Report Study on Changing Role of the Risk Manager

Description
The purpose of risk management activities is to reduce the likelihood of a crisis arising and to ensure that adequate arrangements are in place to manage a crisis if it occurs. One of the risks identified was the presence in a company of a “glass ceiling” that represented a barrier to the sharing and understanding of risk information.

REPORT
Review of the Changing Role of the Risk Manager
Report into the developing role and responsibilities of the Director of Risk Management /
Chief Risk Officer and how their contribution to business success can be increased
1. Executive summary and conclusions
In 2011, Airmic published a report entitled “Roads to Ruin” that investigated the causes and subsequent
management of a number of corporate crises. A series of underpinning risks were identified during the
Roads to Ruin research that would increase the likelihood of a crisis arising and/or the ability of the
company to manage that crisis. It is the purpose of risk management activities to reduce the likelihood of
a crisis arising and ensure that adequate arrangements are in place to manage a crisis if it occurs. One
of the risks identified was the presence in a company of a “glass ceiling” that represented a barrier to the
sharing and understanding of risk information.
Airmic members are employed as risk managers within their employer organisations. They are in the
best position to ensure that their company avoids the situations suffered by the Roads to Ruin case
studies. Airmic undertook a series of telephone interviews with eight senior risk managers who were
fulfilling the role of Director of Risk Management or Chief Risk Officer within their company. This report
describes the outcomes and conclusions from those interviews. It is intended to assist Airmic members
in their professional development and to support members in the execution of their roles. Supporting
members in this way is one of the key strategic objectives for Airmic.
During these structured telephone interviews, questions were asked about the wide range of challenges
faced by and activities undertaken by risk managers. Areas of discussion included the following:
• role and responsibilities of the risk manager
• structure of risk management in the company
• how to overcome the “glass ceiling” in the company
• contribution of the risk manager to company success; and
• advice that the risk manager would give to more junior colleagues.
There were many commonly held views expressed during the interviews. The overall intention of the
review was to identify the route to becoming a senior risk manager and then maximising the opportunity.
The key conclusions that were reached during this review can be summarised as follows:
• to secure a senior risk management position, the individual needs substantial business sector
experience and/or substantial risk management expertise
• to achieve a sustainable level of input that is valued by the company, the risk manager should
concentrate on making a direct contribution to business success
• to increase effectiveness within the company and overcome the difficulties associated with the
“glass ceiling”, the risk manager needs to develop alliances and groups or teams
• the risk manager needs to develop a higher level of risk awareness in the company and the
opportunity of providing training courses and workshops is critically important
• increasingly, the successful risk manager will require a formal qualification in risk management,
as well as significant interpersonal skills, especially communication and relationship skills.
The conclusions set out above are not entirely unexpected. Nevertheless, the outcomes from the
interviews reinforce the importance of involvement and communication on the part of the risk manager.
Airmic will continue to investigate the developing role of senior risk managers and this report is part of
the continuing commitment by Airmic to support the professional development of risk managers.
2. Structure of report and acknowledgements
1. Executive summary and conclusions
2. Structure of report and acknowledgements
3. Objectives and scope of the review
4. Profile of selected senior risk managers
5. Structure of risk management in the company
6. Contribution of the risk manager to company success
7. Increasing the contribution of the risk manager
8. Advice to aspiring risk managers
Airmic is grateful to the senior risk managers who agreed to take part in this review. The contents of this
report represent the general impressions gained during the conversations. Other than specific boxed
out comments, none of the comments or opinions have been assigned to any individual risk manager. In
undertaking this review, telephone conversations were held with the following risk managers:
• Arnout van der Veer, Chief Risk Officer, Reed Elsevier Group PLC
• Claes Martenson, Risk Manager, Solvay Chemical Company
• John Ludlow, SVP Global Risk Management, InterContinental Hotels Group
• John Summers, Chief Risk Advisor, Rio Tinto plc
• Julia Graham, Chief Risk Officer, DLA Piper UK LLP
• Nicola Harvey, Group Risk Director, Christie’s International plc
• Paul Taylor, Director of Risk Assurance, Morgan Crucible plc
• Tony Dimond, Director of Insurance and Risk Management - Northern Europe and Asia
The review was undertaken by Airmic to discover the nature and extent of the contribution made by
senior risk managers to the success of the company that employs them. In some cases, the senior risk
manager is designated as the Chief Risk Officer for the company. In other companies, the title varies but
is often Group Risk Manager. The individuals who were interviewed as part of this review are referred to
throughout this report as “senior risk managers”.
