Ask yourself this simple question – do we want to engage a risk management resource that fits within our salary expectations and limitations, or get the right level of expertise and skills that will maximise value?
Hopefully, it’s the latter. But so many organisations go for the former, employing inexperienced risk management resources that simply don’t have the depth of experience to deliver best outcomes for the organisation that engages them. Why would you employ an inexperienced risk manager on a full-time basis when you could engage highly skilled risk management experts on a part-time basis for less, and get far more value by doing so?
It’s about thinking outside the conventional employee box and thinking about doing it better – differently.
You might think the opportunities for risk management are as good as they have ever been. Every day we see advertised risk management roles across a wide range of organisations, across all sectors, and in both the 1st and 2nd line. But what exactly are organisations looking for when they advertise these roles? In many cases the roles are looking for extensive expertise but don’t offer remuneration consistent with that expertise. When you look into the details of other supposedly senior roles, it’s evident that there is a disconnect with required experience, the importance of effective risk management, or perhaps a simple failure to understand where the role fits within an organisation.
Whilst the differences in risk management roles between the 1st and 2nd lines should be obvious; there are many aspects to how roles, and the experience and skills required for them, differ in the 2nd line alone.
We often work with organisations who have committed to a risk management journey aimed at increasing the effectiveness and maturity of their risk management capability. In many cases these organisations have no dedicated 2nd line risk management role. It doesn’t take long for them to start the discussion about what that role should look like and plan to engage a resource. But the potential to get this wrong is high.
There is a completely different skill set associated with the development or enhancement of risk management capability v ongoing risk management. The very concept of risk management is not a difficult one to understand, but organisations that are embarking on the journey for improved effectiveness and maturity really need to understand the change management implications. A risk manager who has no experience in the development and implementation of risk management is unlikely to be a good fit for such organisations. If they find the right person for the role, it’s extremely unlikely expectations on salary will align.
One of the greatest mistakes organisations make is the creation of a centralised risk function (i.e. the 2nd line in the 3 Lines Model) is to create an environment in which the business (1st line) abdicates its responsibility for their risks to the risk management team. We are frequently engaged by organisations where this has happened seeking support to rectify the subsequent stagnation of risk management across the business as a result.
Risks belong to the business (1st line) and creating an expectation that they belong to the risk management team (2nd line) will adversely influence organisational risk culture and effectiveness. You might not think it would happen often, but you would be wrong - it happens a lot, and once it happens it’s simply a matter of time before the wheels fall off. You don’t need a big risk management team – you already have that in the business where the risks reside and are managed.
At ABM Risk Partnership, developing the resources required to meet the risk management needs of the business is part of the roadmap we develop for our clients. It’s about ensuring the right level of skills and experience for each stage of the roadmap journey. In the early stages this often includes playing the role of the Chief Risk Officer (CRO) for the organisation through the development and implementation stages. That often shifts into an ongoing resource requirement as risk management becomes embedded into the day to day of the organisation’s operations. But not all organisations want, or need a CRO, or for that matter a dedicated risk management resource. ABM often provides that role in a co-sourced capacity, providing its expertise and skills to fill the gap where needed. It’s not a forever role, as the needs of organisations change and the need for a risk management resource needs to be monitored.
Here are some of the functions that ABM provide in a co-sourced capacity:
Risk Management Leadership
Governance & Reporting
Risk Management Co-Ordination
Risk Analysis / Deep Dive (Scenario)
Project Risk Management
Opportunity Risk Management
Development / Enhancement of Risk Management Framework (incl. Risk Management Policy, Risk Appetite Statement, and Risk Metrics (Threats, Opportunities, and Projects))
Establishment or refining of Risk Registers for Business Units and the Organisation as a whole
Risk Management capability development – enhancing the competency of individuals, teams, and the organisation to manage risk
So, if you’re thinking about how to advance your risk management capability consider a co-source strategy as an alternative. Buy in the expertise that aligns to your organisational needs and maximises value.
From risk comes opportunity.