Risk-averse risk officers are killing organisations and risk management
Businesses exist because they are formed by entrepreneurs. They exist to earn a return for the business owners and shareholders.
Organisations exist to fulfil a specific social purpose and to satisfy a specific need of society. The potential for creating value for their customers and stakeholders is a key motive for all types of organisations including the public sector and not-for-profits.
Risk management increases the likelihood and extent of organisational success
To fulfil a specific purpose and to satisfy a specific need of society, organisations use risk management to increase the likelihood and extent of organisational success.
Risk management helps organisations identify their objectives and put in place actions to ensure that they achieve those objectives and become successful.
While negative or downside risks can be real threats to organisational existence (i.e., cybersecurity), positive risks or opportunities can increase organisational success.
Opportunity-seeking is a must for organisational leaders
To achieve organisational success, leaders and managers must take (calculated) risks or seek out opportunities to gain increased future returns or to meet the increasing requirements or expectations of their customers, stakeholders, shareholders, the public and even political masters.
Risks and opportunities are common in nearly every industry and sector.
Risk-taking and opportunity-seeking are often fundamental to the creation and existence of organisations.
The real role of the risk officer in organisations
If risk-taking and opportunity-seeking are vital ingredients for organisational success, then it stands to reason that for those organisations who chose to have Chief Risk Officers (or similar), they must find someone who can work alongside management to take on more risks or seek out more opportunities to become successful.
Apart from having the same leadership mindset and approach that risk-taking and opportunity-seeking are an integral part of management, risk officers must be able to add value by helping leaders and managers take thoughtful or calculated risks after taking all reasonable precautions and mitigations or actively seeking out potential opportunities to accelerate their success.
They must be able to push the boundaries and find practical solutions to overcome challenges to achieve the organisational strategic goals and vision and ultimately to increase the likelihood and extent of organisational success.
Or course, this is done within the confines of the regulatory framework within which the organisation is operating, always playing by the rules.
Kill those risk-averse nay-sayers
If risk-taking and opportunity-seeking are fundamental to organisational existence and success, we really don’t want is a risk officer who sees their role as the corporate police, nay-sayers, or constantly keeping ‘cowboys’ in management under control.
And certainly, we don’t want risk management to be operated from an internal audit lens either.
We do want a risk officer who can work with or work for management and not work against management to take calculated risks and seek out opportunities.
Risk officers must, therefore, be in the trenches fighting the war alongside members of the management team. They are not bystanders telling management not to do things because they perceive them to be dangerous.
If management comes to the risk officer to find solutions that can overcome a problem and increase the organisation’s success, the last thing we want is a risk offer to say that it is not my job.
Risk officers are constantly working against management
Unfortunately, we commonly find that risk officers are constantly working against management, not working with, or working for management. Many risk officers are de facto compliance officers.
Who wants nay-sayers or bystanders in their team anyway?
It is not surprising to find that risk officers are not invited to take a seat at the board room table because they are not team players who can work alongside management, enabling the organisation to succeed.
Don’t demand a seat at the table. Show your worth. Demonstrate value creation, not value destruction.
Hire risk officers with a can-do spirit
If management wants a team player whose role is to seek out opportunities and take calculated risks, then we need the right personality type to be their risk officer.
We want risk officers who are risk-takers themselves, someone who can find practical business solutions, weigh up the risk and rewards, and take all reasonable precautions and mitigations to succeed.
Having a can-do spirit is important. Being optimistic is critical to the role.
Asking auditors to also take on the risk officer role is a big mistake
I have nothing against auditors per se. They have an important role to play in the third line of the three-line model of corporate governance.
But organisations must not combine the second and third lines and have these two lines reporting to a Chief Audit and Risk Officer.
The success of risk management hinges on open and frank discussions about the potential risks and opportunities that management is considering, or the organisation is facing.
These important management discussions will not take place when your auditor is in the room. Period.
Auditors are usually conflicted
They want their independence. And they don’t want to audit their work if they must work with management to find practical solutions to overcome a challenge.
If they can’t be a trusted advisor to management working alongside executives, a Chief Audit and Risk Officer will not be performing their risk officer function effectively.
Therefore, it is best to split the auditor’s role from the risk officer’s role into two separate positions.
Risk officers must be trusted advisors to management
For risk management to mature and drive organisational success, we need to hire can-do optimistic risk officers who can work alongside executives and managers to take risks and seek out opportunities.
You need a person who sees their role as proactively helping management work to get approval for an exception rather than someone who challenges a decision because it goes against organisational policy. Being street-smart is a vital ingredient.
In short, you need a risk officer who has practical business and management experience, business sense, and a risk-taking and opportunity-seeking attitude to match.
That person is a champion, enabler, and trusted team member who is focused on organisational success.