QUICK CHECKLIST

This quick checklist is designed to help risk managers mark their progress as they read through the guide and implement the recommendations provided within as appropriate.

Check activities off as you complete them:

Objective 1: Drive risk culture
[ ] Define the overall risk profile
[ ] Help set the tone at the top
[ ] Help define the risk-management roles and responsibilities
[ ] Remember to keep it simple

Objective 2: Help integrate risk management into business
[ ] Involve staff as much as possible
[ ] Align risk management, strategic planning, budgeting, and performance management
[ ] Create a network of risk champions throughout the company
[ ] Provide risk-management training
[ ] Assist management in evaluating projects and opportunities using risk analysis
[ ] Facilitate open communication

Objective 3: Become a trusted advisor
[ ] Scan the horizon often, and remember to challenge assumptions
[ ] Inform the management about emerging risks
[ ] Conduct risk research upon management’s request
[ ] Establish a network of risk managers from peer companies
[ ] Fine-tune your own risk-management skills

CONTENTS
INTRODUCTION .......... 1
OBJECTIVE 1: DRIVE RISK CULTURE .......... 3
A. Define the overall risk profile .......... 4
B. Help set the tone at the top .......... 9
C. Help define risk-management roles and responsibilities .......... 12
D. Remember to keep it simple .......... 15
OBJECTIVE 2: HELP INTEGRATE RISK-MANAGEMENT INTO BUSINESS .......... 16
E. Involve staff as much as possible .......... 17
F. Align risk-management, strategic planning, budgeting, and performance management .......... 18
G. Create a network of risk champions .......... 23
H. Provide risk-management training .......... 24
I. Assist management in evaluating projects and opportunities using risk analysis .......... 26
J. Facilitate open communication .......... 27
OBJECTIVE 3: BECOME A TRUSTED ADVISOR .......... 29
K. Scan the horizon often, and remember to challenge assumptions .......... 30
L. Inform the management about emerging risks .......... 31
M. Conduct risk research upon management’s request .......... 32
N. Have a network of risk managers from peer companies .......... 33
O. Fine-tune your own risk-management skills .......... 34
CONCLUSION AND NEXT STEPS .......... 35
APPENDICES .......... 36
Appendix A – Risk-management roadmaps .......... 37
Appendix B – Bibliography .......... 39
ABOUT THE AUTHORS
COPYRIGHT .......... 42

INTRODUCTION
Nowadays risk management is on everyone’s corporate agenda; however, this hasn’t always been the case. We began our research into the topic back in 2007. At the time, this was prompted by the fact that many large corporations across Eastern Europe were establishing risk-management teams and implementing risk-management frameworks. Our 2007 study highlighted that risk management was largely driven by the requirements of stock exchanges and was very basic in nature. We identified a number of challenges, mainly relating to weak risk-management culture and confusion around the roles and responsibilities that the boards of directors, executive management, and the risk-management teams play in the overall management of the company’s risks.

We also noted that back in 2007, risk managers focused primarily on fundamental activities, like developing risk-management frameworks, conducting risk assessments, and aggregating risk reports. This resulted in a very compliance-like—and sometimes overly complex—process of risk identification and analysis. It often took months to get any meaningful results and quickly became a box-ticking exercise. Business units resisted what was perceived as a “back office initiative,” claiming that risks were already known and under control. Nevertheless, the drive to have a robust independent analysis of major risks, an enterprise-wide view of the same, and a reliance upon the quality of the risk-management process soon became apparent to the boards of directors and the executive management.

Today, as we continue to adapt to a highly volatile environment, businesses across Eastern Europe are becoming more proactive about risk management. As a result, risk managers have been given a much more prominent role in establishing a robust risk-management culture within organizations. In order to succeed, risk managers need to re-emerge as trusted strategic business advisors who are able to communicate with shareholders and management in a simple and compelling business language and who can apply the right risk-management tools that fit the size, complexity, and culture of an organization.

In our research, we were pleased to find that the Eastern European companies we interviewed have addressed the initial challenges, helping risk managers to get buy-in from the company and strengthen the risk-management culture within the organization.

The objective of this guide is twofold:
• To assist risk managers in building a risk-intelligent culture within their organizations and provide them with some practical suggestions and tools on how to achieve this in line with the latest risk-management standard ISO31000:2009; and
• To help the board of directors fulfil its governance duties and help the board members build the right expectations of what a true risk-intelligent culture comprises.

SECRET RECIPE FOR RISK MANAGERS

To achieve this objective, we have revisited our own risk-management experience, which we have acquired over the course of ten years of risk consulting to various businesses across Australia, Singapore, Poland, Russia, Ukraine, and Kazakhstan. Both authors have worked as risk-management consultants and corporate risk managers reporting directly to Chief Risk Officers (CRO) and vice-presidents, have actively participated in various discussions within the international risk-management community to stay at the forefront of the schools of thought regarding risk management, and have performed their own research of corporate governance and risk-management practices in 2006–2007, the results of which were published in an international journal.

We have also interviewed other risk managers from large corporations in Eastern Europe to leverage their practical approaches in developing a risk-intelligent culture and have prepared case studies of risk-management practices in developed countries. These are incorporated into our practical guide.


Guide structure
This guide provides fifteen very specific and actionable recommendations that corporate risk managers will find useful in building a robust and value-adding risk-management system. To provide a logical structure, the authors have grouped the fifteen recommendations into three high-level objectives:
• Drive risk culture
• Help integrate risk management into business
• Become a trusted advisor

A detailed description is provided for each recommendation on the left side of the page. The right side of the page contains specific actions relating to each recommendation. The authors encourage the readers to first scan the main body of the document and then refer to Appendix A, which contains useful roadmaps that help risk managers prioritize the recommendations provided in the guide. A quick checklist covering the content of the guide is also provided for the reader’s convenience on the first page.

OBJECTIVE 1: DRIVE RISK CULTURE
A. DEFINE THE OVERALL RISK PROFILE
B. HELP SET THE TONE AT THE TOP
C. HELP DEFINE RISK-MANAGEMENT ROLES AND RESPONSIBILITIES
D. REMEMBER TO KEEP IT SIMPLE


A. DEFINE THE OVERALL RISK PROFILE

Risk management is first of all about creating a culture within the
organization that supports proactive management of risks and
encourages intelligent risk-taking. Developing a risk profile for an
organization is a logical place to start.
Below are some specific steps that risk managers may take to start
the risk-management journey. However, step “zero” should always be
a frank discussion with senior management, seeking to understand its
expectations from a risk profile and from risk management generally.
Take action:
1. Review available risk-analysis methodologies
2. Select a methodology appropriate for the current risk culture of the organization
3. Pilot test the selected methodology with a few stakeholders to see if it is transparent and simple enough

Select a risk-analysis methodology that would suit your company: It is
important to select a methodology that is both suitable for your business and simple
enough that employees accept it. Probably the simplest approach is covered in
the risk-management standard ISO31000:2009 and includes consideration of
consequences and their likelihood. However, this approach is by far not the only one.
For example, innovative companies that deal with high levels of uncertainties may find
it difficult to accurately quantify probability; hence, they may use a methodology that
is structured around risk vulnerability, controllability, and impact. Plenty of literature is
available on the subject that may help you select a risk-analysis methodology suitable
for your company.
[Figure: complexity of the risk-management methodology plotted against maturity of risk-management culture]

Keep in mind that complexity of the risk-management methodology should be
proportional to the overall risk maturity of the organization. Therefore, if you are
tasked with selecting a methodology for an organization that is new to formalized
enterprise risk management or where employees have a distinctly risk-averse
culture, it would be highly inappropriate to select a complex and non-transparent
methodology. In fact, it may be appropriate to select a relatively straightforward
and simple approach—perhaps as simple as just highlighting the risks that your
company is most exposed to.
Analyze top risk vulnerabilities: Once the methodology is agreed to and
generally accepted by the stakeholders, it is time to identify and analyse potential
external and internal threats to the business.

