Historically, the corporate risk management department has been based on the partnership engagement model in that the department was viewed as a partner that supplied ancillary services to the core business. Using the COVID 19 pandemic as a backdrop, we will explain why this model has become outdated and how corporate risk management departments can evolve in ways that contribute to the success of the organization.
“When you see how hard it’s been for governments to get their citizens to just put on a mask in stores, or get vaccinated, to protect themselves, their neighbors and their grandparents from being harmed or killed by COVID-19, how in the world are we going to get big majorities to work together globally and make the lifestyle sacrifices needed to dampen the increasingly destructive effects of global warming - for which there are treatments but no vaccine? That’s magical thinking, and it demands a realistic response.” - Thomas Friedman, The Climate Summit Has Me Very Energized and Very Afraid, New York Times, November 9, 2021
Gifted thinkers from Abraham Lincoln to Thomas Friedman have long worried about the ability of humanity to manage uncertainty - to adapting and learning more, doing more of what works, and collaborating more. Because whether it’s navigating through a once-in-a-century pandemic or addressing climate change before it’s too late, building better systems to manage uncertainty is the only route to a healthier and safer world.
One area of business that needs to adapt is the corporate risk management department. As previously explained, corporate risk management departments are typically not seen as performing activities that relate to the core purpose of the organization. This is true of other corporate functions such as IT departments.
Why is this? Think about how these two departments came into being. Historically, they were created as back-office or ancillary functions that made sure that the company had proper commercial insurance and that the company’s computers kept running. The mindset was that these ancillary functions would partner with the rest of the business by delivering these support services. Value was not measured on the basis of outputs or contributions to the success of the business. Instead, performance was measured on the basis of inputs: money spent on insurance premiums and computers and whether projects (the insurance program or computer system) came in on time and budget.
Let’s turn back to the pandemic to explain why the partner-engagement model isn’t strong enough to influence business outcomes. At the time this article was written (December 2021), a new COVID-19 variant - Omicron - was sweeping the world. Dr. Ashish Jha, one of America’s foremost public health experts tweeted on December 8, 2021 that your health risk depended on your membership in one of three groups:
- Group 1 - Immunologically naive: Unvaccinated and not recently infected who will get infected at exceedingly high rates. Many will get sick and the degree of illness will likely be moderate to severe.
- Group 2 - Somewhat protected: People with 1-2 vaccine shots or a recent infection. Large numbers of this group will experience breakthrough infections but severe illness, except for high risk individuals, should largely be preventable.
- Group 3 - Highly protected: People who are fully vaccinated and received booster shots or have hybrid immunity (infection + two shots). Probably some limited breakthroughs but severe illness will be rare.
Application of Cameron’s classification to Dr. Jha’s groupings means that the “Immunologically Naive” population will experience illness, the “Somewhat Protected” population will experience normal health, and the “Highly Protected” population will flourish. The question for the United States and other countries will be how to increase the number of “Highly Protected” groups. We think it will come down to the degree to which public health expertise can be better integrated within individual communities. Without that integration, communities will continue to struggle with decision-making and developing a sense of shared ownership for public health.
The same principle holds true for the future of the corporate risk management community. While some centralization will remain (e.g., everyone uses the same insurance program and claims process), risk management professionals need to embed within each department of the organization. Otherwise, risk management professionals, like public health officials, will remain disconnected, from influencing outcomes.
The role of senior leadership is to ensure that the integration happens and that there is a consistency of practice across the organization. Think of it as risk management serving as a common framework in that every business unit has the same canvas and paint but leaves it up to each individual business unit to decide what they paint and how (i.e., manage uncertainty). The role of the risk management professional in this scenario is not to function as a supplier of services but to act as a valued contributor to ongoing operations and to the success of the business unit.
There are at least four key components that make up a model de-centralized risk management framework that should be scaled up within each business unit:
- Collaborative learning;
- Decision-making;
- Process accountability and methods improvement.
- Effective communication
These substantive skills are critical to managing uncertainty in a way that increases the potential and magnitude of good things happening (the positive side of uncertainty) and decreases the probability and severity of bad things happening (the negative side of uncertainty). In future columns, we will explore how the traditional corporate risk management community can help their organizations become more proficient in each of these substantive areas.