Risk Management as a Career: A Guide for BCM Professionals

For those with a suitable temperament and skill set, a career in risk management can be rewarding due to the field’s broad scope, consequential nature, and rising prominence. In this week’s post, we’ll look at what a risk manager does and the skills it takes to excel in this role. 

Related on MHA Consulting: What’s Ahead in the World of Enterprise Risk Management 

Defining Risk Management 

Our current environment of rising global uncertainty is leading many organizations to increase the resources they devote to risk management.  

As a reminder, risk management is the process of understanding the hazards facing an organization and taking steps to bring them to within a level determined to be acceptable by the senior leadership. It’s not about eliminating risk completely but managing it in a rational, informed way.  

Because the organization and environment inevitably change over time, managing risk is a task that’s never done. It’s a permanent ongoing activity.  

The operational areas that risk management is concerned are broad and varied. They include process and procedural robustness and integrity; people, skills, and training; insurance and self-insurance; the supply chain, outsourcing, and inherent risk; infrastructure, systems, and telecommunications; and physical and information security.  

More simply, the job of the risk manager is to identify, prioritize, and mitigate the risks faced by the organization. 

Risk Management and Business Continuity 

The relationship of the risk management department and the business continuity office varies by organization. The best practice is for BC to be tucked inside the risk management department. In BC, everything we do is about reducing risk, making risk management a natural home for the BC effort (as opposed to, say, making BC subordinate to the IT department, a common but misguided arrangement). However, risk management’s concerns go beyond the BC focus on preventing disruptions and reducing their impact.  

Due to their shared focus on reducing risk, a background in BC provides solid preparation for a career in risk management.  

What Makes Risk Management an Attractive Field   

Risk management is a uniquely interesting field. Its horizon is unusually broad in that the risk management professional has to identify and assess risks across so many fronts. These range from workplace violence to the weather to cyberattacks to supply chain disruptions caused by far-flung geopolitical events.  

With such a wide breadth of concerns to worry about, the risk management professional is unlikely to get bored. In addition, a risk manager needs to know something about everything in order to effectively carry out the duties of the role.  

Many people would find this  combination of demands overwhelming. In my view, it’s one of the things that makes the job attractive.  

Tools Needed to Excel in This Role  

What does it take to succeed as a risk management professional? Here are four tools the risk manager needs in his or her toolkit:  

• A solid understanding of how the business works. The risk manager’s knowledge should cover all aspects of the organization, from the concerns of senior management to those of middle management to the work of the people on the floor doing the job. A risk manager should possess deep industry knowledge and a solid understanding of what is critical and what’s not.  

• Good, foundational knowledge of technology. The person doesn’t have to be a tech guru, but they do need an understanding of the core components of technology and how they work. The risk manager should know what the critical systems of the business are. This is necessary to assess threats to technology and their potential impacts on the business.   
• Knowledge of risk-identification methodology. A risk management professional needs to know how to identify and prioritize risks from the business and technology perspectives. Includes risks that reside in the neighborhood and those that might arise from across the globe.   
• Knowledge of how to mitigate risks. A risk manager needs to be well-versed in the four risk mitigation strategies (accepting, transferring, limiting, and avoiding risk) and know how to produce a mitigation plan.  

These four competencies—coupled with the ability to interact effectively with people at all levels of the organization and in every department—make up the main skills needed to excel as a risk management professional.  

Understanding the Risk Management Process 

Let’s look more closely at the central concern of the risk management professional: the risk management process. There are six steps to the process, and successful risk managers perform all of them on a continuous loop. The steps are: 

1. Assess the organization’s risks 

2. Prioritize the risks 

3. Figure out the organization’s risk profile 

4. Choose the optimal risk strategies for the organization 

5. Execute the chosen risk strategies 

6. Measure residual risk 

For a more detailed discussion, see “Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty.”  

Defining the Risk Framework 

The risk framework refers to the activities that make up the role of risk manager. The framework has eight components:  

1. Internal control environment 

2. Setting of objectives 

3. Event identification 

4. Risk assessments 

5. Risk response 

6. Control activities 

7. Communication of relevant information 

8. Monitoring 

For an in-depth look at the risk framework, see “Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask.” 

The Eight Risk Areas 

One of the risk managers key responsibilities is analyzing the likely impact on the organization of each of the eight risk areas. Those risk areas are: 

1. Human error 

2. Nature 

3. Supply chains 

4. Vendors 

5. Technology 

6. Data security 

7. Facility security 

8. Business processes/management 

For more details on these areas, check out “Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty” and “Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask.”  

The Eight Risk Domains 

There are eight domains that make up the core content of enterprise risk management. They are:  

1. Operational 

2. Health and Safety 

3. Strategic  

4. Financial  

5. Human Resources  

6. Legal and Regulatory  

7. Technological  

8. Environmental and Infrastructure Hazards  

To learn more about the eight risk domains, check out, “These 8 Risk Domains Are the Meat and Potatoes of Risk Management.” 

Risk Tolerance and Risk Appetite 

Risk managers need to know about risk tolerance and risk appetite. Specifically, they need to know about the tolerance and appetite for risk of their organization’s senior leaders. 

Both terms refer to how much risk management is prepared to accept in pursuit of its objectives. Risk appetite is a broader statement of the level of risk that management deems acceptable. Risk tolerance refers to the specific level of risk the company will accept as it pursues a specific objective. 

These posts are a good place to start to learn more about risk tolerance and risk appetite. 

The Four Risk Mitigation Strategies 

I listed knowledge of the four risk mitigation strategies as one of the tools needed to be an effective risk manager. Here’s a bit more on those four strategies: 

• Avoiding risk. Exiting activities that bring it on or implementing protections to eliminate the exposure. 
• Reducing risk. Taking steps to reduce the likelihood of a negative event occurring, though not removing it completely. 

• Transferring risk. Employing a method such as taking out insurance to help cover a risk or hiring a third party that will take the risk associated with the action or process. 
• Accepting risk. Acknowledging that if the danger is realized, the organization will have to bear the consequences. 

For a detailed discussion of risk mitigation strategies, check out “Don’t Just Hope: Choosing Strategies to Mitigate Risk.” 

The Culture of Risk Management  

Once a risk manager has mastered the content described above, it all comes down to executing on that knowledge and educating the organization across all levels in order to make risk management and mitigation part of its culture. The most prepared organizations are those in which risk is addressed in daily activities and not just during a formal risk assessment. 

For more information on this aspect of being a risk manager, see, “Every Single Day: Make Risk Management Part of Your Company’s Culture.” 

Navigating Through a Dangerous World 

For people with the right temperament, skills, and knowledge, a career in risk management can be a compelling choice. The role requires a broad and deep knowledge of the industry and organization as well as of the broader threat landscape.  

Succeeding as a risk manager requires a strong commitment to the ongoing processes of identifying, prioritizing, and mitigating risk. It brings the satisfaction of helping the company make its way through an increasingly dangerous world and protecting its stakeholders from potentially devastating consequences. 

Further Reading 

For more on the career and practice of risk management, check out these posts from MHA Consulting: 

• Every Single Day: Make Risk Management Part of Your Company’s Culture 
• Don’t Just Hope: Choosing Strategies to Mitigate Risk 
• These 8 Risk Domains Are the Meat and Potatoes of Risk Management 
• Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty 
• Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask 
• Global Turmoil Making You Ill? Try a Dose of Risk Management   
• The ABCs of ERM: The Rise of Enterprise Risk Management 
• Enter the Matrix: Why You Should Employ a Risk Management Matrix 
• What’s Ahead in the World of Enterprise Risk Management