IDENTIFY RISKS AND POTENTIAL THREATS
One of the most critical steps in the process is gathering information from which
to develop a draft risk profile. This information should be gathered using a
combination of a shelf data review, interviews, and expert opinion (these steps
are further explained below). The focus should be on understanding the nature
of events that have impacted the organization, as well as those events that
management has already considered through its business-planning activities.


Key components of this step are:

Shelf data review: The purpose of the review is to provide an insight into the background and current status of the organization’s operations. This is a critical first step for any risk manager and must be completed before fully engaging with the business, as you may find most of the necessary information already captured and available for further analysis. This involves the review of key documentation relating to the operation and its associated risks, including:
• A review of the sources of information contained within the organization that may highlight particular risky events, such as:
  • Historic losses or incidents maintained by the organization
  • Pre-existing risk assessments and management plans that may exist within the organization, including internal audit risk assessments and reports, as well as any historic SWOT analysis
  • Strategic and operating plans and details of any scenario analysis undertaken within the organization
  • Budget models and underlying assumptions/sensitivities as well as histories of reforecasts
  • Financial reports
  • Insurance coverage details and claims history
  • History of litigation and contracting
  • Historical board reports or management reports
  • Historical regulatory filings
  • Any existing key risk indicators (KRI) and key performance indicators (KPI).
• A review of industry risk information and sources of information external to the organization, such as:
  • Media articles on the organization
  • Analyst reports on the organization and its competitors
  • Ratings agency reports on the organization and its competitors
  • Insurance broker assessments
  • Reports on industry outlook prepared by analysts.
• A review of risk profiles of comparable/peer companies (available through 10K disclosure for US companies, in annual reports, or on company websites for major international corporations)
• Where available, a review of key financial ratios of the company and a comparison with a small peer group, as this exercise can also highlight potential financial risks that the company may not be thinking about
• As appropriate, additional insight obtained through the use of external industry or functional experts

Interviews: A series of interviews should be conducted with selected senior managers to validate the results of the shelf data review. These interviews should:
• Enable risk areas to be refreshed for inclusion in the draft risk profile
• Raise awareness amongst participants of the benefits/process of risk profiling
• Allow risk manager(s) to engage with stakeholders and determine the level of organizational “buy-in” and support.

Take action:
1. Identify potential threats (both internal and external)
2. Ensure all major external forces and internal sources of risk are taken into account
3. Prioritize the identified risks using the selected methodology
4. For the risks assessed as significant, management should develop and execute an action plan to address the risk
5. Draft and validate the risk profile
6. Communicate the company’s risk profile to the relevant stakeholders

PRIORITIZE IDENTIFIED RISKS
This step needs to be taken for each identified risk in order to provide the basis
for determining the risks that require further “treatment” to reduce their impact.
Risk analysis is about developing an understanding of the risk. It helps
management determine whether risks need to be reduced (or treated) and the
most appropriate risk-treatment strategies and methods. Risk analysis involves
the consideration of the causes and sources of risk, the positive and negative
consequences of the risk, and the likelihood that those consequences can occur.
The overall level for each material business risk is analysed by determining
consequences of the risk eventuating and their likelihood. Existing risk controls
and their effectiveness (as perceived by management) should be taken into
account when considering how likely the risk event is to occur and the impact/
consequences the event will have on the business.
Different risk-analysis techniques suit different circumstances. The table below
lists a number of common risk-analysis techniques:
Risk-measurement/analytical techniques, by degree of sophistication (highest first):
HIGH
• Statistical analysis (probabilistic models)
• Scenario analysis/simulation
• Sensitivity analysis
MODERATE
• Position reports (exposure/volumetric)
• Risk rating or scoring
• Risk indicator analysis
• Group-facilitated qualitative prioritisation
LOW
• Individual qualitative self-assessment

Key factors impacting selection of risk-measurement methodologies:
• Severity or volatility of risk
• Complexity
• Availability of data
• Desired capability
• Cost of implementation

Source: James DeLoach, Enterprise Risk Management, Prentice Hall


MANAGE THE MOST SIGNIFICANT RISKS
Where the level of risk is above the company’s risk appetite, management should
develop and execute an action plan to address the risk in one of the following ways:
• Transfer the risk through the use of contracts or insurance arrangements.
• Reduce the risk by adopting alternative approaches to achieving the same
objective or implementing appropriate risk controls.
• Accept the risk, and develop contingency plans to minimize the impact
should the risk eventuate.
Identify and monitor the interdependencies: The complexity and
interconnectedness of the global business environment make it very difficult
to see how one set of events can affect another. The ability to understand
interdependencies, and the tools used to monitor them, will help
the organization understand its critical dependencies, how long it can go without
them, and how it can improve its chances of survival.
Managing key connections requires an in-depth understanding of the
organization, knowing where vulnerabilities lie and making conscious decisions
about which ones to accept and which to mitigate. Without the resulting
transparency, the organization may be unprepared for either profound disruption
or opportunity.
One useful tool in performing in-depth risk analysis and identifying
interdependencies is a bow-tie diagram. In a bow-tie analysis, the causal factors
of a risk event are identified (without necessarily working all the way back to the
root causes) as well as the (potential) consequences of the risk event.
Bow-tie analysis is a technique often used to provide structure to a brainstorming
session. It is also often used to present or communicate key risks.

Take action:
1. Identify and document interdependencies between the identified risks
2. Communicate the interdependencies to the risk owners
3. Keep track of interdependencies during risk mitigation and monitoring

Allocate ownership for the top risk vulnerabilities: Once significant risks or vulnerabilities have been identified, management should develop and execute an action plan to address them. Any action designed to reduce the risk exposure should be owned by a member of the management team and the responsibilities and timeframes should be documented.

Take action:
1. Allocate risk owners to all significant risks
2. Discuss with the owners possible risk mitigations and the resources required

Check how effectively known risks are currently being controlled: One of the low-hanging fruit is to analyse how well identified risks and vulnerabilities are currently being controlled. Some risks are known and are easy to identify—take a simple example of foreign exchange. If the company has loans in foreign currency or has international sales or obligations, it has exposure. Risk managers can provide significant value by analysing the extent of the exposure and identifying whether there are any hedging or other controls currently in place. Other known risks include any risks that may have quantifiable legal or compliance implications, such as insurance or safety, for example.

Take action:
1. Test how well the company currently controls known risks
2. Discuss with the risk owners whether additional risk controls need to be implemented

B. HELP SET THE TONE AT THE TOP

Define corporate risk-management policy: For many organizations, it may
be appropriate to document management’s view of risk management in a
policy document. A company’s risk-management policy should be designed to
document the company’s risk-management approach, its willingness to accept
risk, accountabilities for managing risk, and the resources and processes
dedicated to the management of risk. It should ideally include and be reflective of
a set of objectives that guide and shape risk-management activities, and it should
outline how performance against these objectives will be measured.
An article published by Michael Rasmussen on October 5, 2010 (“Enterprise Risk
Management Policy Structure”) provides an outline of what should be included
in a risk-management policy. The organization’s policy and descriptions should
not be “boilerplate.” They should reflect the actual activities undertaken by the
company and its attitude and approach to managing material business risks.
Facilitate the assessment and communication of the company’s risk
appetite: This is another crucial step to get executive management on board.
One of the key elements of risk culture is consistent risk language and common
understanding of risk appetite. This is unlikely to get formulated in a vacuum,
as employees and managers come from different backgrounds and may have
different perceptions about what level of risk should be tolerated by the company.
The most practical approach is to break down the key risks faced by the
organization into three groups:
• Completely intolerable or “zero tolerances”
• Tolerable, if the risk creates value for the shareholders and we can measure it
• Tolerable, if the risk creates value but it’s difficult to measure
As a bare minimum, risks that fall into the “zero tolerance” category should
be clearly communicated across every level within the organization. Examples
could include health and safety risks or fraud and other issues that are simply
not tolerated by the executive management. Other risks, like foreign exchange
exposure and turnover of key employees, can be quantified and as such,
quantifiable measures should be put into place to detect when the level of risk is
exceeding the desired threshold.
Again, it is important for employees (whose performance may have an impact on
the achievement of these targets) to understand them. Some risk exposures may
have a purely reputational impact and be more difficult to quantify. In this case,
qualitative thresholds may be set, like in the case of supplier risk. However, any
risk thresholds that are set for the company should be clearly communicated to
the management and staff. More importantly, controls should be put into place to
monitor these.
Both the board and senior management should have a clear understanding of
what the company’s risk tolerance is and the extent to which they wish to manage
risk. This should be reconsidered at least annually.

