This article assumes you have read What is risk management? (Everyone).
Risk specialists within management
If you are a risk specialist supporting management, you advise the decision makers and their teams on how the organisation should go about understanding risk, and on how to act on that understanding.
You may well start with some basic education so that everyone knows what they are trying to do, and why that includes risk management.
You may well be involved in supporting the risk management activity with documentation, analysis, reporting and the like, and perhaps with workshop facilitation and data analysis. All of that could involve you doing some very detailed work on behalf of the organisation, possibly at your own desk in your own department. It will include calibrating the emphasis for each of your recommendations, somewhere between a disdainful silence and panicked midnight phone calls.
It may include evaluating other people’s risk management and assessments, and submitting independent assurance or warnings.
It will never involve taking the decisions on risk; those remain with the managers you support.
Risk specialists in governance
If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy beneath them.
You will monitor and challenge the way that the organisation seeks to understand and act on the effects of uncertainty on its objectives.
I recommend that you become an expert in the actual contents of ISO 31000. ISO 31000 is surprisingly short, and focused precisely on the value of risk management to organisational governance. It is written for people at your level. Arming yourself with it will be a much better use of your time than poring over ‘methodologies’, risk registers and scales that don’t answer your questions.
The Chief Risk Officer
The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.
C-level status implies a few things not required of specialist staff at lower levels:
As with other C-level positions, particularly the Chief Financial Officer and the Chief Audit Officer, the expectations can be in conflict with each other.
Like other risk specialists, and unlike auditors, the Chief Risk Officer is not necessarily subject to clear rules about either independence or conformity with the CEO’s direction.
In organisations with a Chief Risk Officer, there is very likely to be an expectation of an integrated overview of risk across the whole enterprise, that is, of comprehensive Enterprise Risk Management. The Chief Risk Officer will be responsible for maintaining and reporting that overview.
Recommended next articles:
Discrete risk management processes within an enterprise
‘Enterprise Risk Management’ and risk management (coming soon)