Viewpoints on the practice of risk management have changed dramatically over the past several years. The financial crisis of 2008 as well as other high-profile catastrophes like the Gulf Oil Spill have forced companies and boards to re-examine how they are addressing potential risks to their businesses. A recent study by the Economist Intelligence Unit highlights this fact as evidenced in the following excerpt.
Risk management can be a thankless task. Just ask Paul Moore, the former head of regulatory risk at HBOS, who claimed that he was sacked because he told the bank’s board that it was taking too much risk. In the wake of the financial crisis, stories that banks would sidestep risk managers in order to get deals done were legion. Risk managers with legitimate concerns about the business were ignored and regarded as a brake on growth.
Three years on, the perception of risk management has changed. In the financial services industry, there is a clear consensus that serious mistakes were made with either risk management or risk governance. In response, banks and other financial institutions are beefing up risk departments and creating new governance structures that add to the risk function’s authority and independence. Boards are creating risk committees and ensuring that non-executives are providing effective oversight of the company’s risk exposure. Chief risk officers are being granted powers of veto over decisions made by executive management and reporting directly into non-executive directors.
This renewed zeal for risk management extends far beyond the banking sector. Events such as the financial crisis, and more recently the oil spill in the Gulf of Mexico, have reminded senior executives that failures in risk management can prove to be extremely costly, not just to a company’s financial performance, but to their own careers and, sometimes, the lives of employees. The incentive to ensure that there is a clear and consistent approach to managing risk across the enterprise has never been greater.
However, although risk management is currently enjoying an unprecedented level of authority and visibility, it remains a function in transition. Examples of companies that take a genuinely strategic approach to their risk management remain few and far between. Communication between risk functions and the broader business can sometimes be fragmented, while an enterprise-wide culture and awareness of risk can be difficult to achieve.