Take action (define corporate risk-management policy):
1. Draft risk-management policy based on your template
2. Interview selected senior managers to validate key drivers and values relating to risk management
3. Update the risk-management policy and validate with the CEO/board
4. Publish the risk-management policy on the corporate website

Take action (facilitate the assessment and communication of risk appetite):
1. Identify and clearly communicate “zero tolerances”
2. Include controls measuring “zero tolerances” into the company’s employee performance reviews
3. Identify key risks and set quantitative and qualitative measures against them
4. Include both monitoring and forward-looking indicators to track company risk appetite

Include risk messages on the board of directors’ agenda: This is an important step in getting the board’s buy-in and educating board members in the risk-management language that could be potentially adopted by the company. The key point to remember is that some sensible output has to be generated by the risk-management team before risk messages can be placed on the board’s agenda. Another important point is that it is much more valuable to spend ten or fifteen minutes every meeting talking about risk matters than one hour once a year. Last but not least, the board members’ core competencies should be developed and maintained. It may be much more valuable for the company to spend the board members’ time discussing emerging strategic risks, rather than talking about an old and well-understood operational or compliance issue.
What you actually place on the board’s agenda is entirely up to you. You could allocate fifteen minutes to discuss general risk-management topics (this is usually more suitable for more mature organizations), or facilitate a more focused discussion on a particular emerging risk in order to reach agreement on next steps.

Take action:
1. Examine existing Board agenda
2. Identify current items that may be used to trigger risk management conversation
3. Interview selected Board members to understand their needs in terms of risk management information
4. Prepare for the first meeting and be present to answer questions, agree format and frequency

Create a separate risk committee, or expand the responsibility for risk oversight to an existing board-level committee: Risk oversight is an important element of risk management, and someone with a sufficient degree of independence should be given the overall responsibility for ensuring that significant risks have indeed been identified and appropriate action is being taken by the management to protect and enhance shareholder value. In the ideal world, the responsibility for risk oversight (and specifically for regular review of the state of risk management) should be shared by the full board.
In reality, however, there are quite a number of companies where risk-oversight responsibilities are given to existing board-level committees (such as turning the audit committee into an audit and risk committee) or given to a separate brand-new committee. This is usually a step taken by companies that have reached a certain level of risk maturity.

Take action:
1. Review existing board and board committees’ agendas to identify any risk-related items
2. Select a concise list of risk issues that would benefit from board’s review
3. Pilot test the introduction of risk-management items on the agenda with a selected few board members
4. Include risk-management matters as a standing item on the board’s agenda

Promote risk management both internally and externally: Once the company achieves tangible results by managing certain risks well, share this information both internally and externally. This can be done by presenting at various industry events or publishing small articles in relevant magazines. This will reinforce a positive risk-management image, both within the company (by creating pride) and externally.

Take action:
1. Identify opportunities to present
2. Discuss these opportunities with the management
3. Present at external opportunities

Create a “no blame” environment: At every opportunity you should encourage staff to raise risk issues. This can be done by giving out your contact information and spending time walking the floor and talking to the staff.

Motivate the staff to proactively identify and prevent risks. You may consider introducing special awards. Discuss this with the senior management to get support and buy-in. Create a “no blame” policy, and communicate it across the company.

Take action:
1. Communicate your contact details and talk to staff often
2. Create and communicate “no blame” policy
C. HELP DEFINE RISK-MANAGEMENT ROLES AND RESPONSIBILITIES
Clearly defining roles and responsibilities is critical for establishing a
robust risk-management culture. We have established the following
five recommendations to provide you with some practical advice
on how companies can ensure that risk-management is everyone’s
responsibility.

Take action:
1. Design a risk-governance model that is aligned with existing governance arrangements in the company.
2. Define and document risk-management roles and responsibilities in a risk methodology document, position descriptions, and committee charters
3. Provide adequate training in risk-management roles and responsibilities for different levels
4. Review existing business processes to determine whether minimal adjustments could be made to integrate risk-management culture into day-to-day activities

Define a risk-governance model suitable for your company: Making sure that
risk-management roles and responsibilities are clearly defined and understood by
all levels of management and staff is critical to the success of risk-management.
One way to approach this is by implementing a risk-governance model. This was
recommended to us by one of the risk managers we interviewed. This supports
our view that ethical compliance (which is more about hidden information) does
not solve a principal–agent dilemma here. Stakeholders should be looking not
only for hidden information, but for evidence of risk-management actions. It is
important to appoint and enable the right professionals with the right set of skills.
For example, it is important that a chief risk officer (CRO) understands the core
principles of business, ethics, risk management, and compliance.
A risk-governance model could be built upon the concept of three lines of
defence:
• Frontline or business: Executives, business unit management, and staff are
responsible for timely risk identification, management, and reporting. They are
also responsible for applying tools and techniques designed for managing
risks.
• Risk-management functions: Risk-management teams (including dedicated
teams responsible for dealing with safety, insurance, and financial risks)
are responsible for methodology development, facilitation, education,
guidance, and support. Sometimes, the risk-management team also plays
a role of quality control and aggregation of risk information. This makes
sense, as the risk-management team is not involved in day-to-day
management decisions and it would be unreasonable to expect the risk team
to be responsible for proactively managing risks.
• Internal audit team and the board: Independent bodies like the internal audit
team and the board provide an independent oversight that the organization’s
risk-management is in fact working as documented in the policies and
procedures, and key corporate risks are being managed.
Together, the three lines of defence provide a sound foundation for establishing
robust risk-management within the company. More recommendations on how to
roll out the risk governance model are provided below.

Document risk-management roles and responsibilities in both job
descriptions and committee charters: The first step in establishing a risk-governance model is to document risk-management roles and responsibilities.
The common practice—as was confirmed in our interviews—is to document risk-management roles and responsibilities in a risk policy or methodology document.
This is, however, of limited use, as the risk-management policy could be treated
by the employees as a “technical risk-management document” that is irrelevant
to the usual business practices. A good idea is to keep risk-management
methodology documents in plain and simple English. An even better idea is to
draft risk-management roles and responsibilities for different levels (say, each of
the three lines of defence), validate them with management, and include them
in job descriptions and committee charters. As was identified by one of the
companies we interviewed, this has proven to be much more effective than just
listing risk-management responsibilities in a methodology document.
Adjust existing business process documentation to reflect risk-management responsibilities: Speaking with a large group of risk managers at
a forum held by a large risk-management consulting firm also helped us identify
another recommendation that will help to cement risk-management roles and
responsibilities. Instead of putting risk-management roles and responsibilities
as an add-on to existing business processes, try to truly embed them. Let’s
review an example that was successfully implemented by one of the companies
we interviewed: Instead of documenting in a risk-methodology document that
a risk assessment had to be completed for any project of a certain size, the
company changed its project approval procedure, requiring a risk assessment
to be prepared and reviewed before a project could be signed off on. No new
“risk-management” document was created; instead, the long-standing project
management procedure was modified to reflect the new organizational risk-management culture.
Check the management and staff’s “risk temperature” at least annually, or
include risk-related questions in other behavioural assessments. All risk
managers we interviewed believe that periodically checking the company’s level
of risk-management culture maturity actually helps to reinforce and strengthen
the culture. Numerous tools exist in the market that are designed to test risk-management culture; however, a simple comparison against the elements of
better risk-management, provided in the appendix to ISO31000:2009, could
be sufficient. Regularly discussing culture and attitude to risk amongst senior
management and the board and communicating these expectations to other staff
is an important foundation of risk management.

