What is risk management? It’s not what ‘risk managers’ do

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding. If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them. The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

What to read first: What is risk management? (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

Risk specialists within management

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding.

You may well start with some basic education so that everyone knows what they are trying to do, and why that includes risk management.

You may well be involved in supporting the risk management activity with documentation, analysis, reporting, and so on, even workshop facilitation and data analysis. All of that could involve you doing some very detailed work on behalf of the organisation, possibly at your own desk in your own department. It will include calibrating the emphasis for each of your recommendations, somewhere between a disdainful silence and panicked midnight phone calls.

It may include evaluating other people’s risk management and assessments, and submitting independent assurance or warnings.

It will never involve taking decisions on risk.

Risk specialists in governance

If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them.

You will monitor and challenge the way that the organisation seeks to understand and act on the effects of uncertainty on its objectives.

I recommend that you become an expert in the actual contents of ISO 31000. ISO 31000 is surprisingly short, and focused precisely on the value of risk management to organisation governance. It is written for people at your level. Arming yourself with it will be a much better use of your time than poring over ‘methodologies’, risk registers and scales that don’t answer your questions.

The Chief Risk Officer

The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

C-level status implies a few things not required of specialist staff at lower levels:

  • Direct personal accountability to the Board, or to the alternative governance authorities.
  • An expectation of working in harmony and unity with the rest of senior management (the C-suite).

As with other C-level positions, particularly the Chief Financial Officer and the Chief Audit Officer, the expectations can be in conflict with each other.

Like other risk specialists, and unlike auditors, the Chief Risk Officer is not necessarily subject to clear rules about either independence or conformity with the CEO’s direction.

In organisations with a Chief Risk Officer, there is very likely to be an expectation for an integrated overview of risk across the whole enterprise, that is, for comprehensive Enterprise Risk Management. The Chief Risk Officer will be responsible for maintaining and reporting that overview.
Drill-down articles

What is risk management? (CRMA supplement)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

What is risk management? (CRISC supplement)

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Previous article for Risk Specialists

What is risk management? It’s not following a risk management process

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

Parent articles

What is risk management? (supplement for risk specialists)

Index to the topic What is Risk Management?