Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Googling ‘what is a risk manager?’ will get you variations on ‘it’s the person who manages that organization’s risks,’ which is a pretty weak answer. It’s certainly not enough to help anyone who’s just starting in the role to understand what they’re supposed to do. Similarly, if someone’s thinking about this as a career, we need a bit more.
So here’s a more detailed answer.
‘A risk manager is a person who helps an organization achieve success by understanding, managing and responding to its risks.’
That’s a lot better, but I want to go deeper and see what that means in practice. That way, if you’re thinking about becoming a risk manager, or are just beginning your career, you’ll have a much better understanding of what the role entails.
Let’s start with the term risk itself before we go any further.
What is risk?
The ISO definition of risk is “the effect of uncertainty on objectives” (ISO 73). This is a robust, simple definition that I’ve used extensively because it works.
It tells us that 1) we’re dealing with uncertainty and events that might occur, 2) we need to understand how these events might affect an entity, and 3) we’re focused on how these effects influence its objectives. That’s all we need for right now, but there’s a more in-depth article on risk here if you want to go deeper.
So now we have a definition for risk, we need to understand what risk management is.
What is risk management?
The critical idea in the risk definition we’re using is that risk could affect if or how you meet your objectives. So a risk could be beneficial – it could accelerate your progress (an upside risk) – or a hindrance – it could slow down your progress (a downside risk). So a risk has the potential to change your pathway to success.
Therefore, we’re dealing with potential change, and that’s where risk management comes in.
Risk management helps optimize organizations for success by preparing them to adapt to change, and there are four components to this:
- Reducing uncertainty as much as practical
- Addressing identified risks
- Developing specific contingencies to address anticipated events and general contingencies for unanticipated events
- Building tools to limit losses and maximize benefits (balancing)
These four components are the main elements of the risk manager’s role.
So we now have the description of the role – a risk manager is a person who helps an organization achieve success by understanding, managing, and responding to its risks – the risk manager’s four primary responsibilities and definitions for risk and risk management.
That’s a much more thorough answer to the question ‘what is a risk manager?’ I think.
What a risk manager isn’t
However, in addition to defining what a thing is, I always find it helpful to define what things aren’t. That helps sharpen up our understanding and, in this case, avoids ‘creep’ into areas that aren’t the risk manager’s responsibility.
So what does the risk manager not do?
First, the risk manager isn’t an auditor, even though there is an audit component to the role. The difference is that the risk manager is responsible for managing the risk management system, not just compliance and governance. So the role is focused on managing risk, not checking boxes to adhere to a standard.
Second, the risk manager isn’t the emergency and crisis leader. This is slightly more contentious because many risk managers do have a response role, but this is a secondary role in my eyes. Functional leaders are best positioned to manage incidents in their teams or departments so they should lead the operational response. The risk manager can support the response but my recommendation is to only ‘double-hat’ the position as a risk and response role if they have the skills and temperament to do both: it shouldn’t be a default responsibility. However, the risk manager will play an important role in an organizational crisis when high-level decisions are being made, but this is part of their role supporting decision-makers, not as fire-fighter in chief.
Finally, the risk manager isn’t a back-room, administrative function. The risk manager needs a direct link to the leaders they support, ideally having a formal role in decision-making. This allows leaders to take full advantage of their unique understanding of the organization’s operational risk environment and what the alternatives might look like. This allows the risk manager to add clarity and reduce uncertainty in decision-making for issues that would otherwise be opaque.
Small organizations are an exception
Even though it is helpful to have these ‘no-go’ areas for the risk manager, the role will be shaped by the organization’s size and type.
For example, in a small organization, it’s not unusual to have one person who has a risk, safety, and security role that combines elements of all of these, along with audit and incident management. In this kind of situation, it would be necessary to 1) ensure that everyone understands that these are separate functions combined into one role (similar to having someone do sales and marketing), and 2) ensure that the individual selected for the position has an aptitude in all of these areas. Being good at one of these doesn’t guarantee success in the others.
What about the [blank] risk manager?
If you have a prefix – financial risk manager, security risk manager, cyber risk manager – then you have the same role and responsibilities but focused on a specific organization area.
The difference with functional risk managers is that they often have more blended roles incorporating audit and response, for example. Safety and security risk managers are very often Jacks (or Janes) of all trades. Otherwise, the core responsibilities are the same.
(As a side-note, roles that use prefixes are often threat-led, not effects-led, which isn’t ideal because you end up with silos. For example, a security risk can arise from inadequate screening of new employees. If you’re threat-led, HR might oversee screening and exclude security from these decisions. This creates a blind-spot because the person responsible for security doesn’t have insight or input into managing this particular risk. However, if you are effects-led, security would coordinate with functional areas to ensure that whatever the origin, security risks were being assessed and mitigated.)
So what is a risk manager?
So let’s go back to the original question. Now we have a definition describing what they do (in bold):
‘A risk manager is a person who helps an organization achieve success by understanding, managing and responding to its risks.’
And a set of responsibilities explaining how they do this.
- Reducing uncertainty as much as practical
- Addressing identified risks
- Developing specific contingencies to address anticipated events and general contingencies for unanticipated events
- Building tools to limit losses and maximize benefits (balancing)
Now, we’ve got a much better answer to the question ‘what is a risk manager?’ which, I hope, really helps people understand the risk manager’s role and how they fit into the organization.
So if you’re just starting out as a risk manager and feeling your way a little; if you’ve just inherited the title of the risk manager and aren’t 100% sure what that means; or if you’re interested in this as a career path, I hope that this has helped give you a better idea of what a risk manager is and what they do.
This is the first in a series of articles focused on the risk manager, their responsibilities, skills, and role in a company. You’ll find the other articles here as these are published.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d’etat, and kidnapping.