
Guest Post by Andrew Sheves (first posted on CERM ® RISK INSIGHTS; reposted here with permission)
Googling "what is a risk manager?" will get you variations on "it's the person who manages that organization's risks," which is a pretty weak answer. It's certainly not enough to help anyone who's just starting in the role to understand what they're supposed to do. Similarly, if someone's thinking about this as a career, we need a bit more.
So here's a more detailed answer.
"A risk manager is a person who helps an organization achieve success by understanding, managing and responding to its risks."
That's a lot better, but I want to go deeper and see what that means in practice. That way, if you're thinking about becoming a risk manager, or are just beginning your career, you'll have a much better understanding of what the role entails.
Let's start with the term risk itself before we go any further.
What is risk?
The ISO definition of risk is "the effect of uncertainty on objectives" (ISO Guide 73). This is a robust, simple definition that I've used extensively because it works.
It tells us that 1) we're dealing with uncertainty and events that might occur, 2) we need to understand how these events might affect an entity, and 3) we're focused on how these effects influence its objectives. That's all we need for right now, but there's a more in-depth article on risk here if you want to go deeper.
Now that we have a definition of risk, we need to understand what risk management is.
What is risk management?
The critical idea in the risk definition we're using is that risk could affect if or how you meet your objectives. So a risk could be beneficial, accelerating your progress (an upside risk), or a hindrance, slowing down your progress (a downside risk). Either way, a risk has the potential to change your pathway to success.
Therefore, we're dealing with potential change, and that's where risk management comes in.
Risk management helps optimize organizations for success by preparing them to adapt to change, and there are four components to this:
- Reducing uncertainty as much as practical
- Addressing identified risks
- Developing specific contingencies to address anticipated events and general contingencies for unanticipated events
- Building tools to limit losses and maximize benefits (balancing)
These four components are the main elements of the risk manager's role.
So we now have a description of the role (a risk manager is a person who helps an organization achieve success by understanding, managing, and responding to its risks), the risk manager's four primary responsibilities, and definitions of risk and risk management.
That's a much more thorough answer to the question "what is a risk manager?", I think.
What a risk manager isnāt
However, in addition to defining what a thing is, I always find it helpful to define what things aren't. That helps sharpen up our understanding and, in this case, avoids "creep" into areas that aren't the risk manager's responsibility.
So what does the risk manager not do?
First, the risk manager isn't an auditor, even though there is an audit component to the role. The difference is that the risk manager is responsible for managing the risk management system, not just compliance and governance. So the role is focused on managing risk, not checking boxes to adhere to a standard.
Second, the risk manager isn't the emergency and crisis leader. This is slightly more contentious because many risk managers do have a response role, but this is a secondary role in my eyes. Functional leaders are best positioned to manage incidents in their teams or departments, so they should lead the operational response. The risk manager can support the response, but my recommendation is to only "double-hat" the position as a risk and response role if the person has the skills and temperament to do both: it shouldn't be a default responsibility. However, the risk manager will play an important role in an organizational crisis when high-level decisions are being made, but this is part of their role supporting decision-makers, not as fire-fighter in chief.
Finally, the risk manager isn't a back-room, administrative function. The risk manager needs a direct link to the leaders they support, ideally having a formal role in decision-making. This allows leaders to take full advantage of the risk manager's unique understanding of the organization's operational risk environment and what the alternatives might look like. It also allows the risk manager to add clarity and reduce uncertainty in decision-making for issues that would otherwise be opaque.
Small organizations are an exception
Even though it is helpful to have these "no-go" areas for the risk manager, the role will be shaped by the organization's size and type.
For example, in a small organization, it's not unusual to have one person who holds a combined risk, safety, and security role, along with audit and incident management. In this kind of situation, it would be necessary to 1) ensure that everyone understands that these are separate functions combined into one role (similar to having someone do sales and marketing), and 2) check that the individual selected for the position has an aptitude in all of these areas. Being good at one of these doesn't guarantee success in the others.
What about the [blank] risk manager?
If the title has a prefix (financial risk manager, security risk manager, cyber risk manager), then you have the same role and responsibilities but focused on a specific area of the organization.
The difference with functional risk managers is that they often have more blended roles, incorporating audit and response, for example. Safety and security risk managers are very often Jacks (or Janes) of all trades. Otherwise, the core responsibilities are the same.
(As a side-note, roles that use prefixes are often threat-led, not effects-led, which isn't ideal because you end up with silos. For example, a security risk can arise from inadequate screening of new employees. If you're threat-led, HR might oversee screening and exclude security from these decisions. This creates a blind-spot because the person responsible for security doesn't have insight or input into managing this particular risk. However, if you are effects-led, security would coordinate with functional areas to ensure that, whatever the origin, security risks were being assessed and mitigated.)
So what is a risk manager?
So let's go back to the original question. Now we have a definition describing what they do:
"A risk manager is a person who helps an organization achieve success by understanding, managing and responding to its risks."
And a set of responsibilities explaining how they do this.
- Reducing uncertainty as much as practical
- Addressing identified risks
- Developing specific contingencies to address anticipated events and general contingencies for unanticipated events
- Building tools to limit losses and maximize benefits (balancing)
Now we've got a much better answer to the question "what is a risk manager?" which, I hope, really helps people understand the risk manager's role and how they fit into the organization.
So if you're just starting out as a risk manager and feeling your way a little; if you've just inherited the title of risk manager and aren't 100% sure what that means; or if you're interested in this as a career path, I hope that this has helped give you a better idea of what a risk manager is and what they do.
This is the first in a series of articles focused on the risk manager, their responsibilities, skills, and role in a company. You'll find the other articles here as they are published.
Andrew Sheves Bio
Andrew Sheves is a risk, crisis, and security manager with over 25 years of experience managing risk in the commercial sector and in government. He has provided risk, security, and crisis management support worldwide to clients ranging from Fortune Five oil and gas firms, pharmaceutical majors and banks to NGOs, schools and high net worth individuals. This has allowed him to work at every stage of the risk management cycle from the field to the boardroom. During this time, Andrew has been involved in the response to a range of major incidents including offshore blowout, terrorism, civil unrest, pipeline spill, cyber attack, coup d'état, and kidnapping.