The changing landscape of risk management

Victoria Robinson, head of Marketing and Communications from the Institute of Risk Management, looks at the ways that risk management is changing, and, as a result, how the public sector needs to adapt to those changes

Are we about to see a fourth industrial revolution? Our recent Risk Agenda 2025 research highlighted technological change as the biggest driver of uncertainty for organisations today. From self-driving cars to online medical consultations, new technologies including the internet of things, blockchain, artificial intelligence, robotics and data analytics are starting to transform how things are done and present us with a new landscape of opportunity and risk. Change has always been with us, but there is a feeling that what we are facing now is more extreme. This arises from both the speed of developments and the profound impacts they are likely to have on business models and on human activity.

Our research also uncovered that less than 40 per cent of the risk management community feel well equipped to understand these changes and support their organisations in this area. Part of our response to this is ‘Don’t panic!’ – the basic principles of good risk management will stay the same – the fundamental approach of building resilient organisations with robust processes, a healthy risk culture and strong risk communications will still be very much required, albeit able to move at a faster clock speed. The context, however, is certainly shifting with new risks to address and the potential for new tools and techniques to help.

Later this year, the Institute of Risk Management (IRM) will be launching its new Certificate in Digital Risk Management. This qualification has been designed to equip risk practitioners and others to apply their skills in an increasingly digital world. We are working with leading academic and practitioner experts to develop world class study material which will cover how new technologies and digitalisation are disrupting businesses and changing the risk environment for organisations of all types. It will look at how to carry out digital risk assessments, provide a detailed grounding in cyber security principles and practices and also look at the ethical issues surrounding both privacy and machine learning.

The qualification will, naturally, be delivered and examined globally on a fully online basis. It will be a relatively quick qualification to obtain, involving a multiple choice question examination and about 180 hours of study over approximately six months. It has been designed on a standalone basis to provide both a supplementary ‘future-proofing’ qualification for our existing members as part of their continuing professional development and also as an introduction to the subject for those from other disciplines. Enrolment will open in Autumn 2018, and this will be publicised widely at that time, although you can get yourself added to our pre-registration list by contacting IRM. We are also interested in identifying potential examiners, question setters and module coaches, drawing on the skills that we have in our community. A combination of great risk management skills together with an up-to-date knowledge of the digital risk landscape should be an unbeatable combination for tomorrow’s risk management jobs.  

Less than 40 per cent of the risk management community feel well equipped to understand technological changes and support their organisations in this area. Here, we speak to IRM members around the globe about key drivers effecting risk management in the public sector.

Francis Lee: general manager, Internal Audit,
Urban Renewal Authority, Hong Kong

Enterprise Risk Management (ERM) is crucial and here’s why. The first training lesson I received on the topic of corporate failure when I joined Arthur Andersen as an external auditor over two decades ago included two primary reasons why companies failed: fraud and cash flow. Some years later, Arthur Andersen ceased to exist. There have been numerous after-the-fact articles analysing the failure of the once prominent global accountancy firm as it went down in history. Perhaps the fate of the company might become different if they practiced what they preached and taken ERM seriously.

In today's global, interconnected environment, a holistic ERM needs to be practiced. Comprehensive use of ERM will optimise the risks organisations are exposed to, enabling them to attain the sustainable future growth and the profitability they desire. When facing numerous uncertainties, including fraud, compliance, data security and the loss of reputation, organisations need to act quickly to avoid leaving themselves exposed to costly and brand-damaging breaches. Establishing an effective ERM framework will build the confidence of the stakeholders while bolstering the future of the organisation. In other words, ERM is essential.

Being a senior member for one of Hong Kong's statutory bodies, my key responsible functions include ERM and Internal Audit. My interests in ERM date back over a decade ago when I worked at the Risk Advisory and Group Audit Department in the global headquarters of Roche Group in Basel, Switzerland. The world-class risk knowledge and training I received at Roche Group initiated an interest to begin implementing ERM. The experiences there prepared me as I took up the position as the head of Risk Management to establish a formal ERM framework at the largest Real Estate Investment Trust (REIT) in Asia - the Link REIT, a blue-chip company listed on the Hong Kong Exchange.

At the Link REIT in particular, some of my roles included collaborating with the board of directors on the set-up of a formal risk governance structure, establishment of the ERM policies and procedures, developing key risk indicators, and revamping of their risk management section of the annual reports. What I enjoyed most in this position at REIT was to support the board of directors and the management as they began to change their risk culture while they grew their risk-awareness and initiated applying ERM in various aspects of operations, including their strategic decision-making process.

Lettie Pringle: Risk & Safety Co-ordinator, NHS Borders

There is no typical day within this role. The variety of work within this role is unbelievable and the diversity of the healthcare system makes sure it never becomes boring. It covers everything from financial, clinical, political and reputational risks to name a few. Healthcare has micro businesses within it, so your role can range from being involved with project management risks of estates to supporting risk owners with risks relating to service delivery such as physiotherapy, laundry and facilities management.

I support everyone from front line staff such as nurses and medics to directors and executives, helping them understand their role and risk management processes of NHS Borders, assisting them through each stage of the process from identifying risks to reviewing them. It is always vital to remember why you are doing the role; to improve and maintain the safety of those who use the services within healthcare and those who provide it. I have great pride in the risk management processes we implement as the decisions made from these help keep patients, staff and the public safe and reduce organisational liabilities.

Communication is so important in risk management. I love meeting people and getting different opinions about risks they face. Speaking to people enhances not only their own knowledge base, but also your own and provides personal opportunities to improve and learn. Networking with internal and external stakeholders always helps give a perspective on risk that you may not have considered.

Culture within healthcare is orientated towards patient care, encouraging staff to widen their scope into clinical and corporate risks and ensuring there is an understanding of the importance of these types of risks to deliver a service can be challenging. For example, the importance of analysing risks around workforce and sustainability and the impact this can have on the delivery of care of a patient and patient safety. Overall, whilst it is imperative that a proportional response to risk is given, it can be difficult when you are dealing with people’s health impacts.

There is no exact route for a career in risk and resilience, especially in the public sector, naturally there are lots of ex-emergency services and ex-military in the industry. If you have a passion for understanding complex issues and enjoy designing simple solutions that people understand and might use then this could be a career for you.

Start to widen your knowledge and outlook, you don’t have to be an expert in every area but it helps to have a good general knowledge of risk and what is happening in the world. Don’t be put off a career in risk or resilience just because you didn’t study a related subject at university. I believe the risk profession benefits from people from a diverse range of career background and with some life experience, as can be seen by the wide variety of IRM members and students globally.