<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Risk Point &#187; Points of View on Risk Management</title>
	<atom:link href="http://riskpoint.com.au/category/points-of-view-on-risk-managment/feed/" rel="self" type="application/rss+xml" />
	<link>http://riskpoint.com.au</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Wed, 13 Feb 2013 06:32:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Governance, Risk and Compliance (GRC) &#8211; Can They Be Integrated?</title>
		<link>http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/</link>
		<comments>http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/#comments</comments>
		<pubDate>Wed, 13 Feb 2013 06:32:25 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=480</guid>
		<description><![CDATA[Overview There is an emerging trend to incorporate the three related, but different disciplines of Governance, Risk and Compliance. Often the word or acronym “GRC” is used to abbreviate them. This month’s Risk View examines this trend and provides an explanation of the disciplines, the differences between them and the area of commonality. It addresses issues associated with the notion that they can be put into one discipline or be managed by one role in the organization and highlights some of the dangers, or side-effects, of following the GRC path. Governance Corporate governance is “the system by which entities are directed and controlled” (AS 8000 – 2003 Good Governance Principles). Governance is a whole of organization, or whole of business discipline which establishes the means by which the business is operated. This includes compliance with laws, establishing and pursuing objectives and strategies to achieve them, taking risk (pursuing opportunities whilst &#8230; <a href="http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<h2>Overview</h2>
<p>There is an emerging trend to incorporate the three related, but different disciplines of Governance, Risk and Compliance. Often the word or acronym “GRC” is used to abbreviate them. This month’s Risk View examines this trend and provides an explanation of the disciplines, the differences between them and the area of commonality. It addresses issues associated with the notion that they can be put into one discipline or be managed by one role in the organization and highlights some of the dangers, or side-effects, of following the GRC path.</p>
<h2>Governance</h2>
<p>Corporate governance is “the system by which entities are directed and controlled” (AS 8000 – 2003 Good Governance Principles). Governance is a whole of organization, or whole of business discipline which establishes the means by which the business is operated. This includes compliance with laws, establishing and pursuing objectives and strategies to achieve them, taking risk (pursuing opportunities whilst managing potential threats), and allocating resources effectively in order to achieve objectives.</p>
<h2>Risk</h2>
<p>Risk is “the effect of uncertainty on objectives” (AS/NZS ISO 31000:2009 Risk management – Principles and guidelines). Risk is both opportunity and threat. Risks must be taken by businesses and organizations in order to achieve objectives. The management of risk is about understanding what the opportunities are and how best to optimise them, as well as identifying, controlling and managing threats. This is to provide assurance that the organization is meeting its governance requirements as well as assisting in the delivery of expected outcomes and returns for shareholders and stakeholders. Risk management is integral to both corporate governance and strategic planning and is part of compliance.</p>
<h2 style="text-align: left;">Compliance</h2>
<p>Compliance is “adhering to the requirements of laws, industry and organizational standards and codes, principles of good governance and accepted community and ethical standards” (AS3806 – 2006 Compliance Programs). Compliance provides benchmarks, or thresholds over which risk taking (i.e., failing to meet compliance requirements) is not acceptable. It also provides assurance to the Board that the organization is meeting its legal obligations, is adhering to internal business policies, and is conducting its operations in accordance with stakeholder rights and expectations.</p>
<h2>Area of commonality in GRC</h2>
<p>In the GRC model, compliance risks (i.e. legal, statutory, health &amp; safety, environmental management risks) are common in the discussion across all three disciplines. The reason is that an organization does not have an “appetite” for taking these risks as the outcomes are generally unacceptable where the adverse risk event occurs (i.e., breach of the law, workplace injuries, environmental damage, reputation damage etc). The organization has a low “tolerance” for such risks. All three disciplines therefore have a part to play in the identification and management of compliance risks.</p>
<h2>Differences in GRC</h2>
<p>Commercial risks (i.e. financial, product development, innovation, market development, business growth) are the domain of the risk management and corporate governance disciplines, not compliance. Risk management addresses all risks in an organisation (both compliance and commercial); however, the compliance discipline does not play a role in setting business strategy and business development. These aspects of the business are managed by the Board, Executive team and Marketing/Business Development team, where a certain appetite for business risk taking needs to be established, articulated and managed. Compliance is out of context in pursuing opportunities (unless the pursuit assumes a level of breach of compliance obligations).</p>
<h2>Dangers of amalgamating Governance, Risk &amp; Compliance</h2>
<p>With regard to risk management, managing compliance type risks is non-negotiable. A business MUST manage these risks to low or acceptable levels for the reasons stated above. The compliance personnel have a role to play in the management of such risks. Managing market development risks is outside the domain of compliance, and therefore including compliance personnel in the discussion and management of commercial, or business, risk is out of context with regard to how an organization is operated. Taking and pursuing business risks is managed by other disciplines in the business, which is why amalgamating governance, risk and compliance will, in general, not work well.</p>
<p>Another unwanted side-effect of amalgamating governance, risk and compliance is the potential duplication of effort and waste of resources. The reason is that the Compliance Officer will likely have compliance risks in their risk register and under their management. The Risk Management Co-ordinator/ Manager will also have compliance type risks in their risk register. This can lead to overlap of tasks, wastage of resources and confusion.</p>
<h2>Best approach</h2>
