Whilst risk management has been around in various shapes and forms for thousands of years, the role of the Risk Officer or Chief Risk Officer in larger organisations, as a trusted advisor to the board and management and the leader of risk management and resilience activities, is relatively new compared to other professions like accountants, lawyers, and auditors. Even today, the role continues to evolve to meet ever-changing business demands and environments.
The demand for a highly versatile and more strategic risk professional has been increasing steadily over the last 30 years. But in recent years, there has been a rapid acceleration in demand due to the uncertainties and risks experienced during the COVID-19 pandemic, increasing frequency of cyber-attacks, more challenging geopolitical and cultural issues, growing regulatory requirements and the need to consider climate change risk impacts.
Let’s take a walk down memory lane to see how the role of the Risk Officer has evolved over 30 years and some of the contributing factors.
Pre-1990: Risk Management by Silos
Before the 1990s, relatively few organisations had a designated Risk Officer or a formal risk management function. In most cases, the management of risk was built into systems and processes.
Formal risk assessments often took the form of paper-based forms and checklists at project, function or activity level. The main tool for identifying major risks was the ‘threat’ identification piece in the SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis.
At a decision-making level, the Six Thinking Hats approach created by Edward de Bono in the mid-80s was a popular way of looking at issues and decisions from a variety of perspectives. Each of the six hats was a different colour; the black hat was about being cautious and assessing risks, which required employing critical judgment and identifying concerns.
More ‘sophisticated’ risk management functions, policies, plans, systems, techniques and processes could be found, but often in silos and only in a few sectors:
- Large, international financial service organisations employed Risk Officers who were responsible for approving higher-risk loan contracts, overseeing investment/trading positions and monitoring large financial transactions. In the 1970s, financial institutions used Monte Carlo simulations to value and analyse financial instruments and investment portfolios by simulating the various sources of uncertainty affecting their value.
- Big and complex manufacturing, engineering, and mining organisations employed a Safety Officer who was responsible for the safety of people, while engineers were responsible for the equipment, quality output and continuity of production.
- Public and private sector organisations seeking Quality Management System (QMS) accreditation under the ISO 9000 family of quality standards, first published in 1987, had to develop formal risk management processes and plans to obtain certification.
- Risk-based auditing was alive and well. It required auditors to identify and evaluate the risks and controls at process and activity level.
Risk management existed, but it was ad-hoc and not well understood across the business with little oversight by the governing body.
Early 1990’s: A New Standard Emerges
As more organisations looked to achieve quality management accreditation and apply a QMS, a big knowledge gap emerged with respect to risk management. There were very few risk management books and risk management practitioners around in the early 1990s. There was no Google and no YouTube for resources and tips!
Many organisations started to develop their own risk management approach and guidelines with mixed results.
In 1993, the first Chief Risk Officer role was established at GE Capital, and James Lam is reported to have been the first Chief Risk Officer. Over the next 5 years, larger financial institutions followed by recruiting Risk Officers.
In 1995, Standards Australia released the AS/NZS 4360:1995 Risk Management Standard. This was the world’s first popular and most widely used risk management standard until 2009, when AS/NZS 4360 was updated into the international standard ISO 31000:2009 Risk management – Principles and guidelines.
AS/NZS 4360 did not mandate the role of a Risk Officer per se; it simply guided an organisation in designing and implementing an appropriate risk management framework. For the first time, a Standard was available to help answer the question: how should we think about and manage risk more proactively and more formally?
Following its publication, many organisations started to apply the AS/NZS 4360 Standard. The Standard was referenced widely in risk management guidelines by industry and professional bodies. It became the ‘go-to’ Standard to help manage risk.
So the new AS/NZS 4360:1995 Risk Management Standard helped to define how risks should be managed, but organisations often lacked the resources, skills, expertise and experience to apply it.
Who had the skills to help? Where would future risk resources and the Risk Officer come from?
Late 1990’s: Growing Need but Limited Talent Pool
By the late 1990s, the adoption of technology had accelerated. The ‘Tech Boom’ was on! US technology stock equity valuations fuelled more investments in internet-based companies and the dotcom bubble was growing exponentially. Organisations introduced personal computers and local servers, and business processes changed as they moved away from pen and paper to computers and hard disks.
It was now a great time for technology-based organisations like Apple, Microsoft, WorldCom and Enron in the US and OneTel in Australia.
However, a large talent pool of risk management professionals who understood the depth and breadth of enterprise-wide risks to support the new and more complex world did not exist. Risk management talent was often found in the audit divisions of large accounting firms, large financial institutions and large insurance brokers.