Take action:
1. Select a risk-management benchmark that you think would be appropriate for your organization. ISO31000:2009 would suit most companies.
2. Perform a self-assessment to set the current state to measure against.
3. Choose the desired state of risk culture that would be appropriate for your company and the frequency of assessment.
4. Perform periodic risk-culture surveys.

SECRET RECIPE FOR RISK MANAGERS

C

HELP DEFINE RISK-MANAGEMENT
ROLES AND RESPONSIBILITIES
Include assessment of risk-management roles and responsibilities into
the annual staff performance review process. Once the risk-management
roles and responsibilities have been documented in the risk-methodology
document, job descriptions, and committee charters, they need to be reinforced
by appropriate KPIs and assessment during annual/semi-annual performance
reviews (depending on the company’s procedure).
As we have mentioned before, risk management is everyone’s responsibility;
however, as experience shows, extra responsibility is rarely accepted without
appropriate motivation. This was supported by the findings from our interviews
with our sample companies. The companies that have formalized risk-management
KPIs have shown significantly greater progress in developing a risk-management
culture within the organization than those that have not.
Risk-management KPIs should be set in accordance with the risk-governance
model, as discussed above. This means that there usually are different KPIs for
different levels within the company. For example, a KPI for the CEO could include
an annual review of risk appetite and risk-management policy, reporting to the
shareholders, and so on, while a KPI for staff would include timely risk reporting,
appropriate risk escalation, and risk mitigation.

Take action:
1. Develop a set of risk-management KPIs for each level in accordance with the company’s risk governance model (executive, business unit management, risk management, internal audit, etc.).
2. Review the existing annual performance review process, and develop a strategy for incorporating risk-management KPIs into the process. This has to be done together with HR and followed by an extensive communication program.
3. Track employee performance against risk-management KPIs for the first year as a trial.
4. Reward positive signs of risk-management culture and reinforce good risk-management behaviour beginning with year two. Signs of poor risk management should be identified and fixed.

D

REMEMBER TO KEEP IT SIMPLE

This is the golden rule of risk-management: keep it simple! As a risk manager,
your objective is to help your company implement a risk-management process
that is part of the corporate governance system. Risk-management initiatives
should be clear to everyone and easy to embed into normal business
activities; otherwise, you will most likely meet great resistance or ignorance.
Talking the accepted business language rather than using risk-management
terminology often helps increase the effectiveness of risk-management
communication. Using risk-management measures like VaR, EaR, and so on
may be appropriate when speaking with the CFO or other financial officers, yet
they might be a turn-off to the marketing director or corporate lawyers.

CASE STUDY
One of the strongest examples of risk-culture growth we have observed
took place at one of Australia’s airports, which happens to be the busiest
airport in the Southern Hemisphere by plane movement.
For almost two years, we (at the time working as risk consultants) would
meet with the management team every quarter to discuss and map
out the major company risks. Normally, we would conduct a series of
interviews, where we would track the progress of the risk mitigations that
we had previously designed and agreed upon. A summary report would
be prepared, showing the progress in managing the known risks plus any
emerging risks that had come to management’s attention. Then we would
gather the management team together for a joint discussion around what
the risks were and how well the company was able to deal with them.
Then the financial crisis hit and—without noticing—the management team
shifted from quarterly risk reviews to real-time risk management. Just one
remarkable example was when the airport’s CFO decided to conduct a risk
analysis of their key customers, as he was alarmed that the financial crisis might
impact the customers’ financial stability and, in turn, the airport’s revenues.
He followed the analysis with an action plan to counteract the potential
impact on the company.
There were other examples as well where the management team identified
emerging risks and took active steps to prevent them. Now, imagine what
a risk specialist working at the company full-time can do to shift the CEO’s
perspective of risk management.

OBJECTIVE 2:
HELP INTEGRATE
RISK-MANAGEMENT
INTO BUSINESS

E. INVOLVE STAFF AS MUCH AS POSSIBLE
F. ALIGN RISK-MANAGEMENT, STRATEGIC PLANNING, BUDGETING, AND PERFORMANCE MANAGEMENT
G. CREATE A NETWORK OF RISK CHAMPIONS
H. PROVIDE RISK-MANAGEMENT TRAINING
I. ASSIST MANAGEMENT IN EVALUATING PROJECTS AND OPPORTUNITIES USING RISK ANALYSIS
J. FACILITATE OPEN COMMUNICATION

E

INVOLVE STAFF AS MUCH AS POSSIBLE

At the end of the day, the success of risk-management is all about corporate
culture. To make sure that the process is not alien to the staff, risk managers
need to involve the employees in the process from the very beginning. This
means involving them in the way that is accepted in the company (e.g.,
workshops and/or individual meetings). Make sure that all important
risk-management messages from the board or the senior executive team are
communicated throughout the company. Where particular risks affect several
business units, facilitate collaboration between the units to agree on the risks’
causes, consequences, magnitude, and actions.
It is considered good practice when a risk manager does the preliminary risk
research, comes up with some suggestions for potential vulnerabilities and
risk-management strategies, and then brings in the management and staff to
actualize the risk identification, assessment, and mitigation.

Take action:
1. Identify internal stakeholder groups.
2. Consider how each group can be involved to provide the most value.
3. Don’t overcomplicate it, but keep track of the important stakeholders, as it is easy to lose sight of them sometimes.

F
ALIGN RISK-MANAGEMENT,
STRATEGIC PLANNING, BUDGETING,
AND PERFORMANCE MANAGEMENT
Risk-management plays an important role in developing a robust strategy. It is
instrumental in challenging strategic plans and prompting executives to think
about the other side of the coin. Risk-management objectives help a company
reasonably articulate which risks associated with strategy the company is
prepared to take on and which risks the company should manage at all costs, or
when the company should alter its strategy if the unacceptable risks cannot be
managed.
Opportunities exist to achieve a better alignment among risk-management,
strategic management, and business-planning processes. This could involve
establishing more transparent links between strategic risks and strategic
objectives, considering outcomes of strategic risk profiling in preparation of
strategic planning assumptions, and incorporating risk-mitigating strategies in the
organization’s business plans.
The starting point for embedding risk-management is to link the risk-identification
process to the company’s strategic and business plan objectives, using risk
assessment as an element in strategic and business plans. Risk and performance
are managed and monitored in an integrated manner to help achieve better
overall governance.
Practically, risk-management objectives can be aligned to strategic objectives
through:
• Articulating risk appetite;
• Identifying major risks to strategy and informing the strategic plan;
• Performing a scenario analysis of major strategic uncertainties in the middle-term horizon;
• Developing actions to mitigate major current risks and prepare to address emerging ones;
• Including the costs of risk-management actions in budgets;
• Assigning accountability for the risk-management actions and including those in the executives’ performance metrics.

Effective risk-management provides increased confidence that we can deliver
desired outcomes, manage risks and threats to an acceptable degree, and
make informed decisions about opportunities. Alignment of risk-management to
strategic planning, budgeting, and performance management can deliver a range
of benefits by:
• Improving planning processes by enabling the key focus to remain on the core business and helping to ensure the continuity of service delivery;
• Reducing the likelihood of potentially costly “surprises;”
• Preparing for challenging events and improving overall resilience;
• Prioritizing budgeted resources;
• Optimizing performance through efficiencies in service delivery, major change, and quality-assurance initiatives; and
• Contributing to the development of a positive organizational culture of improved governance, clear purpose, and roles and accountabilities for all staff.