<p>The best approach is to consider that risk management is a whole of organisation or whole of business discipline. Therefore risk management personnel need to participate both at the Board level, to assist in the management of governance and business strategy risks, and at the operational level with the sales &amp; marketing department, to assist in managing business development risks. Risk management personnel also need to participate in the compliance department to assist in the management of compliance type risks in the risk register.</p>
<p>Governance is a whole of organization function and many parties need to be involved: the Board, Chief Executive Officer, Risk Management Co-ordinator and Compliance Manager. Compliance supports the Board in providing assurance that the organization is meeting its requirements under law as well as business best practice within a policy environment.</p>
<h2>Summary</h2>
<p>Having a clear understanding of the differences and similarities in the roles defined in this paper will assist in establishing the correct organizational structure and management of an organization’s business processes. It will also reduce the potential duplication of effort, which is one of the side-effects of integrating governance, risk and compliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2013/02/13/governance-risk-and-compliance-grc-can-they-be-integrated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Media Mismanagement</title>
		<link>http://riskpoint.com.au/2012/10/08/social-media-mismanagement/</link>
		<comments>http://riskpoint.com.au/2012/10/08/social-media-mismanagement/#comments</comments>
		<pubDate>Mon, 08 Oct 2012 10:12:06 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=461</guid>
		<description><![CDATA[1. Overview Social media is being mismanaged by organisations and businesses.  This Risk View focuses on a recent case whereby Fair Work Australia (FWA) dismissed an employer’s appeal against a decision to reinstate an employee found to be unfairly dismissed for publishing offensive and discriminatory comments against managers in the workplace through social media. It has implications for all businesses that are not prepared in managing the use of social media by its employees, whether it is company sanctioned or not. As a result of this case, you could find as an employer, that dismissing an employee for inappropriate use of social media in their own time could backfire and you may have to reinstate their employment if the use of social media is not managed appropriately. This case highlights the need to be prepared for social media management in your business or organisation. 2. Background to the case Unfair dismissal &#8230; <a href="http://riskpoint.com.au/2012/10/08/social-media-mismanagement/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<h2>1. Overview</h2>
<p><em><strong>Social media is being mismanaged by organisations and businesses. </strong></em>This Risk View focuses on a recent case whereby Fair Work Australia (FWA) dismissed an employer’s appeal against a decision to reinstate an employee found to be unfairly dismissed for publishing offensive and discriminatory comments against managers in the workplace through social media. It has implications for all businesses that are not prepared in managing the use of social media by their employees, whether it is company sanctioned or not. As a result of this case, you could find, as an employer, that dismissing an employee for inappropriate use of social media in their own time could backfire and you may have to reinstate their employment if the use of social media is not managed appropriately. This case highlights the need to be prepared for social media management in your business or organisation.</p>
<h2>2. Background to the case</h2>
<p><em><strong>Unfair dismissal of an employee for inappropriate use of social media upheld by Fair Work Australia against Linfox. </strong></em>An employee of Linfox posted offensive, derogatory and discriminatory comments about his workplace managers on his Facebook page. When Linfox dismissed this long-standing employee for such events, he lodged a complaint to FWA on the grounds of unfair dismissal. Linfox appealed and the full bench of FWA overruled their appeal. The full story can be found in the Corporate Risk &amp; Insurance article at the following link.</p>
<p><a href="http://www.insurancebusinessonline.com.au/cri/article/employee-reinstated-by-fwa-despite-facebook-rant-social-media-risks-highlighted-144327.aspx">http://www.insurancebusinessonline.com.au/cri/article/employee-reinstated-by-fwa-despite-facebook-rant-social-media-risks-highlighted-144327.aspx</a></p>
<h2>3. Being unprepared for social media carries high risk</h2>
<p><em><strong>The risks for organisations and businesses that are not prepared for the management of social media by their employees can be high. </strong></em>The lines of delineation between “work” time and “personal” time are blurring. This makes the management of the use of social media even more challenging, and this carries business, reputation and legal risk. Risk Point has indicated some of the risks with social media in previous Risk Views, and this case highlights others that are potentially looming for employers.</p>
<h2>4. What was Fair Work Australia&#8217;s finding in this case?</h2>
<p><em><strong>The absence of a Social Media Policy makes employers vulnerable. </strong></em>In its findings, FWA identified a number of key factors in this particular case. One of these factors was that <em><strong>“Linfox did not have a policy on the use of social media that made explicitly clear the employee&#8217;s conduct was contrary to Linfox&#8217;s expectations”.</strong></em> The other was that “the employee was technically inexperienced with Facebook and the management of his page”. The second factor may be outside an employer’s capability to manage; however, the first is truly inside an employer’s capacity to manage and address.</p>
<h2>5. What to do next?</h2>
<p><em><strong>Being prepared is better than ignoring the issue. </strong></em>So what can be learnt from this case? A number of things. Firstly, not having a policy and guidelines in place for appropriate use of social media by employees carries significant commercial, business, legal, reputational and financial risk. Secondly, even if you decide not to use social media in your business or organisation, you have a responsibility to provide guidance to employees on appropriate personal use of social media with regard to comments about company officers and employees. Thirdly, ignorance about social media will no longer be defensible in a legal or statutory dispute. The development of a Social Media Policy and Social Media Usage Guidelines will lower your business risk and prepare you in the event of an unfair dismissal case by an aggrieved employee where the grounds for termination are offensive, derogatory and discriminatory behaviour via the use of social media.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/10/08/social-media-mismanagement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Media Maturity</title>
