Research into leadership in risk management in Europe indicates that risk management is gradually becoming a board-level item and an integral part of organisational strategy. While banks, for example, have embedded it into their operations since their inception, in other sectors the importance of risk management has taken longer to come to the fore. Common categories of risk considered include strategic, financial, IT, legal and reputation, in descending order of importance. However, there’s more to risk management than calculating potential loss and taking out insurance policies. Like cholesterol, it turns out that there is good risk as well as bad.
The findings from managers in FERMA (the Federation of European Risk Management) and PRIMO (public sector associations) show that 56 per cent of respondents confirmed an increase in resources for risk-related training for CRO (chief risk officer) level and above. On the other hand, compensation and communication still have to catch up. Only 12 per cent said executive pay was influenced by performance in risk management; only 17 per cent agreed that communication between the CRO and other C-level officers was ‘comprehensive’. 29 per cent, on the other hand, indicated that senior management was reticent about hearing only bad news.
Perhaps a different perspective on risk can help with that last point. Although strategic risk management (SRM) has traditionally focused on what could go wrong, the approach of enterprise risk management (ERM) embraces all risk: bad and good, what can go wrong and what can go right. In other words, ERM opens up the field to both threats and opportunities, for a kind of ‘super-business continuity’. If risk managers extend their activities to cover both kinds of risk, and if their organisation is supportive, they can also research and help the organisation exploit ‘good risk’ leading to good reward.