And we would all expect that a reasonable and semi-competent captain would have taken steps to make sure this is the case. So, in a corporate environment, does the same principle hold true? As a risk management function, are we satisfied that our role is to guide the business when danger is looming or do we think we need to step into the captain’s shoes and do everything that the captain ought to do? And what is the expectation from the business of the risk management function?
You might say that this would depend on any number of factors – how much does the captain care about passenger safety, what is the captain’s appetite for risk, are there any other constraints on the captain… the list is endless.
But what it ultimately comes down to is who is accountable for risk management decisions. In the majority of cases, this would be the same individual who is accountable for running the business. After all, a business can only successfully be run and be self-sustaining if it is run in light of the risks that impact it, not despite the risks.
So then, why are risk management frameworks, policies, procedures written by the risk management function using technical risk jargon, reviewed by the risk management community and rolled out to risk managers? Wouldn’t it be more constructive to work with senior executives to come up with a simple set of principles that can be incorporated by the business into existing business processes and therefore ensure that risk management is embedded? If the answer is yes, that risk management is the business’ responsibility, then what should the role of the risk management function be? Perhaps the answer is that just like engineers, navigators, meteorologists and other specialists who assist the captain of a ship to understand their environment and minimise their exposure, the role of the risk management function is to translate regulatory requirements and technical risk management principles into plain English to empower and support the business in managing its own risks and make informed decisions.
The question is: as a risk management function, are we comfortable with being the lighthouse – guiding, supporting and assisting the captain to map out a course for his ship, and then calling in the coast guard if the captain chooses to take a dangerous course or gets into trouble?
Happy sailing or happy guiding? The choice is yours.