		<link>http://riskpoint.com.au/2012/07/11/social-media-maturity-2/</link>
		<comments>http://riskpoint.com.au/2012/07/11/social-media-maturity-2/#comments</comments>
		<pubDate>Wed, 11 Jul 2012 07:28:30 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=434</guid>
		<description><![CDATA[In this month’s Risk View we take a slight departure from matters specifically on risk management, although this topic is very much related to risk management and strategic planning. We examine and discuss Social Media Maturity and what this means for your business. In preparation, Risk Point has developed a model to assist companies in gaining an understanding of their position in the social media “space” and to assist in business and strategic planning in the area of social media. Overview Social media means different things to different people. For young people using social media purely for personal reasons the drivers, incentives and outcomes are generally very different to those of the corporate, or business user. Social media is often viewed as a time waster by companies, particularly those that do not have a social media policy and guidelines for their personnel and who see little value in its use. For organisations &#8230; <a href="http://riskpoint.com.au/2012/07/11/social-media-maturity-2/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>In this month’s Risk View we take a slight departure from matters specifically on risk management, although this topic is very much related to risk management and strategic planning. We examine and discuss Social Media Maturity and what this means for your business. In preparation, Risk Point has developed a model to assist companies in gaining an understanding of their position in the social media “space” and to assist in business and strategic planning in the area of social media.</p>
<h3>Overview</h3>
<p>Social media means different things to different people. For young people using social media purely for personal reasons, the drivers, incentives and outcomes are generally very different to those of the corporate, or business, user. Social media is often viewed as a time waster by companies, particularly those that do not have a social media policy and guidelines for their personnel and who see little value in its use. For organisations and businesses, the use of social media needs to be considered in context with the value it adds, the benefits it provides and the degree of relevance the business aims to hold in its operating environment (internal and external stakeholder engagement). The resourcing of the adoption of social media should not be underestimated, but a planned, strategic approach to its use and adoption is by far a better approach than a random, or vague, attempt at “keeping up with the Joneses”! The Social Media Maturity Model provides high level guidance on the steps to take and the organisational change that must take place to adopt and integrate social media.</p>
<h3>Personal use</h3>
<p>Many people are actively engaged in social media and use platforms such as Facebook, Twitter, LinkedIn, YouTube, Google+, Pinterest and so on.  This phenomenon cannot be stopped and it is changing the relationship between employers and employees.  It is also “blurring” the lines of separation between work time and personal time.  Companies that fail to understand this face a significant number of business risks.  In particular, litigation from inappropriate personal use of social media in work time (and out of work time) by employees and potential release or loss of sensitive company information through the use of social media are key issues facing most organisations.  By having appropriate policies, procedures and guidelines in place for employees using social media, companies are better equipped to manage these and other risks.</p>
<p>Many organisations think they can “ban” the use of social media within the workplace. Sadly for them, this will not work. Employers can attempt to ban staff from engaging in social media using company technology such as their computers and networks, but how can they stop the use of social media on personal phones and computer tablets (iPads etc.)? They can’t! So, it’s better to be engaged rather than not engaged.</p>
<h3>Business use</h3>
<p>Many companies are now actively using social media for business, or commercial purposes.  Whilst the retail and consumer goods businesses are leading the charge, conservative industries such as mining and engineering are now using social media for marketing, stakeholder engagement, research, market intelligence and promotional purposes.  In so doing, most companies move through different levels of maturity when engaging in social media.</p>
<h3>Social Media Maturity Model</h3>
<p>Risk Point’s Social Media Maturity Model is a two dimensional tool which considers social media across four dimensions of the organisation and five stages of maturity with regard to its adoption. The dimensions are: Business, Organisation, Employees and Technology. The stages are: Laggards, Testing, Coordinating, Scaling &amp; Optimising and Innovators. The Social Media Maturity Model assists companies in determining both where they are with social media and where they may want to be. It assists in the planning, resourcing, organisational re-structuring and training with regard to the adoption and use of social media in and across the organisation.</p>
<p style="text-align: center;"> <a href="http://riskpoint.com.au/wp-content/uploads/2012/07/Risk-Point-Social-Media-Maturity-Model.jpg"><img class="aligncenter size-large wp-image-435" title="Risk Point Social Media Maturity Model" src="http://riskpoint.com.au/wp-content/uploads/2012/07/Risk-Point-Social-Media-Maturity-Model-1024x724.jpg" alt="" width="819" height="579" /></a> </p>
<p>Some organisations are in the “Laggards” stage, where there is little awareness of social media and no vision for it within the business. The use of social media is personal only, with little or no interaction between the business and the employees. In the “Testing” stage there is general awareness of social media and there is often a “toe in the water” approach to its use and adoption (such as establishing accounts in one or more of the social media platforms and informally using it). There is no clear strategy for its use and there is a bottom up approach to social media leadership. There is informal management of community (stakeholders and participants within and external to the organisation) and consideration is being given to the development of policies, procedures and guidelines on its use. There is a degree of engagement with staff and content is part company/part personal. There are no specific software tools or technologies in place to manage social media.</p>
