On January 23, RIMS hosted a webcast entitled “La Evolución del Rol del Profesional de Riesgos.” This webcast was presented in Spanish and discussed how the risk professional’s role has evolved to reflect greater visibility within an organization. This program offered updated insights to the RIMS executive report, “The Evolving Role of the Risk Professional,” and had attendees from Central and South

Below are highlights of attendee questions, categorized by presenters Leo Constantino, Risk Management Inspector General, County of Los Angeles, and Javier Mirabal, President, Mirabal Risk Management and ALARYS board member.
Q. What types of academic studies are most applicable to leading a risk function? Engineering, law, or?

A. Because risk management is a discipline that integrates different skills from different university (undergraduate, postgraduate) degree programs, no single academic program covers the entire risk management field. Risk professionals come from an array of different university degree programs, and almost all the programs offer topics that cover specific skills (e.g., finance, statistics, business, management).
Roles of Risk Management, Internal Audit, and the Board

Q. In aligning internal audit with ERM, isn't it also important to make sure both departments are able to independently score the risks? A medium-ranked internal audit risk could be a high risk for the company overall due to its impact.

A. The most important objectives of internal audit in risk management are to offer relative assurance to the board that: a) the company risk management policy is in place; b) this RM policy is applied by the executive organizational structure (CEO/top management, process owners and the rest of the organization) in an effective and efficient manner; and c) the residual risks that result from the execution of the risk management framework across the organization are aligned with its risk appetite and risk tolerance. In this case the internal audit department has to evaluate which way may be most effective and efficient: scoring each risk of the organization, or monitoring the implementation and execution of the RM framework.
Q. What are the areas of priority for executing/implementing a risk management program within a company?

A. This depends on the type of company (goods, services, size), the current maturity state of its risk management programs, and the frequency, severity and types of losses it may have incurred in the last three years. For example, a manufacturer with strong operational and safety controls that has incurred few casualty losses and whose Total Cost of Risk (TCOR) is acceptable at 2% probably needs to move along the maturity scale to an ERM program. Conversely, a retailer who has grown 100% in the last two years through acquisitions and has seen their operational TCOR rise from 3% to 8% should focus on traditional risk management efforts (loss control, claims management, safety), and build a foundation so they can eventually begin working on an ERM program.
Selling ERM and

Q. In my organization, they say "we have plenty of policies to define thresholds. Why do we need a separate risk management policy?" How can we convince managers of the need for a risk policy and risk management

A. You may want to explore this topic with senior management by asking further questions: Are the thresholds for compliance, assurance and associated risks, or are they also thresholds for strategic and operational risks? Do the thresholds have a range, or are they absolute, and do they allow for informed risk-taking (upside risk scenario)? Unless the current policies and thresholds allow the organization to differentiate between strategic/operational risks and compliance/assurance-based risks (which may well overlap), you can make a case for adding Enterprise Risk Management-related thresholds that help manage risks that specifically relate to your organization's strategic goals.
The Relationships between Enterprise Risk Management, Strategic Risk Management and Compliance

Q. I don't see the difference between ERM and SRM; strategic management should be part of strategic planning, or a great risk of

A. It all depends on whether the management of strategic risks is included in the scope and design of ERM. While many organizations do include strategic risks in their respective ERM risk registers, these risks may not be integrated fully into the strategic planning process where decisions on value creation as well as value protection are being made. Senior management teams may not have embraced strategic risk management as a vital component of enterprise risk management. This limits awareness of ERM’s structured discipline and enabling capabilities to help the organization manage the risks most directly related to achievement of the organization’s objectives. Furthermore, without a disciplined strategic risk assessment, risks arising from the plans to meet the objectives may be overlooked.
Q. At some point in this discussion, would you touch on the move to resource and hire Chief Compliance Officers rather than Chief Risk Officers, and whether you feel the ERM umbrella can and should cover compliance management sufficiently (or does compliance require a separate structure/function apart from overall enterprise-wide risk management)?

A. Companies that have an integrated approach to risk move the management of compliance risk under the ERM framework/umbrella, but companies that have a siloed approach manage compliance risk as an independent silo. Which is better? It depends on which risk management approach works best for a particular organization, but the trend is that an integrated approach to risk management is more useful for any value-added model.