Risk is a fact of life for businesses of all kinds – large and small. If we’re lucky, we might see it coming, so that we have an opportunity to formulate a coping strategy. But how can managers and employees be best prepared to deal with the unexpected? Iain Wright, CFIRM, Outgoing Chair of the Institute of Risk Management, has some informed observations on the subject.
Thank you for your time today, Iain. To start with, can you share some information with us about the IRM, and how your members dealt with risk mitigation with regard to COVID-19?
The Institute of Risk Management (IRM) is the leading international professional body for risk management. We are an independent, not-for-profit organisation that champions excellence in managing risk to improve organisational performance. We do this by providing internationally recognised qualifications and training, publishing research and guidance, and raising professional standards across the world. Our 8,000 members work in all industries, in all risk disciplines and across the public, private and not-for-profit sectors in more than 100 countries.
The role of risk management is to help organisations achieve their objectives in an uncertain world. In 2020, that world was turned upside down as a long-observed, although perhaps not sufficiently managed, risk – global pandemic – became a live issue.
We were pleased that nearly one thousand of IRM’s members and contacts around the world were able, at such a busy time, to contribute to our pandemic response survey.
Our aims were to find out how risk management functions were responding to the crisis, whether their plans were working, what had proved helpful to their response and what had not, how this situation might affect the development of the profession and what we should be learning from it.
We found that, out of the 959 respondents, 32% of organisations had not considered pandemic risk or anything similar before it happened. Only one-fifth of those who had considered pandemic risk hadn’t planned what to do, should it hit. I think that we will find that the organisations that coped best with the crisis were those which were able to react quickly to unfolding uncertain circumstances and I think there will be a high correlation between those organisations and those that had prepared for similar eventualities. War-gaming unrelated scenarios can help get an organisation’s DNA into a place where it improves its capability to respond to unforeseen events.
The full survey and report(s) are available on our website.
For the future, we expect to see a sharper focus on resilience and on strategic risk management. These topics have been around for some time but this period of crisis will focus attention on ensuring that organisations have the people and skills to raise their game to what will be required in ‘the new normal’.
We mustn’t allow the magnitude of the current crisis to obscure the other major (and interconnected) risks that we all face. We still need to tackle climate change, cyber-risk, supply chain disruption, and economic and geopolitical volatility, to mention just a few. The IRM, the Institute of Operational Risk (IOR – part of the IRM group) and our wider global risk management community stand ready and confident to lead the response.
How does your professional background in risk and investment industries help you navigate the complex world of intelligent risk management? How does this shape your vision for IRM as the organisation’s chair?
I am lucky that I have had a varied career, giving me insight into a number of types of organisation, including healthcare, charities, manufacturing, retail and financial services. And I have been lucky enough to work in external audit, corporate finance, stock exchange, financial service regulation and industry positions. Although I didn’t appreciate it in these terms in some of my previous roles, what I understand now is that all organisations face risks – and often they face common risks. What is important is how organisations and people identify risks, measure and monitor them, and put in place appropriate mitigation to bring that risk within an explicit risk appetite.
There are two aspects of my experience which, for me, shape what we are here to do at the IRM. First, I want us to provide a sound education to our students. Risk management is a discipline that requires education and training. At the IRM, we have world-leading qualifications and training programmes for all levels of risk professionals, and others who are interested in understanding more about risk management. The second thing is that this education should not inhibit, in fact should promote, wide-ranging thinking and open-mindedness. One of the important skills of risk managers is to connect various parts of (often voluminous) information which face us and make sense out of them. Having wide experiences allows some of us to do this but I appreciate that there are people starting their careers who will not have the advantage of those different experiences. Of course, some will have the opportunity to move in and out of risk as a career, but for those who stay in a risk role, we need to equip them with the ability to think widely and understand, assimilate and analyse wide-ranging data.
In what ways does a small company’s risk profile differ from risks faced by enterprise-level companies?
I’m not sure that the risks faced by different-sized companies do differ hugely in general. Of more importance is the nature of the business – the sectors within which it operates, the extent and location of its supply chains, exposure to international markets, and so on. Larger companies may be able to weather crystallising risks better than smaller companies, but that will depend on the nature of the risk and also the preparedness of the enterprise (in other words the maturity of its risk management). Small companies will find it harder to devote resources to risk management but that does not mean they can’t be effective in identifying and managing risks.
How can a company create an all-of-staff risk mitigation effort?
I think this comes down primarily to that nebulous concept of culture. Critical to ensuring that all staff contribute to mitigation is the right “tone from the top”, that is a clear direction on expected behaviours and how the enterprise will react to risk events. This must be backed up by senior-level behaviours – for example, there cannot be a culture of shooting the messenger when bad news is uncovered. When things go wrong, senior management need to be clear about expectations. They should support their teams who are managing the risk and create a culture where lessons can be learned to improve the organisation’s resilience going forward.
At what stage should a company consider creating the role of “chief risk officer”?
Some organisations, especially in financial services, need to have someone identified in this role of “chief risk officer”. However, the title is not important and I would suggest that all organisations, whatever their size and nature, will benefit from having someone of sufficient clout whose role it is to challenge whether the organisation is aware of the risks it faces, how those risks are changing, what the impact could be if those risks crystallised, and to prepare the organisation for such an eventuality as appropriate. That may be part of someone’s role in a small organisation or a role carried out by tens of people in large, regulated organisations.