<p>The more progressive companies are in the “Coordinating” stage, where they have tried social media and are now developing the functional management of it within the business. There is leadership and commitment but little social media governance. Management of the community is being established and policies, procedures and guidelines for both the business and personal use of social media are being developed. Such organisations are also developing metrics for managing social media and its success. The more advanced “Coordinating” businesses have centralised content management, leadership &amp; commitment, but formal governance is not yet in place. There is explicit management of community and policies and procedures are under development. There is a community based focus on social media and its management is centralised. Software tools are deployed to manage social media and there are some corporate standards for its use.</p>
<p>The “Scaling &amp; Optimising” companies are more advanced again, as can be seen in the Social Media Maturity Model. There is organisational management, leadership &amp; commitment and formal governance in place for the use and management of social media. There is an integrated community and policies, procedures and guidelines are in place for its use. There is a strategic approach to social media and there is a culture of participation within the business. Best-of-class tools and technologies are deployed to manage social media and there are corporate standards in place for its use and management. The “Innovators” are ahead of the pack and have social media embedded in organisational processes, across the business and within the organisational culture. There is an advanced community and integrated policies and procedures in place. There is integrated content management and full participation across the business. There are enterprise technologies in place for the management of all aspects of social media.</p>
<h3>Summary</h3>
<p>Companies in different stages of maturity are structured and managed differently with regard to the adoption, use and integration of social media. There are differing levels of knowledge, awareness and deployment of social media across the stages, and the management style differs. The use of the Social Media Maturity Model assists companies and organisations in considering where they are with regard to social media and where they may want to be. It also highlights how the organisation needs to be structured and managed in order to achieve its target, or objective. Establishing a strategic approach to social media will manage the risks, both the downside threats of “getting it wrong” and the upside opportunities of enhanced communication, promotion &amp; marketing, research, and market intelligence. It also provides greater staff and customer engagement within and across the business.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/07/11/social-media-maturity-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>10 Reasons Why Enterprise Risk Management (ERM) Fails</title>
		<link>http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/</link>
		<comments>http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/#comments</comments>
		<pubDate>Thu, 14 Jun 2012 10:12:14 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=390</guid>
		<description><![CDATA[In an article recently published by James Field (managing director of CompliSpace) in “Corporate Risk &#38; Insurance” magazine, ten reasons were tabled as to why Enterprise Risk Management (ERM), or “whole of business” risk management often fails.  The article presents the findings from a report prepared by PwC whereby 74% of executives that responded to the survey indicated that their organisations had formal enterprise risk management processes and systems in place but only 45% indicated they were comfortable with how well their critical risks are being managed.  Why is this so, and does this mean that enterprise risk management does not work?  We do not agree with the notion that enterprise risk management cannot work and present our views on this topic around the ten headings presented by James Field. 1. Leadership and culture Without effective leadership, buy-in from the top and the right organisational culture, it is very difficult &#8230; <a href="http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>In an article recently published by James Field (managing director of CompliSpace) in <a title="10 reasons why your ERM program won't work" href="http://www.insurancebusinessonline.com.au/cri/article/10-reasons-why-your-erm-program-wont-work-128213.aspx" target="_blank">“Corporate Risk &amp; Insurance” magazine</a>, ten reasons were tabled as to why Enterprise Risk Management (ERM), or “whole of business” risk management, often fails. The article presents the findings from a report prepared by PwC whereby 74% of executives that responded to the survey indicated that their organisations had formal enterprise risk management processes and systems in place, but only 45% indicated they were comfortable with how well their critical risks are being managed.</p>
<p>Why is this so, and does this mean that enterprise risk management does not work?  We do not agree with the notion that enterprise risk management cannot work and present our views on this topic around the ten headings presented by James Field.</p>
<h2>1. Leadership and culture</h2>
<p>Without effective leadership, buy-in from the top and the right organisational culture, it is very difficult to make enterprise risk management work. Being able to express views and opinions around the table without retribution from colleagues or the CEO is critical in making ERM work. Additionally, a board and CEO committed to business risk management will provide the right leadership and culture required to obtain the benefits and value of enterprise risk management.</p>
<h2>2. The use of Excel spreadsheets</h2>
<p>Trying to use MS Excel or MS Word to manage risk information is fraught with danger.  These tools were not designed for this purpose and specialised Governance, Risk and Compliance (GRC) software tools provide the right platform to manage risk information and integrate risk management into the business.  However, choosing the right application is critical and aligning it with organisational processes is a must if success is to be achieved. Don&#8217;t let the software drive the business, customise the software to <em><strong>suit</strong></em> your business.</p>
<h2>3. Compliance focus</h2>
<p>Many companies view risk as “compliance”.  For public companies the reporting requirements and compliance issues are significant, however this is the legacy of doing business in the public domain.  Directors that view risk management as compliance fail to see the value that true, enterprise risk management can bring to the business.  The other key aspect is that many Directors believe that if a few people identify some risks, put them into a risk register and look at them once a year, then this is risk management – “tick the box” and go back to business. Not so!</p>
<h2>4. Common risk language</h2>
