Here is the latest white paper from KPMG called The Business Case for a Risk Executive: Leading Efforts to Avoid Surprises, Maneuver through Challenges, and Add Value. (See link below.)
Big title. Fortunately, the paper is only 12 pages in length when you include the canned metaphorical Getty images of the guy looking through binoculars and “business people” talking seriously in the hall. But I digress.
The paper summarizes what many risk practitioners already knew: before the recent economic crisis, what people thought was risk management was nothing but compliance, risk identification or audit and not the strategic tool enterprise risk management was intended to be.
Report reads: “… many organizations saw that they lack an integrated process for managing both emerging and high impact/low probability risks. They fight fires effectively after risk events occur, but have yet to focus on the future, anticipate potential scenarios, and consider how the organization should prevent or prepare for these risk events.”
Riskczar’s translation: they were doing nothing.
Some more revelations about organizations and their existing risk management from the report:
- They were not managing their strategic risks
- They did not identify, define and assign owners to their risks
- They did not define their appetite for risk enterprise wide
- They lacked a risk management champion with the authority to report risk across the organization
Riskczar’s translation: they were doing nothing.
The rest of the paper is quite good at explaining the need for a risk executive (RE). They break the silos of risk management, taking a holistic and strategic view of risk. A good RE makes sure that the President has no blind spots too. The risk executive idea is not a new idea either. (To learn more about this, read about the Chief Monitoring Officer in the book “Heads Up” by Kenneth McGee which is on my list of recommended books.)
I can speak to the need for a senior risk role first hand from two perspective: I was accountable for building an ERM program for a large Canadian financial organization. And while the UK parent was keen about making ERM a systematic capability, there was little local management buy-in for the risk management process. Making my job more challenging, from a roles and responsibility perspective, I sat under the Head of Risk and Audit (ya, that’s right), who reported to the CFO. This structure did not work at all as the risk role was buried too far down the org chart.
On the flip side, the best job I ever had, from an org structure perspective, was when I had risk management oversight over the institutional equity trading business at HSBC Securities, about 10 years ago. I was hired by then CEO, Richard Nesbitt, currently the CEO of CIBC World Markets. Although my role was junior to CFO, COO and other VPs at the firm, I reported directly to Richard. My mandate was clear and I had his full support. His door was always open and as he put it, as long he didn’t see me, he knew I was doing my job.
Finally, for those of you in human resources looking to describe the skills requirements for this job, have a look at this KPMG report too. They explain that a risk executive must be a strategic thinker, project manager, facilitator, have deep industry and institutional knowledge (i.e., about the organization), and be an independent thinker who can gain the “confidence of the C-suite”.
Riskczar’s translation: that’s me!
Have a look at the white paper from KPMG or by clicking on the link below.
(Link was removed)