ALIGNMENT TO STRATEGIC AND BUSINESS PLANNING

Understanding how risks align with the planning processes enables us to
effectively integrate risk management into our governance and management
structures. Risks are dealt with as part of any planning and implementation
process, including strategic planning, business case evaluations, and major
projects. Key risks are also an important part of the funding plan submissions to
the treasury (for state enterprises).
Strategic risk-management applies to the process of considering and managing
the strategic risks on the executive risk profile, which may impact the company as
a whole.
Strategic risks are those that may have a direct and significant impact on the
plans. The strategic risks are managed by the executives collectively and each
member of the executive committee individually.
Business plan risk management applies to the process of considering and
managing risks to the delivery of major projects and services. Business plan risks
include tactical and operational risks. Risks associated with major projects and
initiatives relate to the delivery of infrastructure projects.
The key to success is to include a strategic risk agenda for the annual senior
executive strategy sessions. This is where the CRO or risk manager should
manifest himself/herself as a strategist, being able to facilitate challenging
conversations with senior executives. These discussions may involve a range of
areas: major strategic uncertainties to strategic objectives (including emerging
risks and opportunities), consideration of how these may evolve in the middle term
(scenario planning), and what strategies a company may need to develop to seize
opportunities or deal with a potential downside (e.g., mitigate it or change the
strategy). Considering the “risk upside” may involve a risk-based approach to the
prioritization of opportunities and evaluating opportunities as part of the strategic
risk-assessment process.
The executives should achieve an agreement on major risks at the entity-level,
prioritize them, and agree on a management approach; initiate implementation of
risk-mitigating actions; and collectively analyse a report on the major risks and the
company’s progress on the actions on a regular basis. Outcomes of strategic risk
profiling should be considered in finalizing strategic planning assumptions and
incorporating risk-mitigating strategies into divisional business plans.
It is important that this link to strategic and business planning is maintained
throughout the business period (e.g., a financial year). The effectiveness of
risk-management actions can be demonstrated through:
• Monitoring key risk-mitigating actions and reporting on the progress to the executive; and
• Delivery of the business plans and effectiveness of the key business processes.

Take action:
1. Include a strategic risk profile discussion on an executive strategy session agenda.
2. Articulate parameters of risk appetite and agree to them individually with executives beforehand.
3. Prepare an executive risk discussion paper that includes:
   • Results of the environmental scan for the main current and emerging risks.
   • Obtain risk-monitoring reports from the business units and analyse the status of risk-mitigating actions. Highlight changes in the internal environment that might impact the risk profile.
   • Refresh the company’s risk profile, highlighting major current and emerging risks that are above the company’s risk appetite, and provide comments on the changing nature of these risks and the status of the mitigating actions.
   • Develop two to four scenarios around major emerging risks to discuss how the company could benefit from applying risk-management principles.


ALIGNMENT TO BUDGETING
Risk information helps identify resourcing requirements and assists in the
prioritization of available resources as follows:
• Risk information and estimates of resource requirements for the mitigation of major risks are included in program and project proposals and considered by the executive.
• Risk-management resourcing implications are included in the business unit plans and the corporate plan and approved by the executive.
• The risk-management resource implications are included in the funding plan (for state-owned enterprises) and approved by the executive.
• The budget prioritization process takes into account the company-wide and business unit risk profiles.

The risk-management framework allows the escalation of risks throughout the year,
with any financial considerations being subject to the executive and the board of
directors’ decision as appropriate. However, the identification and assessment of
risks will not necessarily be a trigger for additional funding. If additional funding
is available, then this can be used to accommodate the risk-treatment activities
required to manage the areas of high risk. In most cases, however, the reduction
of the risk exposure in a particular area will be accommodated by reprioritizing the
available activities, resources, funds, or other investment into that area.

RISK MANAGEMENT AND PERFORMANCE MANAGEMENT

Risk-management objectives are linked with performance management at all
levels of the organization. Appropriate risk culture is supported by ensuring that
risk-management objectives and overall performance objectives are aligned. This
is supported in the following ways:
• The executives (members of the executive board) and their direct reports’ performance agreements incorporate risk-management objectives such as high and extreme risks, target (or acceptable) risk ratings, risk-management strategies, KPIs, and due dates.
• Identification of the “people component” of major business risks—leadership, knowledge, capabilities, behaviour, staff turnover, succession planning, training and development, and culture. Relevant risk-management strategies are developed to address the root causes of these risks.

Take action:
1. Review the members of the executive board and their direct reports’ KPIs and performance agreements and—if necessary—update them to include high and extreme risks, current risk-mitigating activities, and future initiatives to be implemented.
2. Align risk-management objectives and other performance objectives to ensure they are not contradicting.
3. Analyse the risk profile and identify the “people component” of the risk. The following areas should be in focus:
   • Leadership, commitment, and support
   • Knowledge and capabilities
   • Behaviour and development
   • Ethical risk (ensure that policies, practices, and communication support ethical behaviour).
4. Ensure that performance agreements, KPIs, and risk-treatment strategies effectively address these components.

ALIGNMENT TO DECISION MAKING
To slowly shift the corporate culture toward risk-management, it is important
to steer away from the perception that risk-management is detached from the
business. One of the most useful, yet simple, ways of doing this is to integrate
elements of risk analysis into decision making. This can be done in a way that
suits your company best. Here are two examples:
• Major business decisions can be put through the risk-management team, so that appropriate risk analysis can be done and attached to the decision proposed. This will help to present a much more complete picture to the management and the board; however, this is also quite time-consuming and demanding, so the pros and cons need to be carefully considered. The volume of transactions/decisions would be a key factor in deciding whether to adopt this process or not.
• A minor adjustment can be made to the document template currently used for submitting key decisions to management or the board. By including a section on the “risks associated with the proposed decision,” the risk manager can encourage staff to actively think about the downsides of any proposed decision and document them.

Other examples may include:
• Investment decisions. By adopting a probabilistic approach to investments, companies can avoid many of the pitfalls inherent in more traditional evaluations. Instead of a single net present value (NPV) point estimate, companies can determine the probability of a whole range of outcomes, including the probability of a negative NPV. The range of probabilities can then be compared with those associated with alternative project structures.
• Financial decisions. Most financial policy decisions involve risk trade-offs that should be viewed within the context of enterprise cash flow and value trade-offs. Too often, these decisions are based on arbitrary debt/equity guidelines or target credit ratings instead of cash-flow-at-risk and value-at-risk principles.
• Operational decisions. Decisions on a company’s manufacturing footprint, supply chain design, outsourcing, and inventory policy involve significant risk-return trade-offs that can also benefit from an enterprise risk perspective.

Take action:
1. Review the current decision making process and any templates used.
2. Update the template to include risk analysis (it can be complex or simple depending upon your needs).
3. Provide adequate training/guidance to the users of the form.
4. Pilot test and implement.

G

CREATE A NETWORK OF RISK CHAMPIONS

Another useful technique that is being adopted by companies with mature risk
cultures is establishing a network of risk champions. Risk champions are the
“glue” between the risk-management team and the business unit staff. Risk
champions could either be a representative from the management team or a staff
member, although in each of these cases, the roles would differ. The management
risk champion would be responsible for driving the risk-management agenda
and reinforcing risk culture within his/her business unit. The staff risk champion
would be responsible for coordinating risk-identification activities, working with
risk owners to define risk-mitigation actions, monitoring their execution, and
aggregating risk reports.
There is no one-size-fits-all approach with regard to risk champions. For some
smaller companies, it may be appropriate to have one or two risk champions
supporting the core risk-management team. People who are naturally motivated
toward risk-management are usually given this extra opportunity. It goes without
saying that extra responsibility should be reinforced with extra motivation as well.
You will find more information about this in the risk and reward section below.
For larger organizations, it may be required to allocate a risk champion for every
geographic location where the company is present, or even a risk champion for
each major line of business. As our experience shows, having a network of risk
champions within each business unit usually proves to be excessive and overly
time-consuming.

Take action:
1. Define roles and responsibilities to be fulfilled by risk champions.
2. Determine the appropriate number of risk champions.
3. Provide adequate training to allow risk champions to fulfil their new duties.
4. Develop an appropriate motivational package for risk champions (this could be extra recognition at the annual performance review or a slight salary increase).