<p>Establishing common risk language is critical to achieving success in enterprise risk management. The finance department uses different language to the IT department, as does the OH&amp;S department to the HR department. Further, managers often have a different interpretation of what a risk is. The OH&amp;S people often see risk as personal injury, whereas for the finance people it is about losing money. The other key factor is in naming risks and describing what can go wrong. Using a structured approach such as “<a title="ISO/IEC 31010:2009 Risk management - Risk assessment techniques" href="http://www.iso.org/iso/catalogue_detail?csnumber=51073" target="_blank">Cause – Effect” and “Root Cause Analysis”</a> helps develop common risk language.</p>
<h2>5. Diamonds in the sand</h2>
<p>Failure to demonstrate the value of risk management is a key reason for the failure of enterprise risk management.  Whether the risk professional is an in-house employee or an external consultant, it is critical to demonstrate to the CEO and senior executive team the value of risk management.  Identifying 20-30 key strategic and operational risks in a workshop forum does not take a great deal of time, and if done properly the real “gem” of risk management can be found. What may impact the achievement of our objectives?</p>
<h2>6. Over quantification</h2>
<p>If you think risk management can be done through financial modeling and mathematics, think again. Look what happened in the USA with hedge funds and the GFC. Where was Monte Carlo modeling and quantitative risk management during the financial crisis? Enterprise risk management is a qualitative and, at best, semi-quantitative activity and involves people management, alignment with organisational values &amp; objectives and sound decision making. Don’t try to overcomplicate it!</p>
<h2>7. The chasm between risk practitioners and GRC software vendors</h2>
<p>GRC software vendors are good at selling software for managing risk information and processes.  However they often have little understanding of the client’s business, maturity of decision making, business processes and capabilities.  Risk practitioners are (or should be) good at establishing risk management frameworks and facilitating risk workshops.  There is often a disconnect between the interests of the risk professional and the product vendor.  Make sure your risk professional has a strong understanding of GRC software before you make this purchasing decision!</p>
<h2>8. Vision, planning and silos</h2>
<p>The new (or not so new) risk management standard, <a title="ISO 31000" href="http://en.wikipedia.org/wiki/ISO_31000" target="_blank">ISO 31000</a>, provides guidance on how to establish, manage and integrate risk management into the business.  It starts with the requirement to have a clear mandate at the board and executive level to have risk management as part of the business.  This is an improvement on the old process-based risk management standard, AS/NZS 4360.  Furthermore, organisations often have multiple risk-based programmes underway which do not talk to each other.  They can involve health and safety programmes, business continuity planning, crisis management planning, emergency response, media management etc.  For enterprise risk management to succeed, this silo-based approach needs to be challenged and these activities integrated.</p>
<h2>9. Linking strategic objectives</h2>
<p>So often risk management programmes are not linked to organisational objectives.  Enterprise risk management will not add value unless there is a clear linkage between organisational and strategic objectives (what the business is trying to achieve) and risks which are impediments to success, or “<a title="ISO 31000" href="http://en.wikipedia.org/wiki/ISO_31000" target="_blank">the effect of uncertainty on objectives</a>”.</p>
<h2>10. Risk articulation and granularity</h2>
<p>Expressing risks appropriately is critical to success.  Describing risks which define current business conditions is stating fact (e.g., tight labour market, high Australian dollar etc.).  Risk assessment is <strong><em>not</em></strong> fact assessment.  If a current business condition <strong><em>may</em></strong> cause an unwanted event, then this could be a risk (refer item 4, common risk language).  The definition of risk can be used as guidance in expressing risks that deal with uncertainty, and not fact.  The other issue is granularity.  Having hundreds of low-level risks and many permutations of risk around impact or consequence often clouds the picture and reduces the value of risk assessments.  Conversely, only addressing a few high-level risks may not present the full picture as to the material things that may go wrong in the business.</p>
<p>In summary, enterprise risk management can work.  With the right approach, a sound understanding of your business, its objectives and your capabilities, and equipped with the risk management standard, real value can be achieved and <a title="Risk Point - Business Optimisation Through Risk-Reward Management" href="http://riskpoint.com.au/" target="_blank">business performance optimised</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/06/14/10-reasons-why-enterprise-risk-management-erm-fails/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Risk Management Task Integration</title>
		<link>http://riskpoint.com.au/2012/05/03/risk-management-task-integration/</link>
		<comments>http://riskpoint.com.au/2012/05/03/risk-management-task-integration/#comments</comments>
		<pubDate>Thu, 03 May 2012 05:09:27 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=345</guid>
		<description><![CDATA[Many organisations struggle to maintain momentum following risk assessment workshops.  In particular, they struggle to follow up future actions and to develop and implement the risk treatment plans identified during such workshops.  Further, many risk management activities including reviews of risk management frameworks, criteria, systems and processes do not get carried out for the same reasons: lack of prioritisation of business tasks; lack of commitment to the tasks; lack of adequate risk management resources; lack of planning.  This article explores this issue and provides a mechanism for integrating risk management activities into the day-to-day business operations and activities.  This mechanism is the Risk Management Task Integration Model (RMTI). In businesses where risk management maturity is less advanced (immature, early starter or even progressive), risk management activities are often viewed as “extra” tasks to be undertaken by the business and its management.  This often results in a loss of momentum in following up actions after risk assessment or &#8230; <a href="http://riskpoint.com.au/2012/05/03/risk-management-task-integration/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>Many organisations struggle to maintain momentum following risk assessment workshops.  In particular, they struggle to follow up future actions and to develop and implement the risk treatment plans identified during such workshops.  Further, many risk management activities including reviews of risk management frameworks, criteria, systems and processes do not get carried out for the same reasons: lack of prioritisation of business tasks; lack of commitment to the tasks; lack of adequate risk management resources; lack of planning.  This article explores this issue and provides a mechanism for integrating risk management activities into the day-to-day business operations and activities.  This mechanism is the <strong>Risk Management Task Integration Model (RMTI).</strong></p>