3. Objectives and scope of the review
The review was undertaken by way of telephone conversations with the eight senior risk managers
listed above. The discussions were structured according to an agenda that is the same
as the contents of this report as set out in the Executive Summary. The overall intention was to gain
an understanding of the role, responsibilities and contribution of each of the senior risk managers
interviewed, including:
• the background of the individual risk manager, the nature of the employer and the particular
attributes that enabled the individual to secure the role of senior risk manager for the company
• the structure of risk management within the company and the role, responsibilities, reporting line
and committee involvement of the senior risk manager
• the contribution made by the senior risk manager to the success of the company, how this is
measured in terms of KPIs and specific examples where the senior risk manager has made a
significant contribution
• views on the scope for improving the contribution of the senior risk manager, how risk
management is changing in the company and how issues associated with the risk management
“glass ceiling” are overcome
• finally, the advice the senior risk manager would give to aspiring more junior risk managers,
and an indication of the level of seniority and compensation that are available to senior risk
managers.
4. Profile of selected senior risk managers
Background of the risk managers
The senior risk managers interviewed had a wide range of backgrounds. However, these can be divided
into the three broad areas of (1) engineering; (2) line management; and (3) risk management. The risk
managers with a background in engineering were those employed by engineering companies where their
background and expertise was particularly relevant.
Several of the risk managers had significant experience of the sector where they were currently
employed. Indeed, some risk managers had an extended length of employment and a range of
experience with their current employer. Others had the same extended length of employment and range
of experience but with a range of different companies in the same sector. Some risk managers indicated
that experience of the sector within which they were employed was essential.
Other senior risk managers had a background in insurance or finance, in particular insurance broking,
accountancy or audit. An in-depth understanding of the insurance industry enabled these risk managers
to move from insurance broking into a role that required detailed technical understanding of insurance.
These risk managers then took the opportunity of employment in an insurance role to extend their
influence and responsibilities into broader risk management areas. For other senior risk managers,
knowledge of accountancy and internal audit formed the basis for them to develop into that broader risk
management role.
Securing the appointment
Given that the senior risk managers came from a range of different backgrounds, the next question was
about how the risk manager secured their current position. Again, a number of alternative approaches
emerged. For those senior risk managers who had worked in their business sector or were already
employed by their current employer, securing the role of senior risk manager was often achieved by
invitation, rather than a competitive interview process.
For other senior risk managers, the role was secured by having previous in-depth experience of technical
insurance and risk management issues. From the discussions, there appeared to be two distinct routes
into securing a senior risk manager role. One of those routes was based on thorough knowledge of the
sector and the risks inherent in the business sector. The other route was based on technical insurance
and risk management knowledge with the expectation that the senior risk manager would apply that
expertise within their new employer organisation.
Depending on the background and experience of the particular senior risk manager, and the role
that they were employed to fill, a different view was offered of the importance of industry experience.
However, there was no doubt that risk managers working in industrial or manufacturing organisations
were more likely to secure the role based on knowledge and understanding of the sector and the risks in
that sector.
“My extensive operational knowledge, understanding and experience in the industry was one
of the main reasons that I was offered the role in group risk management.”
John Ludlow
5. Structure of risk management in the company
Risk manager responsibilities
The range of responsibilities placed on the senior risk managers interviewed varied considerably. A
common theme was that they were responsible for risk management processes and procedures within
the organisation, but not necessarily responsible for management of the risks themselves. However, this
was not universally true and several of the senior risk managers had direct responsibility for particular
types of risks.
The types of risks where the risk manager was responsible tended to be operational risks, such as health
and safety, business continuity or security. Other risks, such as those associated with the efficiency of
processes and the quality of products or services were usually not the responsibility of the risk manager.
For the individual risk managers interviewed, this dual role of being responsible for some risks but not
others was not a difficulty and did not cause concern or confusion.
The critical issue emphasised by all senior risk managers was their primary responsibility for risk
management processes within the organisation. The level of accountability attached to this responsibility
varied from organisation to organisation, but there was a common understanding amongst all of the risk
managers that designing, facilitating and monitoring the risk management processes within the company
was a critically important part of their role.
Board involvement in risk
Most of the senior risk managers reported to the Chief Finance Officer, with access to the chairman of
the Audit Committee, as required. Many of them attended audit committee meetings within the company,
but none were members of the audit committee, given that this is a non-executive director committee.
