Suzette Thurman, Chief Risk Officer, First State Super
It may seem contentious to advocate for a risk management approach that prioritises soft skills over technical skills and qualitative assessment models over quantitative, but traditional risk frameworks and people strategies must evolve if we are to keep pace with rapidly changing business, social and political environments.
For too long, businesses have focused on financial risks to the exclusion of all others. But this is just one part of an ever-broadening risk management puzzle. Ignoring or de-prioritising non-financial risks such as behavioral and reputational risk is not only foolish, but also short-sighted. Managing these risks is critical as they can lead to significant bottom line impacts.
Changing community expectations mean organizations are being held to much higher account than ever before, with companies now required to do much more than just the bare minimum to protect their good name and reputation. The rise of consumer activism has empowered buyers to send strong messages directly to companies. We’re increasingly seeing consumers voicing their displeasure on social media and using their wallets as a weapon.
We can no longer classify reputational harm as just a potential outcome of risk. Reputation is an invaluable organizational asset that can and should be built and protected. The challenge for risk officers is that reputational and behavioural risks are not easily managed by traditional risk models and strategies, as the potential impact is much broader than just numbers and dollars.
Managing these risks requires new skills and a new approach to facilitating risk across the business. Modern risk managers must now be good listeners and good communicators; people who demonstrate good judgment and exhibit high EQ as well as IQ. They must be able to work in partnership to build trust, knowledge and adherence across the organization – not just at the highest level.
Risk priorities need to be driven by the whole business – from Board to executive to employees – and integrated across the business. It is the responsibility of the entire leadership team to own the overarching risk management framework.
It cannot operate successfully if people work in silos.
The idea of risk ‘generalists’ is becoming increasingly obsolete. Risk managers must now be able to demonstrate in-depth knowledge and understanding of their partner business areas, in order to gain the level of respect necessary to successfully facilitate the partnership model, and build a positive risk culture across the organization.
Culture is critical when it comes to risk management. Organizations need to have a culture that supports and encourages people to speak up early if they see a potential risk. Near misses need to be captured to ensure risk factors can be better identified and managed going forward. Risk management is not just the responsibility of the risk team; it is an organizational responsibility and an individual employee responsibility.
This makes it critical for risk managers to provide regular opportunities for enterprise-wide feedback. All employees should be able to share how they perceive and plan to manage risk, as well as what they consider to be key threats and opportunities for the organization.
Particularly in large and dynamic businesses, it’s difficult, and at times impossible, for risk managers to be everywhere and to see everything at once. Risk management needs to be brought to the frontline, and individuals and teams provided with the necessary knowledge, guidelines and support to facilitate their own risk processes.
Employees must be encouraged to see risk as an enabler for change and progress, rather than an inhibitor. They must be encouraged to work in partnership with risk managers, to help future-proof businesses for the benefit of both the organization and the customer.
I would like to see us move to report on risks that are below appetite – not just above – and potentially encourage greater risk taking in appropriate areas. It’s about changing the mindset that risk management is all about avoidance. Instead we need to clearly communicate which risks we have no tolerance for (for example, fraud) and which risks are appropriate to take in order to reap rewards (such as strategic and investment related risks).
Language plays a big part here. We need to remove unnecessary complication and needless jargon, and apply a more positive focus to how we talk about risk. Perhaps we should even consider a name change for what we do – from ‘risk management’ to ‘risk facilitation’.
As well as being embedded in the organizational culture, risk management needs to flow into the strategic planning process. We need to demonstrate how identified risks are being addressed via our strategic planning. This can be both externally focused, such as through product development or innovation, and internally focused, such as through recruitment and resourcing.
In the superannuation industry, the current number one perceived risk is regulatory change. From small changes to major regulatory reform, it’s rare that our industry rotates through a financial year without facing some element of government change. Such an environment demands an agile approach to risk management, facilitated by extensive scenario testing and planning. The same applies for any industry where the frequency and pace of change is ever increasing – which, arguably, is every industry.