H

PROVIDE RISK-MANAGEMENT TRAINING

Risk-management is not a “one-off” activity—it has to be sustained through
regular communication and training. In this section, we have grouped key
recommendations that will help build strong risk-management communication
channels and provide good training. These recommendations will reinforce and
strengthen the risk culture within your company.
Include risk-management in the training for new hires: Dealing with
uncertainty and managing risks may sound like common sense, but it’s not
straightforward for everyone. Nor should it be, as employees come from
different backgrounds and experiences. Hence, it is especially important once
the company has started on the path of formalized risk-management that all
employees who join the company are taught the foundation. One of the risk
managers we interviewed confirmed that an introduction to risk management
needn’t be lengthy—in fact, it could be as quick as ten minutes and cover only
the basics like risk-management policy, key roles and responsibilities, and the
frequency of major risk events (e.g., quarterly risk assessments, semi-annual risk
reports, and so on).
Provide training to executives and the board of directors: It is equally
important to provide adequate risk education to the top management and the
board. We have already mentioned that it is critical that the company leadership
all speaks the same risk language and shares an understanding of the firm’s
risk appetite. This is an important action, as noted by all the risk managers we
interviewed. Executives and the board must share the vision of risk-management
created by the risk-management team, and this is only achievable by providing
sufficient education and guidance at the top level. Consider using external
facilitators to provide the most impactful and powerful training. (Unless, of course,
you yourself are a wizard at facilitation.)

Take action:
1. Identify learning priorities for the board (if any).
2. Develop the program.
3. Include it in the annual development plan for the board.
4. Consider using external facilitators.

Provide training to risk champions: Risk champions are very important to the
successful rollout of risk management within the organization. As soon as risk
champions are nominated, they are given extra risk-management responsibilities.
In order for them to fulfil their new responsibilities, they must be adequately
trained. Risk-management training has to provide a good foundation and include:
• Risk-management terminology;
• Risk-management roles and responsibilities;
• Risk-management processes;
• Risk reporting; and
• The indicators of a positive risk-management culture, etc.
It may also be appropriate to provide additional training to the risk-management
team itself. Various certifications are available from international risk-management
bodies, which can help significantly raise the competency level of risk-management
staff.
Make training competency based: A minor but important point—training is
an investment decision for a company, like any other. It costs money to develop
training, invite trainers, and take staff away from their day-to-day work. Just like
any other investment, the company should track the return on investment from
training. As suggested by one of the risk managers we interviewed, any
risk-management training provided by the company should be competency based,
so that management can see whether the lessons have been learned and the
risk culture of the organization has improved.
Consider annual certification for employees in high-risk areas: Another
useful suggestion is to consider annual risk-management certification for
employees in high-risk areas. This will help ensure that employees working in
areas like trading, hedging, insurance, safety (this is, by the way, done already
in most organizations), high operational risk, etc., possess the necessary
risk-management skills required to fulfil their job responsibilities. The certification
may include knowledge of relevant legislation or standards and internal
company procedures related to risk-management.

Take action:
1. Draft the risk-management curriculum for the company, including training for new staff, senior management and the board, and risk champions.
2. Build risk-management training into the existing training schedule for the company. You will need to coordinate with your HR team.
3. Consider risk-management certification programs for the risk-management team itself.
4. Consider annual certification for employees in high-risk areas.

I

ASSIST MANAGEMENT IN EVALUATING
PROJECTS AND OPPORTUNITIES
USING RISK ANALYSIS
There is value in applying risk analysis during the evaluation of major projects or
other management decisions. If such an opportunity arises, risk managers should
seek the responsibility for conducting such analysis.
Analyses should be comprehensive, yet easy to read and understand. The risks
need to be analysed from different perspectives, including financial implications,
reputation, safety, environment, and so on. It would also help to document and
analyse any key external drivers that may impact the project.
The downside, of course, is that every project will require risk-management review
and thus will take up most of the risk-management team’s time. This is probably
not preferred; however, it is entirely up to you.

Take action:
1. Identify financial, reputational, safety, environmental, etc., risks associated with the project.
2. Identify and test key external drivers that may affect the project in the future.


J

FACILITATE OPEN COMMUNICATION
Speak the business language: Bryan Whitefield said it best in his newsletter:
"Identify all the stakeholders you need to influence. Identify the order in which you
wish to tackle them. It is always best to get senior management’s buy-in first;
however, sometimes that just isn’t possible, and you have to win over their key
influencers before you can tackle them. Make sure you have a clear strategy.
Identify their main motivators, hobbies, and interests. Your best opportunity for
engaging someone who does not already know you and trust you is to ignite his/
her interest through something he/she is already passionate about.
Risk-management has so many intangibles. You need to do your best to
make what you want to achieve seem tangible to your target audience.
People comprehend best when you provide them with both visual and verbal
descriptions—so draw a picture and tell a story. Choose examples that are most
likely to relate to the motivators, hobbies, and interests you have identified.
Speak their language—I call it moving from “risk speak” to “c-suite speak”
when engaging senior executives. Too often we simply blurt out what we know
is needed in what we might consider to be simple risk language; however, it
may mean almost nothing to our audience. Try talking “inherent risk” with a
CEO. You know—the world without controls. You would probably agree that a
better approach would be to discuss the need to identify where the organization
may be able to save some compliance costs by understanding which of the
company’s current controls are the most important and which are not."
Source: Risk e-Views Vol 4, December 2010, Risk Leadership: How to be Heard, Bryan
Whitefield, Director, Risk Management Partners

Take action:
1. Identify all the stakeholders you need to influence.
2. Identify their main motivators, hobbies, and interests.
3. You need to do your best to make what you want to achieve seem tangible to your target audience.
4. Speak their language.

Include risk messages in external company communications: Risk-management
disclosure is very important. Increasingly, stakeholders look to
companies to provide evidence of effective management of not only the financial
risks, but also other nonfinancial material business risks in such areas as
community affairs, human rights, employment practices, health and safety, and the
environment.
It is recommended for disclosures to include the following items:
• A summary of the company’s risk-management policy on the company’s
website in a section clearly titled “corporate governance”
• A corporate governance statement for the annual report, including:
   • An overview of your company’s risk-management processes
   • Progress made since last year in managing risks
   • The governance structure in place to manage risks
   • Any major achievements in managing risks.
The following disclosures are optional, and you may choose to exclude them from
the annual report, as they may be considered commercially sensitive information:
• Details of the company’s risk profile
• Details of the risk mitigations
• Historical losses from specific risks
When a company discloses information elsewhere in the annual report or on its
website, it can cross-reference that information to avoid duplicating disclosures.

Take action:
1. Identify key external reports published by your company.
2. Consider including risk-management topics in the external reports (e.g. a risk-management section in the annual report, a risk-management section in the reports prepared for the government agencies).
3. Include both information regarding the current processes designed to identify and manage risks and the specific risks that may be relevant to the reader.

J. FACILITATE OPEN COMMUNICATION

Share information about key risks between divisions: Many organizations practice risk management in "silos" and do not consider the possibility of risk interactions and risks in combination. Of course, silos (and the expertise within them) are a necessary component of effective risk management, but the key for risk managers is to facilitate good communication between them. Risk managers need to help build a mechanism to escalate those risks, identify a key risk owner to compile and view those risks in a "portfolio" view, and analyse them across the silos. The goal is not to break the silos down; it is to foster communication among and between them.

This can be facilitated by:
• Distributing the corporate risk reports to all company staff
• Posting all significant risk communications on the corporate intranet
• Including risk messages in company-wide communications, such as magazines and newsletters
• Sharing key lessons learned from realized risks between divisions or locations
• Sharing positive examples of risk management with everyone in the company

Create simple methods for risk escalation: Employees are an invaluable source of information about emerging risks. It is common for junior and middle staff to talk about problems and pain points long before they become real problems for the company.

To take advantage of this source of information, risk managers need to establish a simple and transparent escalation process. It should be easy for an employee to call or e-mail the risk manager to share his or her concerns about an emerging risk. It is equally important to notify staff that such an escalation mechanism exists. Treat this reporting line as an early warning system, and praise the people who participate.

