At a recent client meeting on SCRM I asked the senior SC executive how much contact he or his team had with the Chief Risk Officer of the firm. The answer was “not much” and then “it’s usually to provide input into an ERM update for the board.” Besides that reporting discussion, I asked, does the corporate risk team have an active role in helping manage supply chain and procurement risks on a day-to-day basis? His answer, which is typical, was a solid “no.”
In thinking about this discussion I was reminded of the report published in the UK by AIRMIC (“Association of Insurance and Risk Managers in Industry and Commerce”) in 2011.(1) The report, “Road to Ruin. A Study of Major Risk Events: Their origins, impact and implications,” is a good read for anyone wishing to understand the common elements that seemingly disconnected risk events have shared in the last decade. Among the many causes that the authors note for the failures they examine, one common point across most of them was that the risk team in place (supposedly to prevent these types of issues) was more often than not unable to comprehend the operational aspects of the function whose risks they were supposed to help manage. As the authors note:
Many risk managers and internal auditors will feel uncomfortable working in the areas highlighted in this report unless they have been able to gain the skills and experience necessary to question and discuss corporate strategy and senior management’s leadership styles in an effective way. Furthermore, many of these risk areas are difficult for risk managers and internal auditors to explore, let alone report on.
I can validate this phenomenon with my own experience as a QA partner on projects and contracts in my own professions. It takes a great program manager to understand the risks of a complex program. It takes a great IT architect to spot the flaws in a system design. It takes someone with great mathematical skills to spot errors in the technical aspects of an analytic service. This phenomenon suggests that the best risk managers in any field are those who themselves have mastered the field. Yet how often is that the case? How many people charged with overseeing risk at major product companies have truly mastered the many and complex operational aspects of that business? In other words, how many CROs are former CEOs, CFOs or COOs? That does not mean that every CRO needs to be a former C-level operations executive, but there would be nothing wrong if they were. And if they are not, then it is the firm’s challenge to help that person truly understand the aspects of the operational environment whose risks must be understood and managed.
As the authors go on to note in the recommendations section:
At least some risk professionals will need to extend their skills so that they are – and feel – competent to identify, analyse and discuss risks emerging from their organisation’s ethos, culture and strategy, and their leaders’ activities and behavior.
In addition to the skills issue, there is also the issue of status. Taking on powerful executives and reining in unwise risk-taking is not something a middle-level manager can usually do. What better person to play that role than a recently retired CEO or CFO perhaps? Indeed, perhaps a better use for ex-CEOs would be making many of them CRO rather than having them act as “consultants.” In sum, the AIRMIC study is worth a careful read by any SCRM professional. Disparate failures often have common causes, and this report is a solid analysis that points to many smart and implementable changes companies can take to avoid being one of the cases in the next such publication.