THE ROLE OF RISK MANAGERS, CHAMPIONS, AND COMMITTEES
BCLC's risk management program would not have been possible without the two risk managers, the ERMAC group and its champions, and the initial drive from the head of Internal Audit to implement ERM. Although most risk managers will state that the most important prerequisite for a successful risk management program is active endorsement by senior management, the provision of operational managerial resources is also essential. At BCLC, as with most organizations, the greatest progress has been made when there has been a designated risk manager assigned to the ERM program.
The role of the central risk function at BCLC, Risk Advisory Services, has not been to manage any specific risks, but rather to provide expert facilitation, coordination, and advice to management. The accountability for individual risks remains with the manager responsible for the program where the risk originates.
The two managers who have supported the ERM program came from very different backgrounds and brought different approaches to the program. Initially the program was initiated within Internal Audit and the first risk manager brought both extensive internal audit experience and, as an internal appointment, an understanding of BCLC's culture and approach. The second risk manager came with a more operationally focused risk management background and from a very different sector. Enterprise risk management is a developing discipline, and practitioners come from a wide variety of backgrounds (including finance, audit, health and safety, quality assurance, engineering, insurance, etc.), each with their own slightly different approach. Where risk management programs are supported by a single individual, change in personnel can be an opportunity to revitalize programs but also has the potential for discontinuity.
During the initial establishment of the program in 2007-2008, the active engagement of the ERMAC group of risk champions supported adoption of risk management across BCLC, bringing their knowledge and enthusiasm to both the enterprise risk assessments and the development of the program as a whole.
Risk champions are frequently advocated as a way to embed risk management into functional areas through their existing personal and professional relationships, and also as a group with diverse backgrounds and operational experience to assist with articulating a more holistic enterprise-level view of risk. However, there are some issues with the concept:
• Those selected may be the usual suspects – individuals who are chosen for every initiative either because they are felt to be particularly capable, in which case they may be overly stretched, or conversely because they are underutilized at present, leading to the possibility that they may not have the required influence to be effective.
• There may be a perception that the champion is responsible for risks in his or her division or functional area, even though other individuals hold the appropriate managerial or oversight role. This issue may lead to risks being identified but not effectively managed with formal treatment plans, and potentially to difficulties with monitoring and follow-up. Over time, champions may feel that they are put in a difficult position, or may become frustrated that their concerns are not taken forward and acted upon.
During the establishment of the ERM program, the role of the champions on the ERM Advisory Committee was clear, but as the program progressed, and in particular following the changes in 2009, the mandate became less clear and members began to feel a degree of frustration. The 2010 Internal Audit ERM review picked up on these concerns, and a new model was proposed that led to the disbanding of the committee in 2011.
The new model recognized the high level of engagement of senior management across BCLC and the more dynamic role of the Executive and the board, and also picked up on the developing concept of linking governance, risk, and compliance (GRC) matters into an integrated approach. The previous mandates of both ERMAC and a compliance committee that BCLC had established in early 2010 were brought together into the new Risk Management Planning Group (see Exhibit 10.7). This group consists of the leads from key BCLC programs, such as business planning, portfolio management, business continuity, enterprise architecture, internal audit, and policy management, with the primary role to share knowledge and improve coordination across the functions.
Early accomplishments for the group included the development and adoption of a shared lexicon of key risk management terms, and a jointly developed compliance management proposal and business case. Currently, the group is focused on developing a broad-based GRC-type dashboard, which will bring together information about the status of risks, audits, policies, regulations, performance indicators, incidents, and issues at a divisional level.
Exhibit 10.7 ERM Governance Structure, 2012-2013