Risk management education as we know it today didn’t really exist either. Risk management education existed in pockets and was contextualised to an industry or membership association. The Institute of Internal Auditors was founded in 1941 and the Risk and Insurance Management Society, Inc. (RIMS) was founded in 1950. Both provided some form of risk management training, incorporated into one or two modules of study. At the time:
- Insurance professionals understood the concept of risk and physical hazards but had limited understanding of operational risks.
- Banks were brilliant at quantitative risk analysis and modelling.
- Engineers understood technical design, production risk and project risk very well.
- Information technology professionals were security conscious, but the risks were mainly internal and around availability, physical and access controls. The Y2K bug was around the corner and the internet was still evolving. Organisations were becoming more interconnected, but hackers were still teenagers only interested in accessing government departments for the thrill of it and not for the data.
- Accountants had a great understanding of financial risks and some basic knowledge of operational and strategic risks via the business planning process.
- Internal and external auditors (who were often qualified accountants) were seen as best positioned to help, thanks to their training and experience in risk-based audit methods. Although not perfect, auditors were recognised and respected for their ability to assess company-wide risks and monitor control effectiveness. Internal auditors had one more advantage: they worked across many departments, projects and functions in an organisation and could see broader risks and their connectivity.
The lack of risk management talent meant that risks continued to be managed in silos, and in most companies there was no formal risk function or person responsible for looking at risks across the organisation. Often, there was no one specifically designated to help management understand, evaluate, manage and monitor the big risks.
With the new dotcom technology bubble came more opportunity, more innovation and more risk taking. But there was now a new risk management standard from Australia and New Zealand gaining popularity around the world, and an array of professionals who could think about and manage specific areas of risk.
What could possibly go wrong?
Early 2000’s: The Scandals of the Noughties
The spectacular collapse of Barings Bank in 1995 highlighted not only the importance of managing risk, but the importance of risk oversight and the need for strong internal controls to manage operational risk in a world now relying more on technology with an appetite for taking even more risk. Remember banks are the masters of quantitative risk analysis! Is that enough?
Barings Bank was founded in 1762 and was one of England’s oldest and best capitalised merchant banks. Money wasn’t an issue. It was the bank used by the Queen of England. However, it took one person, halfway across the world (in Singapore) who circumvented normal accounting, internal controls and audit safeguards to send the bank into bankruptcy. Dutch bank ING later purchased Barings Bank in 1995 for the nominal sum of £1.
But it wasn’t until the new millennium (the noughties) that we saw a spate of high-profile collapses that included Enron, WorldCom, Swissair, Kmart, Arthur Andersen, Parmalat, CINAR, FlowTex, MG Rover, HIH and OneTel. These failures had an adverse impact on people, the economy, the stock market, politicians and stakeholder confidence.
After these collapses, the political and social tolerance for future failures reduced significantly. We saw regulators around the world strengthen risk management and governance practices through various instruments including legislation, prudential standards and guidelines. For example:
- The Sarbanes-Oxley Act was introduced in the United States in 2002.
- Prudential and reporting standards were introduced in Australia (in 2002), Singapore and the United Kingdom.
- Risk management practices for listed companies were strengthened through the release of the Corporate Governance Principles and Recommendations in 2003.
- Rating agencies started evaluating risk management systems as part of their credit rating assessments.
- COSO, the Committee of Sponsoring Organizations of the Treadway Commission, used the concept of Enterprise Risk Management for the first time when it published the Enterprise Risk Management—Integrated Framework in 2004.
- Oversight responsibilities of the governing body/Board over risk management governance and practice were increased.
One of the first publications about enterprise risk management, Enterprise Risk Management: From Incentives to Controls, was published by James Lam in 2003. The book became a best seller and an important reference point for all aspiring future Risk Officers.
The bar had now been raised. Organisations were required to establish more formal, structured and proactive processes around risk management, well beyond the previous siloed approach to risk thinking.
This demanded a more strategic approach to risk management, one that required leadership, structure and resources.
Can risk management save the world? Not quite!
Late 2000’s: The Global Financial Crisis
Whilst the US-based Sarbanes-Oxley Act of 2002 did well to minimise the risk of inaccurate financial reporting (the root problem with Enron and WorldCom), the focus of the Act was too narrow. A very simple interpretation of the Act is “take whatever risk you like, just make sure your annual accounts are correct, let someone know if they’re not, otherwise you will end up in jail for a long time!”. Feel free to read the entire Act when you have time. Yes, it is a narrow and siloed approach to risk management.
