ERM Chapter 15 Risk Management Competencies


To set up strong risk management in an organization, you need skilled people who know what they’re doing. Risk management helps organizations succeed, but only if it’s backed by capable professionals who fit the organization’s size, type, and setup. This section looks at what skills risk management experts need, what abilities people in the organization should have, and how to check for gaps and plan improvements. It also covers specific skills these professionals often need—like leading discussions, analyzing data, and persuading others—and explains the worth they bring to the organization.

A big part of this is the role of risk practitioners. Risk management isn’t just a list of tasks anymore; it’s a real profession. Like other jobs, it has certain skills that professionals need to do their work well. These skills split into two types: technical or management skills, and behavioral skills. Technical or management skills are the know-how and abilities required to handle the job. Behavioral skills are the personal traits and ways of acting that help them do it effectively.

Businesses today face rapid changes from financial shifts, political events, new rules, governance demands, and technology advances. These create new risks, while digital growth shakes up companies and makes organizational life trickier and less predictable. A good reputation takes time to build but can be ruined quickly. Human resources and hiring practices are also evolving fast to keep up with these challenges.

Enterprise Risk Management (ERM) is now a detailed process woven into how organizations are run and governed. It demands a solid grasp of the business, its strategies, and its culture. A Chief Risk Officer (CRO) today needs to be a trusted teammate to the leadership, guiding the organization to take smart risks and foster a strong risk culture. To do this, the risk team must build good relationships and work closely and honestly with departments like compliance, operations, customer service, finance, HR, sales, and tech. This is a big shift from the old view of risk management as just number-crunching to avoid losses or ticking boxes for rules.

Knowing how to handle the numbers side of risk management is still key, especially for those starting out. But senior risk experts now spend more time teaming up with other departments, focusing on things like risk culture, behaviors, rewards, project success, new risks, and preparing for crises. They’re also more involved with top leaders and the board on big business decisions. A CRO needs sharp people skills and emotional smarts to work with both the board and staff, ensuring the leaders set a strong example for risk ethics and culture. A big part of the job is explaining risk appetite—balancing risks and rewards as the organization chases its goals. The CRO helps the board think about uncertainties that could hit the business model, keeping it strong and sustainable over time. They also connect with outside groups like partners, suppliers, regulators, and investors. So, modern risk professionals need way more than just technical know-how to stay effective. While this discussion started with insurance, the changes it points out apply across industries. Still, building a risk team means balancing strategic leaders with technical experts who support them.

Risk management is a fairly new field, and many organizations say there aren’t enough senior candidates who’ve grown up in it, earning qualifications and experience like accountants do. This shortage, combined with the need for leadership and change skills, has pushed some organizations to hire senior risk leaders from outside the field. This is especially tough in developing countries, where risk management expertise is scarce, and even regulated businesses are still figuring out what’s required.

12.1 Career levels

The framework is built around four career levels instead of focusing on specific job titles or roles: Leadership, Senior, Management, and Support. Each level includes different kinds of jobs. As people move up from the Support level to the Leadership level, they learn more about risk management standards. The importance of these roles can vary depending on the organization’s size, reach, and how advanced its risk management is. For example, the person in charge of guiding risk management might be at the Senior level in a small company or local government, but in a big international company, they’d likely be at the Leadership level.

  • At the Leadership level, people have the deepest knowledge and skills. They create the organization’s risk strategy, oversee risk issues, and guide the board and decision-makers on risk plans. They also help shape the future of risk management as a profession. Examples of jobs here include Chief Risk Officer, Director of Risk Management, Head of Risk Management, or high-level consultants.
  • The Senior level involves strong knowledge and skills too. People here develop risk policies and procedures, contribute to the risk strategy, and make sure it’s carried out. They also manage improvements to risk practices and work with people inside and outside the organization. Jobs at this level might be Risk Manager, Senior Risk Consultant, Senior Risk Analyst, or Head of Risk Management.
  • At the Management level, people fully understand risk concepts and how to use them. They manage and advise on putting risk processes into action and highlight why they matter. Examples include Risk Management Executive, Risk Management Officer, Risk Management Adviser, Risk Analyst, or Risk Consultant.
  • The Support level is for those with little or no experience. They focus on explaining why risk management is helpful and assist with setting up its processes. Jobs here could be Risk Management Assistant, Risk Management Officer, or Risk Analyst.

