What is risk management? It’s not what ‘risk managers’ do (Specialists)

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding. If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them. The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

This article assumes you have read What is risk management? (Everyone).


Risk specialists within management

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding.

You may well start with some basic education so that everyone knows what they are trying to do, and why that includes risk management.

You may well be involved in supporting the risk management activity with documentation, analysis, reporting, and so on, even workshop facilitation and data analysis. All of that could involve you doing some very detailed work on behalf of the organisation, possibly at your own desk in your own department. It will include calibrating the emphasis for each of your recommendations, somewhere between a disdainful silence and panicked midnight phone calls.

It may include evaluating other people’s risk management and assessments, and submitting independent assurance or warnings.

It will never involve taking decisions on risk.

Risk specialists in governance

If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them.

You will monitor and challenge the way that the organisation seeks to understand and act on the effects of uncertainty on its objectives.

I recommend that you become an expert in the actual contents of ISO 31000. ISO 31000 is surprisingly short, and focused precisely on the value of risk management to organisational governance. It is written for people at your level. Arming yourself with it will be a much better use of your time than poring over ‘methodologies’, risk registers and scales that don’t answer your questions.

The Chief Risk Officer

The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

C-level status implies a few things not required of specialist staff at lower levels:

  • Direct personal accountability to the Board, or to the alternative governance authorities.
  • An expectation of working in harmony and unity with the rest of senior management (the C-suite).

As with other C-level positions, particularly the Chief Financial Officer and the Chief Audit Officer, the expectations can be in conflict with each other.

Like other risk specialists, and unlike auditors, the Chief Risk Officer is not necessarily subject to clear rules about either independence or conformity with the CEO’s direction.

In organisations with a Chief Risk Officer, there is very likely to be an expectation for an integrated overview of risk across the whole enterprise, that is, for comprehensive Enterprise Risk Management. The Chief Risk Officer will be responsible for maintaining and reporting that overview.

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

Discrete risk management processes within an enterprise (Everyone)

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.
