The Changing Role of the Risk Manager in Organizations - From Gatekeeper to EA Strategic Partner
Health emergencies, geopolitical crises, and cyberattacks have increased dramatically across the globe. Organizations must ensure that they take adequate precautions to safeguard their operations, data, and systems. During the MEGA EA Exchange 2022 digital conference, MEGA International GRC Product Marketing Manager Cyril Amblard-Ladurantie spoke with François Beaume, the Vice President of Risk and Insurance at Sonepar and the Vice President of Digital Transformation at AMRAE. The two specialists discussed the importance of the role of risk managers in modern organizations.
Is the 21st Century the Era of Risk Management?
The world is a risky place right now. From geopolitical tension to rising inflation, climate change and cyber-attacks, organizations must face a multiplicity of risks on a daily basis. According to Cyril Amblard-Ladurantie, risk-taking has always been part of doing business and interlocking economy has supercharged the complexity of managing risk. Organizations rely on risk managers not only to protect them from harm, but also to turn those threats into valuable opportunities.
“Risk management is not only a key enabler of human activities in private and public organizations but also for all of us in our daily activities. Risk management is not a one-man show. It involves a group of people. It must be a collective activity. The risk manager is there to organize things, but not to be a substitute for others,” says François Beaume.
The Role of the Risk Manager
François states that risk management is a collective game. “We provide the methods, tools, support, and data for people in the field in order for them to have better decision-making processes, better ways of tackling risk, and more consistency in their actions.
Successful corporations are the ones that last. And to last, you need to adapt. Adaptation is what matters with regard to risk management.”
The impact of Covid-19 on risk managers was significant: there was a ‘before and an after’ Covid-19 for the risk management world:
“Since Covid, risk managers have been able to demonstrate that they are an operational function. They can tackle crises with efficient methods. The pandemic crisis has been a way for them to demonstrate that they perform a key function, either internally to the other operational departments, but also for management, shareholders, and other external stakeholders, that they are a key function”.
Risk managers can provide insightful data, analysis, and strong support for various fields.
Coping with the Complex Multiplicity of Risk
After alluding to the multiplicity of risks, the question is how to deal with this complexity.
“It's not an easy job. The world is changing. We are changing, our economy is digitalizing, and we have new habits new ways of living, and new expectations. All of that must be understood, identified, and treated in our daily activities.
The speed of change has increased. The world is no longer frozen. The pace of change has technically increased. And for risk managers like us, it's very complex to tackle in a similar manner that scope of intervention that is in expansion and the pace of evolution”, says François.
“When you are a risk manager, you must be able to achieve your goals. Cybersecurity-related risks are at the top of any risk map. You also have the impact of the changing world. Geopolitical tensions, social unrest, macroeconomic changes, inflation. All of that is pushing risks forward – and, in a way, changing the risk landscape.”
There are many interconnections where risks are intertwined, much more so than in the past. It's quite complex for us as risk managers to let's say, illustrate, notify, and organize these interactions and interrelations.
Managing IT Security and Cybersecurity Risks
From a practical point of view, given that risks are intertwined, how to manage IT security and cybersecurity?
“We manage them jointly. The basic finding is that cyber risk is not only technical. To manage it, you need to build up a mix of human resources specialists, legal and compliance specialists, insurance specialists, and commercial people in charge of the commercial side of the activity and so on. All these people have a part to play. The risk manager and the chief information security officer are the ones that will organize the response to the cyber risk. It's definitely collective in terms of understanding and responding”.
It can also be complicated to make the connection between an IT issue and the impacts it will have on a business. The challenge is to connect IT threats and their impact on a business. To François :
“Part of the daily job of the risk manager and his team is to go beyond the evidence and interact with specialists and experts to have a consensual view of the risk and its consequences. As risk managers, we need to understand our counterpart’s vocabulary and understand the underlying principle of the risk to open communication channels. The outcomes of these types of discussions include the risk assessment, the risk evaluation, and the notification of potential mitigation plans. All of that is based on exchanges”.
What Makes an Effective Risk Manager?
Even without any background in cyber security, getting the expertise is possible. François Beaume explains how :
“I learned on the job. My background is as a biologist. Nothing related to security. But this is usually the case for risk managers. Risk managers come from various backgrounds, such as legal, compliance, and commercial. This increases the depth of knowledge within the profession. For corporations, it adds an interesting value. Risk managers can view issues with another pair of eyes, a different framework.
A risk manager is, if not always, then very frequently, not an expert in the issue at hand. He or she must train themselves before coming to the meeting. To do so, they look at different training sessions to understand a given risk's vocabulary and underlying factors to be a positive counterpart in the discussion. Risk managers are trained on the spot and by other departments, such as the IT department, who explain what's going on, what the drivers are, and why reacting one way is better than reacting another.
A risk manager is not always, at least very often, an expert in the field at hand. He or she must practice before coming to the meeting. Training sessions are necessary to understand the vocabulary of a given risk and the underlying factors in order to be a positive speaker in the discussion. Risk managers are trained on-site and by other departments, such as IT, who explain what is happening, the determining factors, and why it is better to react in one direction rather than another.
The Federated Approach to Cyber Security
The question is: What are the benefits of having a federated approach for an audience that is still in a siloed world, and what advice to start a federated approach to cybersecurity management?
“The single best piece of advice I can give is to practice risk management. Risk management is a silo-breaker activity. By doing so, either by the risk manager or internally, the approach will be to repeatedly question evidence or things that are taken as a given. It would help if you put everything on the table collectively to move forward and assess the current situation, the risk, the opportunities, the existing mitigation actions, and the respective efficiency.
The key is also to identify areas where there is room for improvement, risk areas where time and energy will need to be invested, and how to invest that time and energy to develop a roadmap that will be sustainable in the long run. This will bring the next level that the organization wants to achieve collectively.
The Global View of Risk Management Trends
To conclude the discussion, François shares his experience with other associations worldwide and what is for him the global vision of risk management.
“AMRAE is a French Risk Managers Association. We are part of the Federation of European National Risk Management Associations with members in Italy, Spain, and the UK. European risk managers share the same global concerns about cybersecurity and risk management. The trends that we have been discussing are also valid outside France.
We work with PARIMA, a pan-Asian Pacific risk management association. The European Federation is called FERMA. The same trends are of concern - the magnitude is different, but the basic principles are similar. We are also in discussion with RIMS, the risk management society in the USA, and a worldwide risk management federation called IFRIMA. We all share similar viewpoints, especially regarding cyber risks. The impacts these issues have varies from country to country, but the basic trends are similar.”