Some say that in a perfect world, there is no need for a separate Risk Organization. But that is probably not true.
Think about the Hierarchy of Corporate Needs:
Hierarchy of Corporate Needs
Growth of Value
Most successful larger organizations have a separate Sales department. There certainly are firms that go around saying that “Sales are everyone’s job”, but they invariably have people whose only job is Sales.
Move along to Profits and the picture shifts somewhat. Often there is one department that has responsibility for pricing, another for assisting with managing expenses and the largest component is the folks who are responsible for tracking profits – the accounting department. Again, many firms also say that “Profits is everyone’s job”, but they do assign many people to jobs that deal primarily with Profits.
So, that brings us to Security, which is the flip side of Risk. Security needs a parallel structure to what you find for Profits. The system of work assignments for Profits has evolved over many years.
Many firms have set out to create a Risk system on a much, much shorter time frame. One approach would be to say that since Losses are the opposite of Profits, then assign the responsibility for Security to the same people who have that responsibility for Profits. But what is likely to happen there is that attention to Profits will most often trump attention to Risk. That is natural, since Profits are higher up the Hierarchy of Corporate Needs than Risk. In addition, measuring Profits is most often done in arrears and Risk can best be managed when measured in advance. In fact, when responsibility for Risk is given to the folks who are experienced in managing Profits, they often make the mistake of trying to manage Risk by looking backwards.
So certainly to get started, and probably for the foreseeable future, Risk will need its own organization.
One of the most important aspects of a Risk organization is the assignment of responsibility for Risk. In many firms it is best to assign responsibility to a Line manager who controls the business that creates the risk. The person with responsibility should be a person who does periodically stand before the board. They should be asked to say to the board regularly where things stand with respect to managing their Risk.
As with Profits, there is a need for an independent role of Risk measurement. Usually that role is given responsibility for both prospective measurement of Risk exposures as well as the analysis of losses.
When people talk about independence for Risk, the place where that is really needed is between the responsibility for managing Risk and the responsibility for measuring Risk and assessing losses, the same way that is done for Profits. No one would consider assigning Profit management to the folks who measure Profits.