<p>In businesses where risk management maturity is less advanced (immature, early starter or even progressive), risk management activities are often viewed as “extra” tasks to be undertaken by the business and its management.  This often results in a loss of momentum in following up actions after risk assessment or risk review workshops.  Frequently managers view risk management activities as “tedious” and in the worst case, a “tick the box” mentality may prevail.  In such organisations there is often resistance and push-back from senior managers in completing risk management activities and tasks.</p>
<p>In more progressive businesses (semi-mature or mature), where there is commitment from the board and executive to risk management and its integration into the business, such issues are less prevalent (but not always!).  These issues are outlined in the opening paragraph.  The <strong>Risk Management Task Integration Model (RMTI)</strong> provides a mechanism for: identifying existing business tasks and activities; identifying new “risk” tasks (such as the development of risk treatment plans); determining what is important and what is urgent (tasks to be completed in the business); identifying any additional resources which may be required to undertake the required risk management activities; and re-prioritising tasks and allocating resources.</p>
<p style="text-align: center;"> <strong>Risk Management Task Integration Model (RMTI)</strong></p>
<p> <a href="http://riskpoint.com.au/wp-content/uploads/2012/05/RP-Risk-Management-Task-Integration-RMTI-Overview3.jpg"><img class="aligncenter size-medium wp-image-365" title="RP Risk Management Task Integration-(RMTI) Overview" src="http://riskpoint.com.au/wp-content/uploads/2012/05/RP-Risk-Management-Task-Integration-RMTI-Overview3-300x212.jpg" alt="" width="300" height="212" /></a></p>
<p>The <strong>Risk Management Task Integration Model</strong> is an eight step process to assist in integrating risk management tasks and activities into the business.</p>
<ul>
<li>Conduct risk assessments and risk analyses in the business.</li>
<li>Develop <strong>Risk Treatment Plans</strong>.</li>
<li>Establish the organization&#8217;s <strong>Risk Tolerance &amp; Risk Appetite</strong> using.</li>
<li>Identify resources required to complete risk management activities.</li>
<li>Carry out an analysis on the company’s existing work schedule.</li>
<li>Conduct a “gap analysis” on the additional tasks required to undertake the risk activities.</li>
<li>Make decisions regarding what tasks are important and what tasks are urgent.  This establishes priorities.</li>
<li>Identify whether additional resources are required to complete the risk management tasks.</li>
<li>Integrate risk treatment actions and risk management activities into the business.</li>
<li>Finally, monitor the entire process and mechanism, review and update (if required).</li>
</ul>
<p>The <strong>Risk Management Task Integration Model (RMTI)</strong> can be used in a broader context than managing the resourcing and completion of risk treatment actions and risk management reviews.  It can be applied to risk management training, education and awareness programmes as well as employee induction.  It can also be applied to the development of the organisation’s <strong>Risk Management Plan</strong>. <a title="Risk Point" href="http://www.riskpoint.com.au" target="_blank">Risk Point</a> has also developed an implementation process for RMTI. Post your request for the implementation model and we will email it through.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/05/03/risk-management-task-integration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Ten Social Media Risks For Business</title>
		<link>http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/</link>
		<comments>http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 07:49:14 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=324</guid>
		<description><![CDATA[Social media is changing the way business is done, and it is a global phenomenon.  Consider the following facts*: - 1 in every 4.5 minutes online is spent on social media - 1 in every 8 people in the world has a Facebook account - The internet now has more people age 35+ using it than those below 35 - 45% of employers screen social media sites - 35% reported they found content on Social Media that caused them not to hire candidates &#160; Many business executives do not understand the risks of social media, both upside opportunities and potential threats with this medium.  Risk Point has identified 25 key risks with Social Media, of which the Top Ten are listed in this Risk View: RISKS (Threats) 1. Failure to engage in social media and resultant loss of opportunities 2. Failure to engage in social media and the resultant loss &#8230; <a href="http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>Social media is changing the way business is done, and it is a global phenomenon.  Consider the following facts*:</p>
<ul>
<li>1 in every 4.5 minutes online is spent on social media</li>
<li>1 in every 8 people in the world has a Facebook account</li>
<li>The internet now has more people aged 35+ using it than those below 35</li>
<li>45% of employers screen social media sites</li>
<li>35% reported they found content on social media that caused them not to hire candidates</li>
</ul>
<p>Many business executives do not understand the risks of social media, both upside opportunities and potential threats with this medium.  Risk Point has identified 25 key risks with Social Media, of which the Top Ten are listed in this Risk View:</p>
<p><em><strong>RISKS (Threats)</strong></em></p>
<ol>
<li>Failure to engage in social media and the resultant loss of opportunities</li>
<li>Failure to engage in social media and the resultant loss of relevance in the market</li>
<li>Engaging in social media with inadequate policy and strategy, resulting in reputation and brand damage</li>
<li>Loss or theft of company information by employees using social media</li>
<li>Poor or inappropriate “conversations” leading to stakeholder disengagement</li>
<li>Breach of privacy laws by inappropriate use of social media by staff</li>
<li>Litigation arising from inappropriate use of corporate social media by staff</li>
<li>Staff disengagement due to lack of corporate social media strategy or positioning</li>
<li>IT security issues</li>