Meanwhile, other global law makers and regulators had taken a broader and more strategic approach to risk management. For example, following the HIH collapse in 2001, the Australian Prudential Regulation Authority (APRA) required all financial institutions, in 2002, to adopt a more comprehensive and broader risk management approach covering all risk categories. The risk framework could be risk-based, could use the AS/NZS 4360 Risk Management Standard to help, and had to have formal plans, systems and procedures with clear responsibilities for activities. It was basically saying “manage all your risks very well, or we will take your licence to operate away from you”.
Well, thanks to the Global Financial Crisis (GFC) between 2007 and 2009, we know which one of the above approaches was more effective. During the GFC, we saw very large US-based financial institutions like Lehman Brothers, IndyMac, Bear Stearns, AIG and Washington Mutual collapse due to very poor risk-taking and deficient investment practices. Sure, the Sarbanes-Oxley Act was successful in reducing the risk of creative accounting, but it failed to encourage better enterprise-wide risk management practices.
The lesson here is clear: risk management is only as good as its weakest link, and a broader risk management approach is always better.
The Risk Officer Today
As you can see, the role of the Risk Officer is relatively new compared with other professions, but it has now been around for several decades.
There has been a shift from a siloed approach to managing risk to a more structured, proactive and integrated risk management approach and broader oversight of risks by management and the governing body.
The adverse consequences from the spectacular corporate failures of the last 30 years have also shaped risk management practices and reinforced the need for a dedicated Risk Officer today.
Just like any other field of management, it is not perfect. The Risk Officer helps the governing body and management navigate the issues.
Fortunately for many organisations, the role of a dedicated Risk Officer or Chief Risk Officer is now well entrenched into many well run and successful organisations. Sure, an effective risk management framework and a capable Risk Officer who leads risk management does not mean that nothing will ever go wrong, but done well, it does help reduce the frequency and impact of the big risks and nasty surprises.
Today, the Risk Officer or Chief Risk Officer in larger organisations is the designated leader for enterprise-wide risk management, responsible for a number of activities that include:
- Designing, operating, embedding, maintaining and continually improving the enterprise risk management framework.
- Monitoring the risk management framework and practices to ensure it operates as designed.
- Providing analysis, advice and support to the Board, the Audit and Risk Committee and all lines of management on risk management matters.
- Encouraging a proportionate and balanced approach to risk taking, but also having the courage to call out decisions that involve excessive risk taking beyond the capacity, appetite, values and capability of the organisation.
- Co-ordinating the delivery of appropriate and relevant training to enhance risk management capabilities across the organisation and promote a positive risk, compliance and control culture.
- Reviewing and enhancing key risk management related documents including risk registers, incident registers, risk profiles, policies, plans, risk appetite statement, procedures and authorities to realign to the changing environment and business needs.
The specific activities of the Risk Officer outlined above are not exhaustive and will vary with the nature, size and complexity of the organisation as well as stakeholder requirements. The important point here is that the Risk Officer now has a seat at the table with the governing body and management.
A capable Risk Officer can build positive relationships across the organisation, promote the benefits of managing risks, support managers and help navigate risk and uncertainty using both simple and complex risk assessment techniques.
Whilst the US Bureau of Labor Statistics predicts that hiring for Risk Officer positions will rise by 11% through 2022, sadly, not all large, complex and growing organisations see a need for a formal risk management function or a dedicated Risk Officer. Risk management is often one of many responsibilities of the Company Secretary, Audit Manager, Governance Manager or Finance Manager. That doesn’t mean that these organisations are necessarily worse off, but it can make effectively managing risks more challenging, as risk management competes with other activities for management time, priorities and resources.
Broad Based Skills are Key to Success
According to Willis Towers Watson, the majority of Risk Officers agree that having exceptional analytical skills alone is not sufficient. The most successful Risk Officers are able to combine analytical skills with highly developed commercial, strategic, leadership and communication skills in order to drive change and make a difference in an organisation. Risk Officers typically have postgraduate education and over 20 years of experience in accounting, economics, legal or actuarial backgrounds.
Another study, by Morgan McKinley, found that a successful Risk Officer must be able to deal with complexity and ambiguity and understand the bigger picture.
How we can help you take better risks
We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:
- Providing an interim Chief Risk Officer to backfill a vacancy.
- Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.
- Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.
- Performing an independent review or health check of your existing risk management framework to identify gaps and its level of maturity.
- Conducting risk workshops covering strategic, operational and project risks.
- Conducting risk culture assessments.
- Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.
Take risk management to the next level and contact us to discuss your needs.