Technical Skills for Risk Management

Technical skills, as explained by Hopkin and Thompson, should match the PIML steps for setting up risk management. We already looked at these PIML steps in Unit 2 and on pages 92 to 98 of their book. Hopkin and Thompson list the specific technical skills tied to each PIML step in table 28.1. These skills also work for any plan that uses the plan-do-check-act approach.

The technical skills needed can vary based on the area where the risk professional works. Some examples of these areas are:

  • Strategy and performance,
  • The risk management process itself, and
  • Strengthening the organization’s abilities.

The skills required also depend on the risk professional’s level in the organization—like whether they’re at the Leadership, Management, or Support level.

The framework is structured into four functional areas. Each of these is broken down into risk functional area components:

  • Insights and context: Uses knowledge of internal and external influences to ensure robust risk management in responsive and agile organizations.
    • Risk management principles and practice: Understanding the principles and practice of risk management and the relevance and use of theories, processes and tools.
    • Organizational environment: Understanding the internal environment of an organisation and its implications for risk management practices.
    • External operating environment: Understanding how the external environment influences an organization and its implications for risk management practices.
  • Strategy and performance: Develops a risk management strategy to meet organisational needs.
    • Risk management strategy and architecture: The development and implementation of risk management strategy and architecture.
    • Risk management policy and procedures: The development and implementation of proportionate risk management policy, guidelines, procedures and action plans.
    • Risk culture and appetite: The creation of a risk culture that is intrinsic to an organization’s culture.
    • Risk performance and reporting: The development and implementation of a risk measurement performance and reporting framework.
  • Risk management process: Manages the risk management process.
    • Risk assessment: The identification, analysis and evaluation of the nature and impact of risks and opportunities.
    • Risk treatment: The development, selection and implementation of risk treatment strategies and controls.
  • Organizational capability: Develops and manages a skilled, agile and responsive risk organization.
    • Communication and consultation: The development and implementation of communication structures and plans.
    • Change management: The management of risk within strategic and operational change.
    • People management: Systematic performance management and skills development to meet strategic needs.

1) Risk management principles and practice

  • Relevance of risk management
    • Leadership: Advocates risk management as a central part of an organisation’s strategic management.
    • Senior level: Educates an organization on the probability, nature and scope of risks and opportunities and their likely impact on an organization.
    • Management level: Advises on the selection and implementation of appropriate concepts and processes.
    • Support level: Explains different types of risks and possible responses to their treatment.
  • Tools and techniques
    • Leadership: Ensures resilience is incorporated into organizational strategy.
    • Senior level: Builds resilience across an organization to manage current and future risks, opportunities and uncertainties.
    • Management level: Analyses the suitability of the use of risk management tools and techniques and makes recommendations.
    • Support level: Explains risk management standards, concepts, theories, processes and approaches to risk management.
  • Principles of risk management
    • Leadership: Anticipates and influences risk management thinking at a national and/or international level.
    • Senior level: Advises on the appropriateness of different approaches to managing risks.
    • Management level: Champions the benefits of risk management to stakeholders.
    • Support level: Explains the value of risk management.