I think the key thing here is that everyone needs to understand that they are a source of risk to their organisation. This is not bad – it is a fact that organisations in carrying out their daily business take on risk. Those risks may be due to the external environment, such as geopolitical risks, or risks that could lead to operational disruption, such as weather-related risks. They could also be due to things the organisation is doing and, in particular, weaknesses in controls. So, I would say that people should be aware of what they do and what risks are relevant in the context of their role, and ask whether the organisation is aware of those risks, and prepared. I also think a powerful part of risk management is people speaking to each other, in particular discussing areas of concern with their managers.
Can you give some examples of firms that thrived during the pandemic, and explain why they were able to survive the COVID-19 crisis?
I won’t single out any organisations here, but I have seen organisations come through the crisis successfully who quickly moved to support their people in making the big move to working from home, bringing in technology solutions and making the move to online interactions with customers and their people. We do hear a lot about office workers working from home but, of course, there are a number of people who have continued going to a workplace, often in very difficult circumstances – for example, healthcare, transport, energy, construction and extraction. Good communications and targeted investment in what helps people carry on working productively have been the difference between those who have come through strongly and those who haven’t.
After COVID-19, people might think spending money on risk management is pointless if it is impossible to prepare for a blind force that is beyond human control and understanding. What would your advice be here?
It is impossible to prepare for every eventuality and very few organisations will have been specifically prepared for COVID. However, organisations can prepare for business disruption and set up structures such as incident management teams that allow them to react quickly to unfolding events. Investing in data sources to keep abreast of changing circumstances is also an important part of risk management. I do come back to culture here – investing in ensuring that you have a culture within your organisation that means you are aware of and discuss risks that face you, you plan appropriate mitigation, you set indicators, so you can see risks unfolding, and you are ready to react should things go wrong. These are all worthwhile investments which don’t require you to plan for every specific risk that may impact you.
How will IRM’s training programmes change (if at all) after COVID-19? What do you think are the top emerging trends in enterprise risk management and how will IRM prepare for them?
We have moved all our training courses online. Our suite of Enterprise Risk Management, Financial Services Risk Management, Supply Chain and Digital Risk Management Certificates were already delivered by online supported distance learning, so they are available to anyone, anywhere in the world. Virtual delivery for training is likely to continue for the foreseeable future, as countries are at different stages of recovery, although we may move to offering a hybrid of face-to-face and online.
We believe that our suite of training is world-class, current and relevant. We are constantly seeking input from academics, practitioners and our members and stakeholders on providing leading relevant qualifications and training for all those who deal with risk in their jobs.
Enterprise Risk Management is relevant to any business, in any sector globally, and the broad church of our members and student community demonstrates that different companies and, indeed, sectors and countries are at different stages of risk maturity and implementing risk management strategies. Our portfolio offers something for everyone at every stage of their career.
If you could pick three of the top risks that CEOs are losing sleep over, what would those be?
I think the top three of many would include some or all of: threats to organisational resilience, impacts of the pandemic (health, people and economic) and climate change.
Given the turbulent nature of the business sector, what advice can you give aspiring young professionals in the industry to enable them to hit the ground running and keep going, even amidst all the disruptions?
If I have one piece of advice to young people (or, indeed, people of any age) thinking of a career in risk management or just interested in how effective risk management can make their organisation better, it will be to study the subject. Having a solid grounding in the topic will pay dividends in helping your organisation understand and manage its risks. I would also say that change is a constant, so build your personal resilience to deal with and, if possible, lead that change. Finally, build your own networks. This will help you navigate change and be effective in work, but it will also help combat any feelings of isolation you may have during difficult, turbulent times.
Regardless of line of work, risk is an everyday thing felt by everyday people. How do you approach uncertainties in such a way that it doesn’t hinder productivity and still inspires you to innovate? How does this translate into the work you do?
Build good risk management into everything you do. Don’t see risk as something that sits elsewhere in the organisation, perhaps in a team labelled “Risk Management”. I expect all my colleagues to talk about the risks in whatever they do, whether it is developing strategy, thinking about an acquisition, looking at building the talent in our organisation or going about their day-to-day jobs.
It can be argued that change, while inevitable, has shaken the very bedrock of society, because of the disruptive nature of the pandemic. As the leader of one of the most sought-after risk management platforms, how do you personally deal with change?
I try to live some of the things I have talked about earlier. I like to think ahead about the possibilities but also the pitfalls of the future. I like to think about what could happen. I talk to people about change and the future and, while we can certainly learn lessons from the past, I do not dwell on the past. Finally, I do try to get some down time. During the last year, that has meant getting out and walking more in my local area than I have done in the past. In more normal times, that may be watching a game of football at the London Stadium or meeting friends for a drink or dinner.
What are some words you live by? And finally, what does success mean to you?
Personal success to me means leaving the people, organisations and physical environments I interact with in a better place than when I started with them. Personal development has always been very important to me; education can open many doors. Our enrolment window for the December exams closes on 31 May 2021 and I’d encourage anyone looking to enhance their career to get qualified with the IRM. Risk management offers many opportunities across the globe and not just in banking and financial services.
Risk management has never been so important to the survival of businesses globally. Now is the time to ensure that your staff are current and competent.
About Institute of Risk Management
Our new professional Chair Stephen Sidebottom took over the role of IRM Chair on 1st June 2021. Stephen has over 30 years’ international experience of working in HR and Organisation Development primarily in global financial services and in both private and public sectors. He also has nearly 20 years’ experience on the boards of various membership associations.
The enrolment period for the December exams has been extended to 30 June 2021. Enhance your career and earning potential and learn from anywhere in the world by online supported distance learning. Don’t risk it, get qualified. www.theirm.org/quals