Risk management skills are a must for anyone who aspires to be a business leader or, especially, a risk manager. There are risks to be addressed at all business levels, and if business leaders and risk management professionals are unable to manage the risks effectively, their upward mobility in organizational charts likely will grind to a halt.
The best risk managers are often unknown to many of the employees in their organization because they either mitigate risks before business problems result or prevent risks from becoming an issue in the first place. People often only notice when things go wrong, not when they go right. A business could have 364 days of trouble-free operations in a year. But, on the one day a mission-critical server crashes, there's a data breach, an executive's laptop is stolen or another risk-related event occurs, all eyes are on the risk management team in an organization.
Being a capable risk manager requires awareness and knowledge to uncover potential business risks and present them to the people who are best suited to decide if the risks are acceptable or resolve ones that are problematic. Risk managers don't necessarily have to make required fixes themselves -- they just need to bring the situation to someone who can.
What is risk management?
Risk management is the process of identifying, assessing and managing potential issues that could have a negative impact on an organization's business operations and financial performance. It involves being mindful of potential risks and what could go wrong -- both the expected and the unexpected. Risk managers must be aware of all forms of risk in their area of responsibility -- and beyond, if possible. They should know how those risks would affect the business and what steps to take or what contingency plans to activate to reduce risks and avoid business problems.
This article is part of
Is risk management a soft skill?
Risk management is a complex and comprehensive process. It's definitely not a soft skill -- or, at least, not just one. There are many types of risk, including compliance, security, operational, financial and reputational risks. Risk managers require a combination of both hard and soft skills to successfully address all the various risks.
For example, compliance is a key risk factor. There are few greater risks than running afoul of government regulatory agencies -- compliance issues often can do far more damage to an organization than a hacker or out-of-date software. Risk managers need to constantly study, evaluate and implement new regulations as they come -- and they do keep coming.
In addition, proactivity is the hallmark of effective risk management. A reactive approach means addressing problems after they become problems, which can result in flawed risk management initiatives. Risk managers need to stay ahead of the risk curve.
How do you become a good risk manager?
Good risk managers need a variety of skills. The following are 12 important ones they should possess.
1. Analytical skills
Risk managers need analytical skills to collect data, analyze risks and make sound decisions based on the results. They also need to be able to spot holes and weaknesses that others may have missed in IT systems and infrastructure, business processes, financial practices and other areas.
2. Problem-solving skills
Risk managers also need to be able to solve problems. While some risks might require passing the issue on to someone above a risk manager's pay grade, others often will be left to the risk manager to solve. As a result, they need to like getting their hands dirty from a problem-solving standpoint.
3. People management and leadership skills
All the problem-solving skills in the world are useless if managers can't rouse the troops. Risk managers need good people management and leadership skills to inspire and incentivize staff members. In some cases, risk management might require upsetting the apple cart, and managers need the respect of their team through the inevitable challenges.
4. Relationship-building skills
This goes hand in hand with the leadership skills. Risk managers must be able to build relationships -- and not just with their immediate subordinates. They should also be able to do so with their superiors, as well as other corporate executives and department heads.
5. Financial knowledge
Risk managers need to know the potential cost of network outages and security breaches, as well as the likely financial impact of other business risks. Ultimately, financial risk will get everyone's attention in the C-suite and individual departments. The costs of lost productivity, lost income and financial penalties can be crippling to a business if risks aren't managed properly.
6. Regulatory knowledge
If there's one thing governments do well, it's regulating things. Regulations are constantly being added and updated. Risk managers must invest some of their time to stay up to date on all the changes and understand new and evolving regulatory requirements.
7. Business understanding
To identify and estimate risks to a company, risk managers need to understand how the business works. They can't say finance doesn't matter because they're in IT, or vice versa. Business understanding is a must -- especially if the risk manager aspires to join the C-suite in the future.
8. Ability to quantify risks
After assembling a list of potential business risks, risk managers need to be able to do a risk assessment and then rank the likelihood and severity of each risk. They should create and regularly update a list that notes the most likely to least likely risks, as well as the most severe to least severe ones. This helps determine the risk management program's focus on an ongoing basis.
9. Ability to plan risk management approaches
After preparing the ranked list of risks, a risk manager then needs to lead the process of planning how to manage them. That could include accepting risks that are deemed reasonable based on an organization's agreed-upon risk appetite and risk tolerance or adopting strategies to mitigate risks so they pose less of a business threat. In other cases, the organization might transfer risks to a third party or seek to eliminate them through risk avoidance measures.
10. Strategic thinking
No sports team ever wins by only playing defense -- and that applies here, too. If risk managers look at how things affect the business as a whole, they might come up with a better way for their organization to operate. Part of a risk manager's job is to see the big picture -- and maybe notice something others have missed.
Risk management requires constant education and keeping up with relevant news, trends and issues. Not so long ago, no one had heard of ransomware. Now, it's one of the greatest cybersecurity threats that companies face. News sites and industry journals should be regular reading material for risk managers.
12. Mathematics skills
Because risk management involves a lot of data analysis, risk managers must be comfortable with numbers and calculations. There are many analytics tools available -- from Microsoft Excel to business intelligence software -- that can help with cost estimates and other math work. But solid math skills are a prerequisite for using such tools effectively.
Create a culture of psychological safety to help manage risk
People often throw around the phrase, "Don't shoot the messenger." But, all too often, corporate management does shoot the messenger. This creates a climate where many workers are afraid to speak up about problems that can create business risks.
For example, after all Boeing 737 MAX airplanes were grounded due to two fatal crashes in 2018 and 2019, it was revealed that engineers knew the planes had defects but were afraid to go to management.
To avoid such situations, a new way of thinking has emerged that applies the concept of psychological safety to work teams. Team psychological safety is about creating a climate where people in an organization aren't afraid of being punished for making a mistake or being the bearer of bad news. It's meant to ensure that employees aren't reluctant to raise issues -- especially ones that involve serious business risks. As a result, risk managers should learn about it and incorporate it into their processes.