2) Organizational environment

  • Internal ethos
    • Leadership: Advises on the interface between an organisation’s overall vision, mission, objectives, culture and strategy and the risk management strategy.
    • Senior level: Assesses the influence of an organization’s strategic intent, internal context and governance practice on risk management.
    • Management level: Promotes the link between an organisation’s vision, mission, objectives, culture, strategy and organisational risk practices.
    • Support level: Explains the link between an organization’s vision, mission and its operational objectives and risk practices.
  • Internal influence through risk management
    • Leadership: Influences an organisation to adopt a comprehensive, consistent and collaborative approach to risk.
    • Senior level: Influences management decision-making to achieve the right balance of risk and opportunity.
    • Management level: Explains how to use organisational structures and processes to meet resilience requirements.
    • Support level: Explains an organization’s structures, systems and processes and their links to risk practices.
  • Organizational ownership
    • Leadership: Establishes an organizational structure that leads to the desired culture to facilitate an organization’s long term interests and viability.
    • Senior level: Embeds risk management into organizational strategies and policies.
    • Management level: Embeds risk management practices into operational processes.
    • Support level: Describes the factors involved in embedding risk management practices into operational processes.

3) External operating environment

  • External relevance
    • Leadership: Influences the impact of risk management across an industry sector and beyond.
    • Senior level: Assesses the potential impact of the external environment.
    • Management level: Identifies the factors in the external environment that may affect an organisation.
    • Support level: Describes the kind of factors in the external environment that may affect an organization.
  • External operating context
    • Leadership: Evaluates the strategic alignment of an organization’s risk management and its external operating environment.
    • Senior level: Aligns an organization’s risk management with its external operating environment.
    • Management level: Identifies opportunities within the external environment to maximize reward and minimize risk.
    • Support level: Explains the likely impact that external factors may have on an organisation.
  • Regulatory impact
    • Leadership: Evaluates the implications and limitations of the regulatory environment on an organisation.
    • Senior level: Analyses the impact of developments within the regulatory framework.
    • Management level: Implements risk management activities to meet regulatory requirements.
    • Support level: Describes the regulatory framework within which an organisation operates.

4) Risk management strategy and architecture

  • Mandate
    • Leadership: Achieves commitment and ownership from decision makers to a proportionate risk strategy and architecture.
    • Senior level: Evaluates the extent to which individual risk strategies are consistent with the overall risk strategy.
    • Management level: Explains the purpose and role of a risk management framework, strategy and architecture.
    • Support level: Explains the components of a risk management framework, strategy and architecture.
  • Strategy
    • Leadership: Develops the risk management strategy and approach that optimises risk appetite.
    • Senior level: Assigns ownership and levels of authority that comply with the requirements of the strategy.
    • Management level: Makes recommendations for improvements to the risk management strategy.
    • Support level: Provides management information to support risk strategy development.
  • Structure
    • Leadership: Establishes a coherent, transparent and rigorous risk governance structure that supports an organisation’s risk strategy.
    • Senior level: Ensures consistency between an organisation’s risk management strategy, organisational strategies and its governance structure.
    • Management level: Communicates the requirements of the risk governance structure.
    • Support level: Describes the features of an effective risk governance structure.

5) Risk management policy and procedures

  • Policy
    • Leadership: Develops a risk management policy that is consistent with the risk management strategy.
    • Senior level: Implements plans and priorities to deliver risk management policy within agreed timescales and budgets.
    • Management level: Explains the purpose, role and benefits of embedding risk management policy and procedures into organisational policies and procedures.
    • Support level: Explains the purpose of risk management policy and procedures, and its components.
  • Roles and responsibilities
    • Leadership: Defines risk management accountabilities and methodologies that meet strategic requirements.
    • Senior level: Implements risk management policy ensuring that ownership and responsibilities are fulfilled within authority limits.
    • Management level: Advises on the appropriate use of methodologies, tools and techniques within the context of the risk policy.
    • Support level: Explains the features of methodologies, tools and techniques and their uses.
  • Resources
    • Leadership: Secures commitment and resources that will enable the implementation of the risk strategy.
    • Senior level: Reviews the effectiveness of risk management policy and processes and the use of resources, and makes recommendations.
    • Management level: Uses a range of resources to analyse management information to support recommendations for improvements to risk management policies and procedures.
    • Support level: Provides management information to support improvements to risk management policies and procedures.