<li>Loss of productivity in the workplace due to excessive personal use of social media by employees</li>
</ol>
<p>The risks associated with failure to engage in social media will increase over time as competitors, staff and other stakeholders of the business engage and come to expect that their customers and suppliers are also engaged in social media.  Consider the internet twenty years ago.  The early adopters started using email and developing an online presence through web sites and blogs.  Many companies in the 1990s did not value the importance of having a web site to showcase their business online and engage with potential customers.  How many businesses in 2012 do not have a web site or use email? – None.  Social media is a further application of the enabling technology, the internet.</p>
<p>The risks of engaging without a sound strategy and policy position are different from those of not engaging in social media.  There have been many examples of poor use of social media and subsequent brand and reputation damage, including: McDonalds, Fedex, Qantas, Nestle and many others.  There is no question that social media does require adequate focus and resourcing within the business.  Failure to listen carefully, talk appropriately, respond to threats in a timely manner and respond to opportunities will cause commercial damage to the business.  Failure to support staff and employees to engage in and use social media appropriately probably poses the largest potential threat to the organization.</p>
<p><em><strong>BENEFITS (Opportunities)</strong></em></p>
<p>Social media can deliver many opportunities for businesses, including learning from customer sentiment and adapting the business to their wants and needs.  Social media also allows us to “listen” to the market, understand what competitors are doing and engage with potential customers.  Social media is a window to relevance and the ability to compete for the future, today.</p>
<p><em><strong>SUMMARY</strong></em></p>
<p>By understanding the risks associated with social media, businesses can leverage their position in the market place and improve customer service and staff recruitment and retention.  Failure to engage, or to engage appropriately with sound business rules, can spell disaster for a company.  Understand your social media risks and develop appropriate strategies, policies and procedures to obtain the benefits of this wave and manage downside threats.</p>
<p> <a href="http://riskpoint.com.au/wp-content/uploads/2012/04/Risk-Point-QR-code2.png"><img class="alignleft size-thumbnail wp-image-342" title="Risk Point QR code" src="http://riskpoint.com.au/wp-content/uploads/2012/04/Risk-Point-QR-code2-150x150.png" alt="" width="114" height="118" /></a></p>
<p>*www.twosocialmedia.com</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/04/02/top-ten-social-media-risks-for-business-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Establishing Risk Tolerance &amp; Risk Appetite</title>
		<link>http://riskpoint.com.au/2012/02/02/establishing-risk-tolerance-risk-appetite-positions-within-the-business/</link>
		<comments>http://riskpoint.com.au/2012/02/02/establishing-risk-tolerance-risk-appetite-positions-within-the-business/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 08:00:49 +0000</pubDate>
		<dc:creator>Peter Moore</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=268</guid>
		<description><![CDATA[Many organisations struggle to establish and communicate their risk tolerance and risk appetite.  The literature contains different definitions of these terms and business often struggles to establish risk tolerance and risk appetite positions. In March Risk Point will be publishing in Risk View how companies can both establish these positions and articulate them to internal and external stakeholders.]]></description>
			<content:encoded><![CDATA[<p>Many organisations struggle to establish and communicate their risk tolerance and risk appetite.  The literature contains different definitions of these terms and business often struggles to establish risk tolerance and risk appetite positions. In March Risk Point will be publishing in Risk View how companies can both establish these positions and articulate them to internal and external stakeholders.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/02/02/establishing-risk-tolerance-risk-appetite-positions-within-the-business/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>Points of view on risk management &#8211; what&#8217;s in a name?</title>
		<link>http://riskpoint.com.au/2012/01/11/points-of-view-on-risk-management/</link>
		<comments>http://riskpoint.com.au/2012/01/11/points-of-view-on-risk-management/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 06:00:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Points of View on Risk Management]]></category>

		<guid isPermaLink="false">http://riskpoint.com.au/?p=193</guid>
		<description><![CDATA[Many organisations employ a person with the title, “Risk Manager”. The Risk Management Institution of Australasia (RMIA) often refers to people employed in organisations to support the risk management process as “Risk Managers”. It even has an annual award titled, “Risk Manager of the Year”, presented to persons employed in organisations to support the risk management function. This paper explores the relationship between the actual risk manager (the person who takes and manages risk) and the support roles assisting this function; i.e., “Risk Manager” and “Risk Adviser”. It also examines the role of the Risk Management Institution of Australasia in the discipline of risk management. The “Risk Manager” role supports the actual risk takers in the business, i.e., those people in the organisation that are responsible for managing risk in the delivery of their business objectives. When organisations employ support functions and place the title of the role as “Risk &#8230; <a href="http://riskpoint.com.au/2012/01/11/points-of-view-on-risk-management/" class="rd-more">(read more…)</a>]]></description>
			<content:encoded><![CDATA[<p>Many organisations employ a person with the title, “Risk Manager”. The Risk Management Institution of Australasia (RMIA) often refers to people employed in organisations to support the risk management process as “Risk Managers”. It even has an annual award titled, “Risk Manager of the Year”, presented to persons employed in organisations to support the risk management function. This paper explores the relationship between the actual risk manager (the person who takes and manages risk) and the support roles assisting this function; i.e., “Risk Manager” and “Risk Adviser”. It also examines the role of the Risk Management Institution of Australasia in the discipline of risk management.</p>
<p>The “Risk Manager” role supports the actual risk takers in the business, i.e., those people in the organisation that are responsible for managing risk in the delivery of their business objectives. When organisations employ support functions and place the title of the role as “Risk Manager”, confusion reigns and a lack of clarity is generated around “who does what?”</p>
