Risk and the effective manager

January 14, 2015

If you are to be an effective manager and achieve your objectives, you need to be able to manage the risks to the achievement of your objectives. There can be no question about that.

Yet, many organizations separate the risk management function from operating management and designate a chief risk officer as responsible for the management of risk. Their boards establish a risk committee and have separate discussions about strategy, performance, forecasts, and risk.

Sorry, but this is nonsense.

The only risks we should worry about are those that might affect the achievement of objectives (and it doesn’t matter whether you prefer COSO or ISO; both sets of guidance say this).

The setting and execution of strategy and objectives and the consideration and management of risk go hand-in-hand.

The people who should own risk are the people who own performance and the achievement of objectives.

So, why do we talk about risk managers and a risk management function when the people who own and manage risk are in operating management?

Is it time to recognize that risk management should not be a separate profession but an essential element in effective management? Should we not establish risk managers as subject matter experts who are not there to own risk, but to advise and help those who do own risk?

I welcome your comments.

  1. John
    January 14, 2015 at 5:30 AM

    In performing our periodic risk assessments in a large teaching hospital I observe time and time again that our managers do their job day in and day out, but really are very, very lacking about risks and their responsibilities. First question we ask – what are the top 3 risks to your department/area? Most struggle with the question. They do their job well and manage, but are really lacking the bigger picture. We get a lot of blank stares and pauses on the question about what prevents you from achieving the organization’s strategic objectives? More like “what strategic objectives”? I think we are missing a big opportunity in not educating/training managers.

  2. Ray Purcell
    January 14, 2015 at 5:30 AM

    “Should we not establish risk managers as subject matter experts who are not there to own risk, but to advise and help those who do own risk?”

    I think this is exactly what a risk management function should be doing, and as part of providing expert advice, I would expect them to establish processes that enable senior management to have effective oversight of the most serious or emerging risks. As you say, ownership of risk, and the responsibility to manage a risk, must belong to the leaders who own the specific objectives to which the risks relate. This responsibility should not be delegated to risk specialists.

    While the risk management function should coordinate risk identification and should organize the top-level risk assessment effort, risk identification and assessment activities need to be part of the job description for managers throughout the organization, and not only at the top, in any organization that is serious about achieving its objectives in a world of change and uncertainty.

  3. Constantinos Tsolakkis
    January 14, 2015 at 5:37 AM

    Excellent article Norman, keep reminding everyone, especially bankers.

  4. Anand Varma
    January 14, 2015 at 5:47 AM

    A firm’s risk management (RM) team anticipates how unexpected events could affect the business performance, and allocates resources so that the firm remains solvent in the worst scenario. However, in practice, performance managers (PM) know little of RM and need RM specialists to help them (PM) identify, assess and manage risk. While the PM team would have to own various risks, risk managers necessarily bring in their specialized and hi-tech knowledge of how risk should be managed. With due respect to the author for his deep expertise on risk, it won’t be right to say that risk management is part of performance management. Risk management will always remain a separate specialized area, and line managers will always need to rely on risk managers for formulation of risk policies and a risk management plan. Both need to act coherently to achieve the business strategy.

  5. Constantinos Tsolakkis
    January 14, 2015 at 6:06 AM

    My experience tells me that CROs are those responsible for the financial crisis. Their independence is in doubt as they cooperate closely with CEOs and they do not dare to tell the truth to the Board Risk Committee in front of the CEOs.

    Directors should interrogate CEOs and CROs on the risk culture and risk management processes.

  6. January 14, 2015 at 6:57 AM

    Just skip the ranting here and there of https://maverisk.wordpress.com/2013/11/14/ihrm/ … comparing RM to HR; there, too, it’s ‘first line’ management that does the actual performance evaluations, not some second line. The support is there for coordination (of standardization, if not when you’d need that) and methodology/tool supply.
    So, a full Yes to integration.

  7. January 14, 2015 at 10:19 AM

    The problem is that most management feel that they effectively manage risk already, so have additional risk advisors in the organization? It requires a mindset change from senior management to incorporate appropriate risk management behaviour with all of the leaders charged with meeting objectives.

    CROs do not OWN any risk – any CRO who believes that is delusional. CROs play a vital role in facilitating and elevating the risk discussion with management so that their actions are aligned with meeting continued and changing objectives.

  8. Jesus Levy
    January 14, 2015 at 2:12 PM

    Absolutely agree……

  9. January 14, 2015 at 6:37 PM

    Anyone who calls themselves a risk manager is an impediment to their organisation, not an asset. The sole functions of those in the so-called risk management profession (and I used the word lightly) should be to train, support and motivate those making decisions to utilise the risk management process to ensure their subsequent actions support and do not detract from the achievement of the organisation’s objects. This, of course, requires skill sets that are often not present.