Significant importance was placed by the risk managers on risk escalation procedures and these would
often involve access to the audit committee and, when appropriate, the chairman of the company.
Despite exposure to the audit committee and, in many cases, the existence of a senior level risk
management committee, there was often a feeling that reports were routinely received at senior
meetings, but the level of engagement was not as high as they would wish. For those risk managers
who had achieved a higher level of engagement with senior management, an important factor was
moving away from presenting risk registers as a simple list of significant risks towards emphasising the
importance of those risks to the profitability of the company.
Those risk managers who felt that the message was well received, understood and implemented by their
senior management had developed networks of individuals and functions throughout the company to
support the risk management effort. The approach of developing formal or informal networks, groups
and committees with relevant senior individuals across the organisation was put forward by several
senior risk managers as the key to enhancing engagement at top management level. This was felt to be
important because it provided a critical mass in support of the risk management message.
“Recording lists of risks in a risk register does not automatically improve the management
of those risks – the risk manager needs to align risk management activities with business
success.”
Claes Martenson
Risk input to strategic decisions
During the interviews, questions were asked about the level of development and sophistication of risk
management processes within the company. All risk managers agreed that risk management input into
operations and the importance of insurance as a control measure was well understood. Several of the
risk managers said that project risk management had become better understood within the company and
routine risk management input into project identification and management had been achieved.
For some risk managers, moving the company to the stage where a risk assessment was required for
every business investment and project approval was a major step forward. It was generally agreed
that involvement of risk management in project selection and delivery achieved an increased chance
of successful completion of the project. In some cases, there were examples where projects had been
rejected because the risk assessment of the project indicated that the project itself was inappropriate
and the risks involved in the project significantly reduced the chances of success.
The involvement of risk managers in strategy decisions was much less common. Only a minority of
the senior risk managers felt that risk considerations formed an integrated part of strategic decisions.
Nevertheless, there were examples where risk assessment of various strategic options was required and
a risk reward analysis was undertaken for each of the strategic options. Risk managers who reported
that the company had engaged with risk management when making strategic decisions indicated that
this was based on the following factors:
• Development of influential groups across the company who believed that risk management was
an important part of their responsibilities. These groups often included representatives from
various functions, including operations, treasury, tax, human resources, strategy and financial
planning
• Inclusion of risk factors and the value of risk management in discussions that focused on the
contribution made by risk management to achieving business success.
In these cases, the discussion about risk management was not concerned with risk identification
and the preparation of lists of risks, but it was concerned with the impact that risks could have on the
achievement of business targets. Top management discussions at this level of maturity were not about
risk management processes, or even about the output from those processes. The discussions were
about the importance of those outputs and their relevance to achieving business success.
6. Contribution of the risk manager to company success
Risk manager successes
For many of the senior risk managers, the measurement of success was based on their contribution to
the improved management of the risks for which they are responsible. Several of the risk managers
were able to identify improved performance in relation to business continuity planning, crisis
management, health and safety, environment and security as key measures of success. Related to this,
in many cases, was the ability to achieve reduced insurance costs.
In some cases, the risk manager was able to identify circumstances where a project had been delivered
more successfully because of the involvement of the risk manager in the project management team. In
one case, the risk manager indicated that the company had been able to return to a high-risk market
segment because of improved confidence in its risk management arrangements.
In all cases, the senior risk managers referred to an improvement in the risk awareness and risk
culture within their company. Although this was difficult to measure, examples were quoted of greater
engagement on the part of managers and of circumstances where risks that had not been previously
identified were now receiving appropriate attention.
Performance appraisal
For many of the risk managers interviewed, the key performance indicators (KPIs) that they had been
allocated were related to achieving improvements in operational risks standards. In most cases,
improvement to risk management processes was a measure that was used to appraise the performance
of the risk manager. Improvements to risk management process included improving the way in
which risk assessments are undertaken, ensuring that risk assessments were attached to (1) capital
expenditure proposals; and (2) available strategic options.
In particular, the involvement of the risk manager in project management teams was quoted as
both a success story and a KPI. Important examples of success in relation to project management
were situations where the company had undertaken a risk reward analysis and withdrawn from an
unsuccessful project at an earlier stage, rather than incur further wasted expenditure.
