultants, academics and other technical experts; thus, recent years have witnessed a kind of “capture the flag” competition, whereby ERM is variously defined through the lens of audit, finance, legal and security, among many perspectives. This is understandable, and to be fair, ERM does include these important perspectives; further, it has become a near-axiom that risk management will invariably take the shape (indeed, must take the shape) of the organization and the work it does. So, for example, financial risk management is going to be central to a bank; health, safety and security concerns will dominate a hospital’s attention.
Nevertheless, there is a bigger – more inclusive – defining idea that exists today. It sees ERM as an organization-specific effort that nevertheless exhibits the following characteristics:
- Risk management is explicitly connected to and informed by organizational strategy, governance and compliance expectations.
- Top management and boards have an express role in establishing an organizational policy toward risk and ensuring performance expectations are met.
- With the assistance of technical risk experts within the organization (insurance buyers, security managers, financial risk managers), all managers are risk managers within the scope of their responsibilities.
- While philosophically one might say that both the CEO and the chairman of the board share the title of chief risk officer, practicalities dictate that some individual of sufficiently elevated status has overall responsibility for leading, coordinating, educating, communicating and managing the organizationwide effort.
It is that “individual of sufficiently elevated status” who is the subject of interest to Copenhagen Business School and the Opus College of Business. Who is this person? From where does he or she come? What knowledge, skills and abilities are necessary to perform this role?
These questions are important for two reasons. First, while the answers may seem self-evident, early research has shown that they do not appear to be simple. Second, in certain business sectors (financial services, for example) regulations and other requirements have led to a situation where the demand for these individuals outstrips our ability to understand the specific requirements of the role and the types of individuals needed to succeed in these positions.
I have been actively engaged in the subject of risk management for more than 30 years, and in my work I have identified the aforementioned issues as increasingly important both to practitioners and academics. Professor Torben Juul Andersen of Copenhagen Business School has been involved in scholarly activity in this area for nearly as long. We both have determined that while a great deal of academic and practitioner research has looked at ERM, a number of critical gaps exist, primarily around the issue of the relationship of risk management to strategy, risk management to governance, and risk management to organizational culture and values. Central to this work is the question raised in an earlier paragraph: Who is that person who most effectively provides risk leadership?
In an effort to develop a structured inquiry into this question, the University of St. Thomas Blanch Risk Leadership Initiative was launched in 2012 to determine whether it is possible to fully describe the current state of affairs facing leaders of modern risk management practice and whether it is possible to determine the professional developmental needs of these individuals and others with whom they work. The work to be done is both academic in nature and practitioner in orientation – to critically examine the risk leadership phenomenon and to understand what professional developmental needs are (and will be) for risk leaders.
What is a Risk Leader?
The term “risk leader” has emerged in recent years to provide some differentiation between traditional risk managers (insurance buyers, for example) and those individuals who are now charged with carrying the widest range of risk management responsibilities within an organization. The term, admittedly, is not sharply defined – for example, the term might reasonably apply to anyone within an organization who takes on a role in addressing a risk that might not fall fully within the scope of that individual’s managerial responsibilities. It also has been used to address situations where multiple public organizations collaborate on common challenges. And finally, it is sometimes argued that only the CEO can be the true risk leader of an organization.
We adopt the term in this initiative to address a very practical problem: “that individual with the widest responsibility for the overall management of organizational risks” currently has many, many different titles; however, we do think that focusing on that individual will nevertheless provide insights into the various applications of the risk leadership concept.
To date, a survey has been conducted in the Twin Cities on current risk leadership issues and practices, and the results have served as the basis for three roundtable discussions. In parallel fashion, roundtable discussions have transpired in Denmark, discussions that have included top representatives of major Scandinavian firms. Results of these roundtables have led to the early framing of a research agenda and a plan for professional development activities, including a late-April visit to St. Thomas and major presentation on Scandinavian risk leadership perspectives by the senior strategic risk manager at Lego, Rico Ferrarese.
Read more from B. magazine