CONVERSATION CONTINUED: The Evolving Role of the Risk Professional

June 05, 2014

On January 23, RIMS hosted a webcast entitled “La Evolución del Rol del Profesional de Riesgos” (“The Evolution of the Risk Professional’s Role”). This webcast was presented in Spanish and discussed how the risk professional’s role has evolved to reflect greater visibility within an organization. The program offered updated insights to the RIMS executive report, “The Evolving Role of the Risk Professional,” and had attendees from Central and South America.

Below are highlights of attendee questions, grouped by topic, with answers from presenters Leo Constantino, Risk Management Inspector General, County of Los Angeles, and Javier Mirabal, President, Mirabal Risk Management and ALARYS board member.

Skills and Education

Q. What types of academic studies are most applicable to leading a risk function? Engineering, law, or? 

A. Because risk management is a discipline that integrates different skills from different university (undergraduate, postgraduate) degree programs, no single academic program covers the entire risk management field. Risk professionals come from an array of different university degree programs, and almost all the programs offer topics that cover specific skills (e.g., finance, statistics, business, management).

The Respective Roles of Risk Management, Internal Audit, and the Board

Q. In aligning internal audit with ERM, isn't it also important to make sure both departments are able to independently score the risks? A medium-ranked internal audit risk could be a high risk for the company overall due to its impact.

A. The most important objectives of internal audit in risk management are to offer relative assurance to the board that: a) the company risk management policy is in place; b) this RM policy is applied by the executive organizational structure (CEO and top management, process owners and the rest of the organization) in an effective and efficient manner; and c) the residual risks that result from the execution of the risk management framework across the organization are aligned with its risk appetite and risk tolerance. In this case the internal audit department has to evaluate which way may be most effective and efficient: scoring each risk of the organization or monitoring the implementation and execution of the RM framework.

Implementation Strategies

Q. What are the areas of priority for executing/implementing a risk management program within a company?

A. This depends on the type of company (goods, services, size), the current maturity state of its risk management programs, and the frequency, severity and types of losses it may have incurred in the last three years. For example, a manufacturer with strong operational and safety controls that has incurred few casualty losses and whose Total Cost of Risk (TCOR) is acceptable at 2% probably needs to move along the maturity scale to an ERM program. Conversely, a retailer that has grown 100% in the last two years through acquisitions and has seen its operational TCOR rise from 3% to 8% should focus on traditional risk management efforts (loss control, claims management, safety) and build a foundation so it can eventually begin working on an ERM program.

Selling ERM and Demonstrating Value

Q. In my organization, they say, "We have plenty of policies to define thresholds. Why do we need a separate risk management policy?" How can we convince managers of the need for a risk policy and risk management system?

A. You may want to explore this topic with senior management by asking further questions: Are the thresholds for compliance, assurance and associated risks, or are they also thresholds for strategic and operational risks? Do the thresholds have a range, or are they absolute, and do they allow for informed risk-taking (upside risk scenario)? Unless the current policies and thresholds allow the organization to differentiate between strategic/operational risks and compliance/assurance-based risks (which may well overlap), you can make a case for adding Enterprise Risk Management-related thresholds that help manage risks that specifically relate to your organization's strategic goals.

The Relationships between Enterprise Risk Management, Strategic Risk Management and Compliance

Q. I don't see the difference between ERM and SRM; strategic management should be part of strategic planning, or a great risk of failure exists.

A. It all depends on whether the management of strategic risks is included in the scope and design of ERM. While many organizations do include strategic risks in their respective ERM risk registers, these risks may not be integrated fully into the strategic planning process, where decisions on value creation as well as value protection are being made. Senior management teams may not have embraced strategic risk management as a vital component of enterprise risk management. This limits awareness of ERM’s structured discipline and enabling capabilities to help the organization manage the risks most directly related to achievement of the organization’s objectives. Furthermore, without a disciplined strategic risk assessment, risks arising from the plans to meet the objectives may be overlooked.

Q. At some point in this discussion, would you touch on the move to resource and hire Chief Compliance Officers rather than Chief Risk Officers, and whether you feel the ERM umbrella can and should cover compliance management sufficiently (or does compliance require a separate structure/function apart from overall enterprise-wide risk management)?

A. Companies with an integrated approach to risk move the management of compliance risk under the ERM framework/umbrella, but companies with a siloed approach manage compliance risk as an independent silo. Which is better? It depends on which risk management approach works best for a particular organization, but the trend is that an integrated approach to risk management is more useful for any value-added model.

For more information, contact:

Josh Salter, Director of Communications, (212) 655-6059 or JSalter@rims.org

About RIMS

As the preeminent organization dedicated to promoting the profession of risk management, RIMS, the risk management society®, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS is committed to advancing risk management capabilities for organizational success, bringing networking, professional development and education opportunities to its membership of more than 10,000 risk management professionals who are located in more than 60 countries. For more information on RIMS, visit www.RIMS.org