  10. Ed Lewis
    January 15, 2015 at 3:48 PM

    It seems that it is necessary to repeat my comments to this post here and the two 31000 LinkedIn groups, so here goes …

    “Risk is everyone’s business” is the catch-phrase of note here.
    AS/NZS HB 436: 2013 Risk management guidelines – companion to AS/NZS 31000: 2009 reinforces the principle b. in the Standard: Risk management is an integral part of all organizational processes.
    “Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.”
    The second sentence is the key part of this principle here. Professional “risk managers” should not be the whipping boy for failures in the organization. The authors of the Handbook (including me) agree with your point that they should be the advisors to general managers about how to take up their responsibilities for responding effectively to the risks in their organization.
    The Handbook brings out the interdependence between risk management and governance as well. Principle b applies to governing bodies and to managers at all levels.

  11. Emmanuel Abdullai
    January 16, 2015 at 1:29 AM

    Yes I agreed with Roberts comment.

  12. January 16, 2015 at 7:14 AM

    In my opinion the risk manager is indeed not correct as it is the risk manager’s task that risk management is embedded in daily processes, systems and reports. That is the responsibility of the risk manager, that managers get the right tools to manage risks and opportunities, that they are trained to use these tools and facilitated when needed (e.g. for the application of more complex risk management techniques such as a Monte Carlo analysis).

    Additionally the risk manager may identify risks and ask mgt how they plan to manage these.

  13. January 17, 2015 at 8:38 PM

    We need to see the business and risk together (not in silos) creating the company value. We need to ensure that the business as the risk owner complies with the rules set by the risk management functions, and the risk management will tell them how to do so (as Grant Purdy correctly mentioned).

  14. Ammar Ahmed
    January 18, 2015 at 9:13 AM

    I don’t agree, Norman. My point of view is, if it is the risk owner who is assessing and/or managing the risk, then there is a big conflict of interest in that scenario. Risk management function serves as an independent eye/mindset to assess the risks faced by the organization and how well they are being managed and report the finding to the board. As in the case of Internal Controls, nobody would be ready to report deficiency in the risk assessment and/or risk management in his/her area of accountability.

  15. Norman Marks
    January 18, 2015 at 10:26 AM

    Ammar, that means that the management is not to be trusted to run the business and a secret police is needed to keep them under control. That will never work.

    • January 18, 2015 at 5:53 PM

      The sole purpose of risk management is to provide decision support. The person who makes the decision is responsible for discovering and understanding the risk. He or she might call upon someone to facilitate the discussion on risk, but the business owner is the risk owner. He or his colleague also ‘own’ the controls the organisation has in place to modify risk to keep its level acceptable.

      The risk management professional cannot be a policeman if he is also supposed to act as a mentor, guide and facilitator. That is a real conflict of interest.

      Similarly, auditors are not responsible for the monitoring and review of controls. That is management’s job. All the auditor can do is occasionally ‘check the checkers’ by sampling to provide some level of assurance.

  16. Ammar Ahmed
    January 19, 2015 at 1:56 PM

    Norman, I didn’t mean that. The management is trusted by the board, that is why they are appointed to run the business operations. Also, they should be the one who should be owner of the risk management process themselves. However, the role of the independent RM function should not be replaced by the management itself. If I were in the shoes of the process owner/management my main would always be to ensure that operations are being run smoothly with very less focus on managing the risks – they tend to think, plan and take decisions shortsightedly. In my view, IA/RM kind of play the role of “Opposition” to the ruling government in a democratic system.

  17. Ammar Ahmed
    January 19, 2015 at 1:59 PM

    Grant Purdy, if I go by your stance then we would have been still living in the Big Five culture of 90s with Arthur Andersen still posting billions of dollars in revenue per annum.

  18. Yolisa
    January 21, 2015 at 3:31 AM

    I agree with your statement 100% Norman and some of the views here. I find it difficult to engage in discussions with management if they themselves don’t know the risks pertaining to their immediate environments. To your point….why are they entrusted with running the business? One cannot separate risk management from all facets of the operating business.

    If we do not get this clear we will end up being blamed for all kinds of anomalies happening in the business leaving the underlying cause unresolved.
    Businesses have adopted a stance that when things go wrong, they ask where was the Risk Manager in this? To an extent, where warranted, yes but there are instances where this question baffles me. It is a great question but directed to wrong parties. Even senior people in the organisations ask these kinds of questions without holding the responsible parties accountable. Even when reporting, we are expected to report on all risk related incidents while leaving the people responsible for these environments to account. That then explains why Risk Managers are seldom excluded in the strategy discussions. We are viewed as working against the strategy although in my view it centers around risk vs reward.
    If this conduct continues, we will never get this right.

    It’s an ongoing exercise to educate our customers about our role. Good luck!!!!!

  19. John S
    April 1, 2015 at 9:28 AM

    Yes, I agree with you Norman – but, how do we get and keep risk on the agenda – or more precisely, ‘the effect of uncertainty on objectives’ without a separate function / committee etc. The function and committee bring focus and attention; it’s inevitable.