<p>Organisations are challenged due to the general understanding that a “Manager” of a process or function (i.e., finance; information technology; engineering; asset management; human resources etc.) is responsible for outcomes in the department or business processes for which they are accountable. When applying the title, “Risk Manager” to a role which supports risk management, this generates a false understanding that such people are actually responsible for managing business or organisational risk. The problem is compounded when there are many different combinations of words used to describe such support roles i.e., Manager Risk and Compliance, Security Risk Officer, Health and Safety Risk Officer, Chief Risk Officer etc.</p>
<p>The actual managers of risk are those people whose roles involve taking risks and adding value to their organisations, not the support roles which espouse the use of neat models, diagrams and processes to assist the risk takers. A person who has neither worked in a senior strategic management role, nor run a business or enterprise has very little experience in actual risk taking, and therefore “risk management”. This problem is compounded when the “Risk Manager” works in the public service or local government sector where often the tenure of their position is guaranteed (or at least secure) and where the person has no experience in business “risk-taking”.</p>
<p>Then there is the role of “Risk Adviser” who advises organisations on the risk management function, processes and activities. An adviser is normally a person with deeper knowledge in a specific area i.e. a specialist. A “Risk Adviser” may be an internal role or one who is contracted to the organisation to provide specialised skills and advice.</p>
<p>In the context of the external, independent “Adviser”, it is the specialised skills and impartiality that adds value to the client who pays for such advice. The person who fills this role is the consultant. A consultant is usually an expert or a professional in a specific field and has a wide knowledge of the subject matter (Pieter P. Tordoir (1995). The professional knowledge economy: the management and integration services in business organisations.). A consultant usually works for a consultancy firm or is self-employed, and engages with multiple clients.</p>
<p>The independent consultant is a true risk manager as they manage their own business with all the risks associated with the uncertainty of cashflow, management of resources to support the business, (time, capital, staff) and strategic decision-making to ensure their services meet market demand. This is carried out whilst considering market and competitive forces as well as monitoring trends to ensure relevance of their role in the broader risk management profession whilst also ensuring the success of their own enterprise or business.</p>
<p>The role of “Risk Adviser” (particularly consultant) is the most well-equipped to provide strategic risk management advice to business as they have the skills and experience in making such decisions. In addition, they are required to hold specialist risk management skills in order to “add value to their clients’ business” (one of the key principles of AS/NZS ISO 31000:2009, Risk management – Principles and guidelines). This role also assists the Board of a company to define and establish its risk appetite and risk tolerance position as the independent “Risk Adviser” performs this function in their own business. An employee in an organisation with the title “Risk Manager” actually knows very little about risk appetite as they generally are not involved in strategic decision-making and therefore do not risk their organisation’s financial capital. The advice they provide to their executive team or Board is based on their reading and understanding of the risk management literature (including the risk management Standard), formal education, skills acquired on the job and past experience.</p>
<p>Underpinning the support for practitioners of the discipline of risk management are professional bodies such as the Risk Management Institution of Australasia (RMIA). By its very nature, the role of RMIA is one of engendering cooperation and sharing a common purpose for its members. However, there is a myopic view within certain aspects of the RMIA membership and Board that “Risk Advisers” (consultants) are not part of the risk management profession and therefore do not share a common purpose with other members. This view divides the common purpose of the Institution, which paradoxically has a membership base comprising a significant number of risk management consultants (“Risk Advisers”).</p>
<p>In fact, “Risk Advisers” are generally more experienced in taking and managing risk than internal “Risk Managers”. They are generally more experienced in advising Boards and executive teams in establishing risk appetite and integrating risk management into the strategic decision-making processes in the business. Often such advice adds more value in a business than creating (risk management) processes which are often not applied by managers in organisations who do not fully understand risk management.</p>
<p>As the risk management discipline struggles with the growing pains of establishing its identity in organisations and developing recognition amongst its peers (i.e., accountants, actuaries, company secretaries, finance managers, solicitors etc.), it is incumbent on the RMIA to adopt a leadership role in the profession, and not one of exclusiveness and divisiveness in protecting the interests of the “Risk Manager” while limiting the opportunities to promote risk management philosophies and principles as an essential element of good management practice.</p>
<p>The challenge for risk management to be recognised as a “profession” will be an ongoing one for risk management practitioners involved in playing a part in providing organisations with skills, knowledge, processes and support mechanisms to allow managers to take and manage risks in order to obtain appropriate returns for risk and to achieve organisational objectives. A broad rather than narrow view of the risk management profession is what is required to build recognition of all participants in the diverse activities of “risk management”.</p>
<p>The challenge for RMIA is to adopt an inclusive approach to the broad and valuable contribution made by all its members and to foster a cohesive and united approach to the development of “risk management”. The challenge for practitioners is to gain a greater understanding and acceptance of the respective roles described herein which all contribute towards effective risk management as a management discipline.</p>
]]></content:encoded>
			<wfw:commentRss>http://riskpoint.com.au/2012/01/11/points-of-view-on-risk-management/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