Take action:
1. Identify existing silos
2. Inform everyone about the company's risk profile
3. Document lessons learned, and share them across locations and divisions
4. Share positive examples of risk management with everyone in the company
5. Develop a simple escalation mechanism for reporting emerging risks (provide contact details on the intranet, or develop a very simple and short form)
6. Communicate the escalation mechanism to all staff


OBJECTIVE 3: BECOME A TRUSTED ADVISOR

K. SCAN THE HORIZON OFTEN, AND REMEMBER TO CHALLENGE THE ASSUMPTIONS
L. INFORM THE MANAGEMENT ABOUT EMERGING RISKS AND FOCUS ON THREATS
M. CONDUCT RISK RESEARCH UPON MANAGEMENT'S REQUEST
N. ESTABLISH A NETWORK OF RISK MANAGERS FROM PEER COMPANIES
O. FINE-TUNE YOUR OWN RISK-MANAGEMENT SKILLS

For more information on Becoming a Trusted Advisor in Risk, please
visit Bryan Whitefield’s website, www.rmpartners.com.au


K. SCAN THE HORIZON OFTEN, AND REMEMBER TO CHALLENGE THE ASSUMPTIONS

Risk managers need to look beyond the boundaries of the firm and consider what is happening elsewhere. In recent years, businesses around the globe have become increasingly interdependent, which brings great benefits in both efficiency and innovation but also increases companies' exposure to risks, in many cases risks they do not even know about. Risk managers need to go beyond the known issues to look at links and interdependencies. Scenario analysis may be used for all types of risk with both short- and long-term time frames. With short time frames and good data, likely scenarios may be extrapolated from the present; for longer time frames or with weak data, scenario analysis becomes more imaginative.

By understanding the current assumptions about the business environment and the existing business model, and by describing their antitheses, enterprise leaders can identify the characteristics of major shifts in advance and judge whether they are beneficial or adverse.

This topic is covered very well in the book The Black Swan by Nassim N. Taleb. Two more recent studies, by the Corporate Executive Board and Deloitte Touche Tohmatsu, indicated that over 65 percent of the time it is external/strategic risks that cause the most damage to companies, a significantly larger share than financial risks or operational failures.

Take action:
1. Identify key assumptions used during company planning
2. Develop a program for periodically testing these assumptions (you may consider using key risk indicators)
3. Identify a set of plausible scenarios
4. Regularly (at least semi-annually) perform stress testing and scenario analysis


L. INFORM THE MANAGEMENT ABOUT EMERGING RISKS AND FOCUS ON THREATS

One of the fundamental skills that any risk manager needs to possess is the ability to communicate emerging risks to senior management. This means having the right processes in place to scan the environment to identify the emerging risks, package the information appropriately, and present it in a timely manner.

In order to get the message across, the communication to senior management should include the following:
• Threat overview
• Immediate, medium-term, and long-term implications for the company (ensure that both financial and non-financial consequences are covered)
• Speed of the threat (how much time does the company have to respond?)
• Existing readiness (how prepared is the company?)
• Proposed solution/action, including responsibilities and timeframes

Take action:
1. Once the emerging risk has been identified, validate it with a superior
2. If the perceived threat is judged to be significant, prepare the communication and present it to senior management

M. CONDUCT RISK RESEARCH UPON MANAGEMENT'S REQUEST

Sometimes management may request specific research into a particular threat. For example, they may believe that the company's exposure to FX fluctuations is growing too quickly and ask you to investigate the full extent of the perceived problem and provide possible solutions.

Requests like this are always good news and highlight that risk-management skills are in demand. Should you receive such requests, go ahead and do them. If specific skills are required, you may be able to bring consultants on board to help you investigate the problem. Usually, engaging consultants is most effective after you have conducted some preliminary analysis yourself.

Take action:
1. Seek to understand the background behind the request
2. Conduct the necessary research and provide a response


N. HAVE A NETWORK OF RISK MANAGERS FROM PEER COMPANIES

Now here is a good idea: do not reinvent the wheel! Whenever possible, learn from others by establishing a network of risk managers from peer companies. You will invariably meet others while attending various risk-management conferences throughout the year. Stay in contact with them, learn from each other, and share experiences.

Obviously, every country is different. The risk conferences and events that I had an opportunity to attend in Russia were absolutely useless in terms of new knowledge. However, they did serve as a wonderful networking platform.

Take action:
1. Try to meet risk managers from peer companies
2. Network during external risk-management events
3. Stay in contact, share, and learn from each other

O. FINE-TUNE YOUR OWN RISK-MANAGEMENT SKILLS

Risk management is a very dynamic discipline, and you need to stay up to date on current developments. However, fine-tuning your risk-management skills is as much about learning about business in general as it is about learning new risk-management techniques. The days of the risk manager as methodology guru are over. Senior management now expects risk managers both to help identify emerging threats and to work together with the business to develop mitigation plans. As a result, risk managers need to be thoroughly conversant with the specifics of the business and industry they work in.

This means that attending conferences relating to your industry is equally as important as attending risk-management events. It is crucial that risk managers understand industry-wide issues and challenges.

If you feel it would significantly boost your value to the company, you may consider obtaining an appropriate risk-management certification. Some examples include FRM (Financial Risk Manager; Global Association of Risk Professionals), ERP (Energy Risk Professional; Global Association of Risk Professionals), or PRM (Professional Risk Manager; Professional Risk Managers' International Association).

Keep track of the relevant risk-management standards and publications. Some of the core materials that you need to be familiar with include:
• Global Risks Report, published annually by the World Economic Forum
• ISO 31000:2009 (risk management principles and guidelines)
• ISO/IEC 31010:2009 (risk assessment techniques)
• ISO Guide 73:2009 (risk management vocabulary)
• King III
• ASX Principles
• Basel III
• Solvency II
• Guidance for boards and audit committees (monitoring the effectiveness of internal control, internal audit, and risk-management systems)
• Assessing the Adequacy of Risk Management Using ISO 31000, from The Institute of Internal Auditors
• Practice Standard for Project Risk Management, from the Project Management Institute
• BS 25999 (Business Continuity Management)
• COBIT (Control Objectives for Information and Related Technology), and so on.

Risk-management consulting firms often provide free risk-management newsletters. It is also a good idea to sign up for one or two of these.

Take action:
1. Learn as much as possible about your business by attending meetings and studying internal reports and industry publications
2. Continue to develop your risk-management skills by staying up to date on the latest thought leadership (large consulting firms regularly publish articles)
3. Consider risk-management certification
4. Be familiar with the common risk-management standards


CONCLUSION AND NEXT STEPS
We sincerely hope that you found this guide useful. You are almost done reading it, so let us quickly recap some of the key points:

• Risk management is as much about the tools and techniques as it is about cultural change and the mindset of employees. In order to strengthen the risk culture, risk managers should start by defining the overall risk profile, while helping to set the tone at the top and defining the risk-management roles and responsibilities. And remember that overcomplicating may do more damage to the risk culture than good.

• It is critically important to avoid positioning risk management as a separate and independent activity. Risk managers should help integrate risk management into the business. This can be achieved by involving staff as much as possible in the risk-management process, integrating elements of risk analysis into strategic planning, budgeting, and performance management, creating a network of risk champions, providing risk-management training, and assisting management in evaluating projects and opportunities using risk analysis.

• Risk managers should aim to become a trusted advisor to the company's senior management and the Board. Some tips include regularly scanning the horizon for emerging and external risks, critically testing management assumptions, and bringing a risk perspective to the discussion wherever possible.

In the appendix we have provided two indicative roadmaps that help prioritise the 15 action points covered in the guide depending on the risk maturity of your organisation. Implementing risk management is not an overnight process; it is a journey. We hope you enjoyed your journey so far!

An honest warning: there will be a time when you experience pressure to produce quick results. Stay true to the risk-management profession! Break your work down into two streams:

• "Here and now": help management identify and manage immediate threats or risks that have been neglected before. The good news for risk managers (and the not-so-good news for the business) is that there will always be risks that are poorly managed or completely ignored.

• "Future value": do not lose focus on the development of risk culture within the organisation. It may take time for senior management and employees to embrace the positive aspects of risk management, but the payoff will be great.

Good luck and thank you for taking the time to study this guide!

