From Risk Management to Risk Leadership
As I engage with risk professionals around the world, I can’t help but notice a distinctive shift in risk management thinking and approach. I have increasingly mature interactions, particularly in Europe, where risk management seems to be more intricately aligned with business objectives, transcending the mere compliance exercise often associated with risk management in the USA under Sarbanes-Oxley.
The key to this is whether risk management is strategic or tactical to the business. Are we simply managing a list of risks and going through the motions? Are we strategically providing value in risk leadership to the organization to ensure that we minimize surprises to achieve the objectives of the organization?
During a recent Risk and Resilience Management by Design Workshop I facilitated, I interacted with a Chief Risk Officer (CRO) from a European life sciences company. His story encapsulates the transformation from traditional risk management to a more leadership-driven approach. Upon being appointed as the Chief Risk Officer, he had his first meeting with the CEO. In that crucial moment, the CEO asked: “So, you are the new CRO. Tell me what that means to me?” In response, the CRO offered a succinct and powerful definition: “My job is to ensure you have no surprises in achieving the organization’s objectives.” The CEO found this definition brilliant, considering it the best encapsulation of risk management he had ever heard.
The CRO’s assertion that his role is to manage uncertainty and ensure “no surprises” in achieving organizational objectives reflects a proactive approach to risk leadership. While surprises may still occur, the Chief Risk Officer is tasked with minimizing uncertainty and ensuring that executives and the business are well-informed about potential risks to their objectives.
What sets this CRO’s response apart is the shift in risk accountability. Rather than placing the burden solely on the risk management function, the CRO emphasizes that risk management’s role is to facilitate, communicate, and engage on risk in the context of objectives. The onus of owning and driving risk decisions lies with executives and the broader business. In this paradigm, risk management serves as a support function, ensuring that risks are communicated in the context of objectives and enabling informed decision-making. This is true risk leadership, not simply routine risk management of lists and repeated assessments.
ISO 31000 defines risk as “the uncertainty on achieving objectives.” This European CRO’s narrative reinforces the idea that risk requires context and that context is provided by the organization’s objectives. Whether financial, operational, or ethical/ESG-oriented, objectives serve as the foundation for risk management. These objectives cascade from high-level entity objectives down to division, department, process, project, and asset-level objectives, forming the framework for risk management across the various organizational levels.
Organizations need to strive for deeper value in risk management through risk leadership, where the CRO provides insight into the organization’s ability to achieve its strategic as well as its operational objectives.
This perspective on embracing and evolving risk management to a risk leadership role in the business transcends the conventional compliance-centric approach of the past. It emphasizes a holistic integration of risk with organizational objectives, transforming risk management into risk leadership. The narrative of the CRO above echoes a fundamental shift towards proactive risk management, where executives and the business take ownership of risk decisions, armed with the information needed to navigate uncertainties and achieve strategic objectives.
As organizations globally navigate an increasingly complex risk landscape, the European approach to risk leadership offers valuable insights. Embracing this perspective may enhance resilience and position organizations for strategic success in an ever-evolving business environment.
A guest blog by
Michael Rasmussen
Michael Rasmussen is a GRC Analyst & Pundit at GRC 20/20 Research, LLC. With over 30 years of experience, Rasmussen is an internationally recognized authority in governance, risk management, and compliance (GRC). As a sought-after keynote speaker, author, and advisor, he has helped countless organizations enhance their GRC processes and stay ahead of the curve.