“Risk awareness enabled the company to optimise business opportunities, as well as withdraw
from unsuccessful projects at an earlier stage, because of enhanced understanding of risks by
the board”
Paul Taylor
For many risk managers, undertaking training programmes was an important part of their job. Several
said that they had the obligation to provide risk management training throughout the organisation and
the provision of risk training was a critical KPI. In all cases, the provision of successful risk management
training was seen as a fundamentally important component of improving the risk awareness within the
company. All risk managers expressed considerable satisfaction with the training opportunity they had
been given and the effectiveness of the training provided.
Frustrations of the role
A wide range of answers and comments were received when the risk managers were asked about
the frustrations involved in their job. There was a general feeling that risk awareness was not as well
developed as hoped and some of the risk managers expressed the view that the contribution of risk
management was not well understood at board level. For some risk managers, the exact opposite was
true and risk awareness was very mature. Generally, this had been achieved by developing risk teams
and risk networks combining operational and functional units across the company.
A specific area mentioned by several of the risk managers was Information Technology and the difficulty
faced by the risk manager in persuading the IT department to engage with risk management. This was
expressed by one risk manager as the IT department wishing to retain all three roles in the three lines of
defence model used by many organisations. That is to say, the IT department was seeking to (1) keep
control of the operation of IT systems; (2) act as the specialists that support the development of new IT
initiatives; and (3) act as the auditors or monitors of compliance with IT and data security standards. At
the time of writing this report (June 2012), a separate Airmic initiative is investigating developments in
relation to cyber risks and the availability of suitable cyber insurance products.
On a lighter note, one of the risk managers commented that a frustration was that on occasions a
business manager would claim all the credit for improved risk management. In other words, the risk
manager would identify the issue and assist with the development and implementation of the solution.
The business manager would then claim all of the credit for the improvements that had been made.
The conclusion of that risk manager was that, whilst the praise would have been appreciated, the
improvement in risk management standards was the required outcome and who receives the praise is
less important.
7. Increasing the contribution of the risk manager
Recent developments
There was general agreement amongst the senior risk managers interviewed that risk management
continues to mature as a discipline. Some suggested that the development of the international risk
management standard ISO 31000 had helped this increasing maturity. Whatever the reasons, there
was agreement that the need for enhanced risk management and the associated benefits that can be
achieved were better understood in all organisations.
The senior risk managers were of the opinion that risk management within projects had now become
firmly established and the benefits associated with this would continue to be delivered. In terms of the
changes that are anticipated over the next two years, the importance of setting global risk management
standards across the whole company has become more important, even if it is difficult to achieve.
Another recent development that was welcomed by the risk managers was the increased importance
given to brand protection. The risk managers agreed that protection of the company brand was of
paramount importance and the benefits of bringing a risk-based approach to this brand management
were becoming better understood.
One of the risk managers mentioned that the importance of concentrating on brand perception in order
to improve business performance was fundamental to the long-term success of the company. In these
cases, the need to embed risk management within brand protection and brand extension activities was
fully understood in the company.
Improved contribution
When asked what steps could be taken to improve the contribution made by the risk manager and how
that contribution is understood, a range of responses was received. The overall feeling was that risk
management activities need to be embedded into the “business as usual” model. This would ensure that
the risk management process was relevant, effective and robust. The feeling was that there should be
a concerted effort to move away from the compliance / assurance approach towards an approach based
on risk management as an underpinning process that contributes to business success.
The opinion was also strongly expressed that risk managers should focus on the business benefits that
enhanced risk management delivers. Improved risk management processes do automatically achieve
improved business performance and risk managers should be aware of this fact. A challenge put forward
by one risk manager was that it is necessary to identify the core business processes and ensure that risk
management contributes to the efficiency and effectiveness of these core processes.
Another factor mentioned was that risk management activities need to be proportionate to the risks faced
by the organisation and tailored to the particular attributes of the company. Therefore, risk managers
need to understand the organisation and the business sector within which it operates, so that appropriate
risk management processes can be developed and the output from those processes can be aligned with
business success. This means that the standard or “off the peg” risk management processes offered by
some consultants will not be successful in every organisation.
“Glass ceiling”
There was discussion of the risk management “glass ceiling”. This concept was discussed in the
“Roads to Ruin” research recently published by Airmic. The “Roads to Ruin” report states that one of
the frequent causes of business failure is that risks are often clearly understood by business managers
and specialist functions, such as the risk management and internal audit departments. However, this
understanding is not present at board level because of:
• failure to provide appropriate information to the board
• failure of the board to understand the information that is available; and/or
• failure of the board to critically examine the information provided.