APPENDICES
A. RISK-MANAGEMENT ROADMAPS
B. BIBLIOGRAPHY

APPENDIX A – RISK-MANAGEMENT ROADMAPS

FOR THOSE NEW TO THE RISK-MANAGEMENT ROLE

Based on our experience, we provide the following sequence of activities for anyone who is new to the risk-management role or is a risk manager starting to develop a risk-management system at a new company. This, of course, is only an example and is subject to the specifics of your company.

For illustration purposes, we also mapped some activities as being relatively easy and not too time-consuming to implement, while others are more complex and may require appropriate preparation.

FOR THOSE TRYING TO RAISE THE RISK-MANAGEMENT PROFILE IN THE COMPANY

Based on our experience, we provide the following sequence of activities for risk managers who are trying to raise the risk-management profile within their company or are just trying to reinvigorate the team. This, of course, is only an illustrative example and is subject to the specifics of your company.

APPENDIX B – BIBLIOGRAPHY

AM Best and Towers Perrin (2008). AM Best ERM Criteria. www.towersperrin.com

Australian Securities Exchange (2007). Principles of Corporate Governance and Best Practice Recommendations. www.asx.com.au

Buchanan, D.A. and Huczynski, A. (2010). Organisational Behaviour, 7th ed. Pearson Education Ltd.

Carey, A. (2004). Corporate Governance. A Practical Guide [online]. London Stock Exchange plc & RSM Robson Rhodes LLP, London. http://www.londonstockexchange.com

Chryssides, G. and Kaler, J. (1996). Essentials of Business Ethics. McGraw-Hill International (UK) Limited, England.

Davies, H. and Lam, P.L. (2001). Managerial Economics, 3rd ed. Bell & Bain Ltd., Glasgow.

Deloitte (2006). Risk Intelligence in the Age of Global Uncertainty. Prudent Preparedness for Myriad Threats.

Demidenko, E. and McNutt, P. (2010). "The ethics of enterprise risk management as a key component of corporate governance". International Journal of Social Economics, Vol. 37 No. 10, pp. 802-815. http://www.emeraldinsight.com/0306-8293.htm

Economist Intelligence Unit (2009). Managing Risk in Perilous Times. Practical Steps to Accelerate Recovery. http://www.eiu.com

European Corporate Governance Institute (n.d.). Codes of Corporate Governance in Different Countries. http://www.ecgi.org/codes/all_codes.php

European Union (2006). "Article 41. Audit Committee", 8th Company Law Directive 2006/43/EC. http://www.8th-company-law-directive.com/Article41.htm

Expert RA (2010). Risk Management System Quality Rating. www.raexpert.ru/ratings/risk/scale/

Hampel Committee on Corporate Governance (2003). The Combined Code on Corporate Governance. London Stock Exchange, London. http://www.londonstockexchange.com

Hickson, D.J. and Pugh, D. (2003). Management Worldwide, 2nd ed. Penguin Global, London.

International Corporate Governance Network (2005). ICGN Statement on Global Corporate Governance Principles. http://www.icgn.org

ISO (2009). Risk Management - Principles and Guidelines. International Standard ISO 31000, first edition 2009-11-15. ISO, Switzerland.

IFRS (2010). IFRS 4 Phase II, Exposure Draft Insurance Contracts. www.ifrs.org

KPMG (2009). Never Again? Risk Management in Banking Beyond the Credit Crisis. http://www.kpmg.com

KPMG (2011). Risk Management. A Driver of Enterprise Value in the Emerging Environment. http://www.kpmg.com

Lam, J. (2003). Enterprise Risk Management: From Incentives to Controls. John Wiley & Sons, Inc., New Jersey.

McNutt, P. (2005). Law, Economics and Antitrust. Edward Elgar Publications, Cheltenham, UK.

McNutt, P. and Batho, C. (2005). "Code of Ethics and Employee Governance". International Journal of Social Economics, Vol. 32 No. 8, pp. 656-666.

McKinsey & Company (2011). Governance Since the Economic Crisis. Global Survey Results. http://www.mckinsey.com

Monks, R. and Minow, N. (2003). Corporate Governance, 3rd ed. Blackwell Publishing, Oxford.

New York Stock Exchange (2003). Standards for Corporate Governance, Section 303A.09. http://www.nyse.com/Frameset.html; http://www.nyse.com/about/listed/1101074746736.html; http://www.nyse.com/pdfs/section303A_final_rules.pdf

PricewaterhouseCoopers and Centre for the Study of Financial Innovation (2010). Banking Banana Skins 2010. Russia. http://www.pwc.ru

RBCC (2006). "Capital Markets: The Next Move for Russian Business". Bulletin, Issue 3, February, pp. 24-25.

Ricketts, M. (2002). The Economics of Business Enterprise: An Introduction to Economic Organisation and the Theory of the Firm, 3rd ed. Edward Elgar Publishing.

Risk e-Views (2010). Vol. 4, December. "Risk Leadership: How to be Heard", Bryan Whitefield, Director, Risk Management Partners.

Standard & Poor's (2010). Approach To Assessing Insurers' Enterprise Risk Management Refined In Line With Industry Improvements. RatingsDirect on the Global Credit Portal. www.standardandpoors.com/ratingsdirect

Standard & Poor's (2010). Expanded Definition Of Adequate Classification In Enterprise Risk Management Scores. RatingsDirect on the Global Credit Portal. www.standardandpoors.com/ratingsdirect

Standard & Poor's (2010). Insurers In EMEA See The Value Of Enterprise Risk Management. RatingsDirect on the Global Credit Portal. www.standardandpoors.com/ratingsdirect

Basel Committee on Banking Supervision (2010). Basel III and Financial Stability. http://www.bis.org

The Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS) (2009). Solvency II Directive. http://ec.europa.eu/internal_market/insurance/solvency

The Russian Federal Commission for Stock Markets (2003). The FCSM Code for Corporate Governance [online]. www.fcsm.ru; www.copr-gov.ru

The Institute of Internal Auditors (2004). The Role of Internal Auditing in Enterprise-wide Risk Management [online]. FL, USA, September. www.theiia.org

Towers Perrin (2008). Highlights and Implications of A.M. Best's New ERM Methodology.

Vedomosti (2005). "Russia: Going Global". Forum, The Wall Street Journal & Financial Times Magazine, November.

Vysotskaya, O. and Demidenko, E. (2005). "The Audit Committees in the 21st Century". The Russian Economy. 21st Century. No. 20. http://www.ruseconomy.ru/index20.html

World Economic Forum (2011). Global Risks 2011, Sixth Edition. www.weforum.org

ABOUT THE AUTHORS

ALEXEI SIDORENKO is a risk-management specialist with over 8 years of strategic and risk consulting experience across Australia, Russia, Poland and Kazakhstan, focusing on a variety of industries including oil and gas, energy, consumer goods, transportation and infrastructure, telecom, real estate and investment corporations, as well as government departments and state parliaments.

Currently working at the Skolkovo Foundation, Alex is a risk manager supporting the development of the largest innovation centre in CEE, responsible for education, risk analysis and reporting for the Foundation staff and more than 300 start-up companies in the fields of energy efficiency, biomedicine, space and telecom, IT and nuclear. Alex regularly presents at risk-management conferences across CEE.

In 2011 Alex co-authored a global risk-management methodology for PricewaterhouseCoopers. In 2009 Alex co-authored the risk-management guide for small and medium-sized businesses published by the Australian Stock Exchange.

ELENA DEMIDENKO, ACCA (Association of Chartered Certified Accountants, UK), MBA (Manchester Business School, UK), is a risk-management consulting specialist with over 6 years of governance and risk consulting experience and more than 12 years of overall work experience across Singapore, Australia, Russia and Europe. She is a member of the academic staff at Manchester Business School, UK.

Copyright
This document is subject to copyright which is retained by the authors. No part of it may in any form or by any
means be reproduced, adapted, transmitted or communicated without the prior written permission of the authors.
This document is provided as general information only and does not consider your specific objectives, situation
or needs. You should not rely on the information in this document or disclose it or refer to it in any document. The
authors accept no duty of care or liability to you or anyone else regarding this document and we are not responsible
to you or anyone else for any loss suffered in connection with the use of this document or any of its content.
