Enterprise Risk Management
Enterprise Risk Management
In a complex and fast-moving world, we can expect that the profile of risk management will continue to increase. Ian-Edward Stafrace and Dominic Fisher, President and Vice President of Malta Association of Risk Management (MARM), raise the curtain on the value that professional risk management can bring to the enterprise as a taster of the upcoming joint seminar being organised by MARM and MIA.
Whether it’s the amount of due diligence required to fulfil anti-money laundering obligations or the way in which audits are planned, nowadays everything seems to be driven by risk. The local financial regulator even mandates that banks and many other financial institutions must have a Risk function. Whilst there is a growing appreciation of the importance of risk, those charged with governance often seek meaningful guidance on the people, tools and techniques which are needed to help deliver effective risk management that provides added value across the enterprise beyond compliance.
What does it take to be a professional risk manager? As you are reading this, MARM’s educational sub-committee should be putting the finishing touches to a document on the core competencies of a professional risk manager, which is intended to answer this exact question.
The main body of this document comprises a description of the key roles of the risk manager, the required competencies associated with these roles and the ways in which an individual can demonstrate these competencies. Before tackling these issues, we felt it was important to set the scene by tackling a few common misconceptions.
Risk Management Misconceptions
Above the player’s entrance to Wimbledon’s Centre Court is inscribed a quote from the poet Rudyard Kipling ‘If you can meet with Triumph and Disaster, and treat those two impostors just the same’. Interestingly, neither the origin nor the current usage of the word ‘risk’ is so ambivalent. The word ‘risk’ is derived from the Arabic word ‘rizq’, also the origin of the Maltese word ‘risq’, which meant god-given blessings, a very positive connotation. On the other hand, the way in which risk is commonly understood today is the chance of an adverse consequence. Risk as defined by ISO 31000, a leading risk framework, is ‘the effect of uncertainty on objectives’. As with the quote from the tennis stadium, this definition of risk is completely neutral between potential upsides and downsides. If a potential missed opportunity has similar characteristics in terms of impact as a downside hazard, a professional risk manager should be unbiased between the two.
The ‘Darwin Awards’ have become synonymous with recognising people engaging in reckless self-endangerment, with the overall purpose of giving the rest of us somebody to laugh at. This is where we touch on another common misunderstanding arising around the role of the risk manager. Instinctively, people understand that risk management is something we are doing all the time, if only to avoid a Darwin Award. Indeed, we should be managing risk all the time. The ‘Three Lines of Defence’ model, which was proposed by the Institute of Internal Auditors, but has also been endorsed by leading risk management bodies, demands that the primary responsibility for risk management should reside with front-line operational staff. So what’s so special about a risk manager? The role of a professional risk manager in the second line of defence is to assist in the management of risk across the entire organisation (and even beyond). This overarching responsibility should be achieved holistically, maintaining a suitable degree of distance and independence from any particular department or stakeholder.
The Role Of A Risk Manager
A person’s view of a risk management professional is often coloured, or possibly clouded, by the sector in which we work. A person holding the title of risk manager in a bank may have special focus on quantitative risks such as market and credit risks, whereas a risk manager in a construction setting is likely to have safety as their over-riding objective. In putting together our document we tried to describe the skills required to undertake professional enterprise risk management within any type of organisation. Sector specific requirements are supplementary.
That being said, let’s get down to how in our latest draft paper we define the roles of the risk manager and the associated competencies. We started by looking at the process of risk management itself. ISO 31000 provides useful guidance in this regard, stipulating what are known as the 7 Rs of risk management. These are as follows.
- Recognition or Identification of Risk
- Ranking or Evaluation of Risk
- Responding to Significant Risks
- Resourcing Controls
- Reaction Planning
- Reporting & Monitoring Risk Performance
- Reviewing The Risk Framework
Drawing inspiration from the categories employed in a risk reference tool produced by the French Risk Management Association (AMRAE), we mapped the above into the following four roles.
- Defining & Redefining The Risk Framework
- Risk Assessment, which covers identification and evaluation
- Risk Response, which covers items three to five from the above list &
- Risk Monitoring and Reporting
To the above roles we added managing risk culture, as we considered this to be an important aspect of ensuring effective overall risk management across the whole of the enterprise.
Once again building on AMRAE’s risk reference tool, we compiled a list of the tasks and likely associated requirements with each role. To a greater or lesser degree a host of soft skills are all needed to be recognised as a professional risk manager. Further we found that these soft skills need to be complemented by a certain level of technical knowledge. How can a risk manager define a suitable risk framework without an understanding of some? How can a risk manager help to determine suitable risk responses without an excellent understanding of the choices?
These competencies can be demonstrated by way of qualifications which give credit for both experience and knowledge. In this regard, we have taken the Federation of European Risk Management Association’s (FERMA’s) remap professional risk management certification as our benchmark, but have recognised the value of other qualifications and experience.
We hope that the document will be of use for employers, regulators and those wishing to build a career in risk management.
On the morning of Thursday 28th September, MARM will be co-hosting an event together with Malta Institute of Accountants focused on Enterprise Risk Management. This event will bring together experts to expand on this subject with a special focus on topics likely to be of interest to accountants, whether they are in industry or in the profession. See you there!