One of the specific reasons mentioned by the risk managers for the existence of the glass ceiling was
that risk management activities in many organisations are not aligned to the business imperatives and
the overall success of the company. As well as aligning risk management activities to business drivers,
the risk manager should seek to get involved in all relevant aspects of the company. One risk manager
pointed out that there is no glass ceiling when the risk manager is visibly contributing towards the
outcomes that the board is seeking to achieve.
A theme put forward by several of the risk managers was that their influence was increased by the
formation of groups, committees or project teams. One particular risk manager said that developing
teams across head office functions was the key to increasing the influence of the risk manager. The
view expressed was that it is more difficult for the executive committee or board to ignore the opinions of
a group of people, especially when members of the executive committee or members of the board were
part of these groups.
The message offered was clear: do not seek to manage the risks within the risk management department
or keep the information about the key significant risks as a list within a low visibility risk register. This
approach will result in the risk management activities becoming almost invisible because they are not
aligned with the business success indicators.
“Improving risk management standards is simple when the business case is explained and
the location manager understands the benefits – and risk training helps to achieve this
understanding.”
Julia Graham
8. Advice to aspiring risk managers
Action now
The senior managers were asked what advice they would give to more junior risk managers who have
some experience, but are perhaps less than halfway through their careers. The most commonly offered
advice was that a risk management qualification is a very useful addition to a CV. It was generally felt
that as the employment market becomes more competitive, a qualification in risk management will be an
important differentiator.
However, the point was made that a risk manager should not be obsessed with the theory of the risk
management process, but should be much more concerned with the benefits attached to the output from
the process. Therefore, the qualification obtained has to be relevant and the aspiring risk manager has
to be capable of applying the theory to real business situations.
In relation to technical skills beyond those concerned with risk management, the general advice offered
was that risk managers need greater business and finance understanding. It was suggested that a
qualification in a key business discipline, such as finance, would increase the effectiveness of a risk
manager. The view was expressed that risk management activities should not only be aligned with
business activities, but must deliver a substantial contribution to business success. Accordingly, risk
managers need business understanding and financial awareness and, in the opinion of many of the
senior risk managers interviewed, considerable sector knowledge.
The value of sector experience was strongly emphasised by most of the risk managers interviewed and
was seen as part of being credible as a candidate for a risk manager job in the particular sector. The
view was put forward that an aspiring risk manager may wish to select a specific business sector and
develop real knowledge of the business drivers within that sector. Another important aspect that was
mentioned was the importance of project management skills. It was pointed out by several of the senior
risk managers that business is rapidly changing and that the ability to manage change and, in particular,
manage the risks associated with change is becoming a highly valued skill.
In addition to technical, financial, sector and business skills, the other important area that was repeatedly
mentioned was interpersonal or “soft” skills. In particular, communication and relationship skills were
considered to be vital. Communication skills include written and oral skills, presentation and public
speaking skills, as well as committee and meeting participation skills. Relationship skills were mentioned
as important in terms of influencing, negotiating and conflict resolution. The importance of interpersonal
skills was further reinforced by the advice from one of the risk managers that aspiring risk managers
should develop formal and informal networks of colleagues, as well as attend and participate in
appropriate technical and sector conferences. In summary, the view was put forward that risk managers
should develop leadership skills and retain an attitude of “never stop learning”.
“Risk managers should not only be involved with existing systems and activities, but they must
also have the skills to make a contribution to delivery of projects and changes to business
processes”
Nicola Harvey
Rewards later
The risk managers were asked about the rewards available to risk managers who aspire to the most
senior risk management positions. Given that the risk managers who were interviewed were not from
the finance sector, the comments offered and the reward packages discussed may not apply directly to
that sector.
Overall, the appropriate seniority for a very senior risk manager was described by one of the
interviewees as “half a step below executive committee”. It was acknowledged that this status will
vary considerably between business sectors, depending on the nature of the role and the nature of
the regulator in that sector. Highly regulated sectors, such as finance, energy, extractive industries,
transportation and chemicals (for example) will have different approaches to risk management. This may
result in the senior risk manager being positioned at a higher level in the company.
Overall, the view was that a total employment package in excess of £150,000 (as at June 2012)
represents an achievable aspiration for a risk manager who is seeking to secure a top risk management
position. The total employment package includes salary, bonus, benefits, pension contributions and, if
available, share options.
6 Lloyd’s Avenue
London
EC3N 3AX
T: +44 (0)20 7680 3088
F: +44 (0)20 7702 3752
www.airmic.com
