Risk Management in 2022 and Beyond
Risk management is a dynamic and developing discipline. The basic principles remain constant. Its application, though, has to recognize the context in which it is operating. That context in 2022 will reflect a business environment that is increasing in complexity due to the twin impacts of climate change and digitization.
Here, I identify three aspects that CRO’s should consider in 2022:
- Take a positive and proactive role in your organization
- Become integral to your organization’s response to climate change, and
- Demonstrate and enhance your professionalism.
Following the early stages of the pandemic, having got this far, the value of good risk management will be evident to all. Hopefully, the speed with which new techniques for remote working were employed and processes reconfigured was a testament to the hours of pre-planning and corporate ‘muscle memory’ honed from test exercises.
In the spirit of not ‘wasting crises’ in 2022, the CRO needs to leverage the goodwill that they will have built up. Assigning a value to risk management is hard in the best of times but the work of the risk manager will have demonstrated that value to all. It is time for risk management to consolidate its place in the organization. The best way to make sure it is at the ‘top-table’ and remains there is to pursue an enterprise-wide approach that continues to add value to the organization. This can best be achieved by being an enabler of activity. The risk manager has to apply the risk management process to the opportunities facing an organization in order to increase the chances of success of those opportunities.
Maintaining an emphasis on seeing risk as “positive” rather than a ‘constant threat’ and aligning the risk management process more to the strategic direction of an organization is critical. Looking back on when I first took exams, we concentrated on hazards – and damage to property in particular. Let’s face it, in the intervening period the risks we are dealing with have changed, and these pure hazard risks have diminished slightly – or should have, but more of that below.
Recent events have illustrated the reality of the significant risks we face: the occurrence of a pandemic and the impact of the climate crisis to name but two. In the case of climate change, we witnessed wildfires, tropical heat in Western Canada, catastrophic flooding in Europe and more ‘unusual events’ than before in this past year. The need for a robust ERM initiative to be adopted by organizations has never been greater. This is the second aspect to concentrate on in 2022. Risk managers must be integral to the organizations’ response to reducing carbon damage and developing a net-zero approach. Failure to do so as a society will raise existential risks and the way individual organizations respond will be a key consideration in their dealings with stakeholders. These are the risks the CRO needs to grapple with and devise controls and mitigations across their organization.
Of course, pure hazard risks remain although I suggested above that they should have diminished or been better controlled. In the 1990’s I personally dealt with a fire loss that destroyed a food factory within 30 minutes, killed two firemen and cost over $100 million. That fire shouldn’t have occurred or spread so quickly and we should have known about the risk.
The catastrophic spread of that fire was due to combustible panelling, in this case, internal panelling. I distinctly recall raising it as an issue with other food manufacturers as a warning to the industry. Our concerns were met with horror at the increased costs any change in ‘the way we do things here’ would incur. Whilst I moved onto other things, I understand that food manufacturers were gradually forced to install improved panelling to reduce the risk of such fires occurring.
In Grenfell Tower, 72 poor souls were lost due to what appears to be an appalling series of mistakes being replayed again and again, this time involving external panelling. Lessons were not learnt from previous incidents and, from what we know of the enquiry’s proceedings to date, risk management was poorly implemented: Knightsbridge Borough Council appear to have paid lip service to managing risk, the London Fire Brigade (LFB) was too insular to upgrade methods used in other Brigades and the contracting profession even seem to have ‘bent the rules’ to meet profit targets.
Quite frankly, managing these types of hazard risks in 2022 should be so well understood by now it should be a maintenance issue. I suspect the findings of the enquiry when published, hopefully next year, will send a tremor through the entire building industry and housing sector. I am sure it will have an impact on the way estates are managed, buildings maintained and fires (which will inevitably still occur) be fought.
We can take a lesson from Grenfell into 2022 before the publication of phase two’s findings. That is about demonstrating and practising professionalism. In Grenfell, it seems that the risk assessment both locally and from the LFB failed. There will be many reasons for that but the third area for risk professionals in 2022 must be to enhance their expertise and professionalism in line with the ever-increasing expectations placed on organizations.
We are seeing more people with the job title chief risk officer (CRO). I remain to be convinced that all those with such a title have the appropriate qualifications to be able to demonstrate their competence. In some sectors, this will be a regulated position and therefore subject to some scrutiny as to effectiveness. It seems to me, however, to be ad hoc and inconsistent. It cannot be right that a matter with such serious implications as risk management is the province of the enthusiastic amateur.
Passing the IRM’s Diploma is the best way to show professionalism of course, but if a senior risk professional failed to take our exams the Senior Executive Route to membership of the IRM provides a robust process to prove competence by providing details of background and undertaking a 90-minute interview. There is really no excuse not to demonstrate professionalism, and it may be in the future that failure to do so when a risk materializes will itself provide a legal basis for a claim.