VIEW: On the voice of the risk profession
Written by Julia Graham, deputy CEO, Airmic
In recent years, the risk community has been calling for risk managers to have greater access to key decision making in their businesses – in other words having a voice at the top table. We are therefore delighted to see a growing band of evidence showing that the message is getting through. In a survey conducted by the Federation of European Risk Management Associations (FERMA) this summer, two thirds of the 634 respondents said they now report to board or top management level.
This message is supported by surveys of Airmic members which show that risk managers now find it dramatically easier to gain attention from the top. Last year, 43% cited lack of access to the board as a number one or two concern. In 2016, this had reduced to 18%. Respondents also reported greater support and leadership from the board on risk issues. This is still work in progress, but it is clear that businesses are increasingly appreciating the value of risk management.
But while the message is getting through to the top, research indicates that more is needed to embed risk management across businesses. Almost three quarters of Airmic members say their number one or two concern is risk management and risk education not being fully integrated with wider business units. Similarly, in a business resilience survey conducted by consultants Control Risks this year, 48% of respondents said they remain reliant on centralised governance and oversight instead of multi-disciplinary risk meetings.
Successful enterprise risk management requires an integrated approach: it is not possible for the risk function or senior management alone to be effective at detecting risks, and in particular identifying aggregations of risk across a business. One area, for example, where there is typically a lack of communication is between risk and IT functions. In a world where cyber risk is one of the biggest threats, this is no longer good enough. We often refer to the “risk glass ceiling” in companies where risk information fails to flow to the top. It is a great credit to the risk community that we are making cracks in the glass ceiling: now it’s time to work on the risk glass walls.