6) Risk culture and appetite

  • Risk culture design
    • Leadership: Influences an organisation’s leadership in determining the desired risk culture.
    • Senior level: Fosters an organisation’s culture through the design of organisational systems, processes and behaviours.
    • Management level: Acts as a role model of the culture expected through personal behaviours and actions.
    • Support level: Explains an organization’s risk culture and acts accordingly.
  • Risk appetite
    • Leadership: Influences decision makers’ understanding of risk appetite and its implications.
    • Senior level: Nurtures the balance between risk taking, risk management and rewards in line with an organisation’s risk appetite.
    • Management level: Explains how an organisation establishes its risk appetite and tolerance.
    • Support level: Explains the factors that influence people’s perceptions of risk and opportunities and their impact on risk appetite.
  • Behaviours and values
    • Leadership: Ensures an organisation’s approach to risk management is aligned with its risk maturity and values.
    • Senior level: Embeds risk management approaches into organisational values.
    • Management level: Carries out reviews of the extent to which risk culture is demonstrated through individual behaviour and operational activities.
    • Support level: Identifies the level of risk maturity and its implications for risk culture and appetite.

7) Risk performance and reporting

  • Risk reporting systems
    • Leadership: Establishes a comprehensive risk reporting system that is aligned with other organisational performance management structures and processes.
    • Senior level: Reports on the strategic and financial impact of risks.
    • Management level: Ensures that risk reporting systems operate efficiently.
    • Support level: Explains the purpose of measuring and reporting risk performance and the use of technology to support effective risk management.
  • Risk performance indicators
    • Leadership: Defines organizational Key Risk / Performance Indicators (KRIs/KPIs) for evaluating risk management performance, strategy, processes and controls.
    • Senior level: Specifies the design requirements of risk performance reporting systems.
    • Management level: Uses analytical tools and techniques to monitor changes to an organisation’s risks and opportunities; updates risk information.
    • Support level: Complies with legal, ethical and regulatory requirements in the gathering and recording of risk information.
  • Risk reporting protocols
    • Leadership: Ensures that risk reporting systems enable effective decision making and are capable of identifying actual and emerging risks.
    • Senior level: Reports recommendations for improvements based on systematic analyses of information at agreed intervals.
    • Management level: Produces risk management reports, highlighting areas of concern, change, emerging threats and opportunities.
    • Support level: Explains the uses of risk information; reports the potential consequences of poor risk reporting.

8) Risk assessment

  • Risk assessment process
    • Leadership: Defines the approaches to risk identification, analysis and evaluation; establishes the level of investment to be deployed.
    • Senior level: Interprets facts, patterns and trends to reach evidence-based decisions on the nature of risks and opportunities.
    • Management level: Uses a range of information sources and assessment tools and techniques to identify, analyse and evaluate risks and opportunities.
    • Support level: Contributes to the risk assessment process.
  • Analysis of risk impact
    • Leadership: Scopes the potential impact of aggregated risks and worst case scenarios quantitatively and qualitatively.
    • Senior level: Prioritises risks and opportunities in terms of probability, scale, significance, impact and distribution.
    • Management level: Explains the range of factors that can influence the perception of risk.
    • Support level: Explains how and why to use different risk assessment tools and techniques.
  • Evaluation of risk consequences
    • Leadership: Evaluates the impact and value of potential strategic risks and opportunities.
    • Senior level: Evaluates interdependencies between risks, uncertainties and opportunities, critical failure points and resource implications.
    • Management level: Advises on the use of risk assessment tools and techniques.
    • Support level: Explains how to display the results of risk assessments.

9) Risk treatment

  • Risk treatment and risk appetite
    • Leadership: Ensures an organisation’s approach to the treatment of risk is aligned with its risk appetite and strategy.
    • Senior level: Monitors the effectiveness of an organisation’s approaches to risk treatment and makes recommendations.
    • Management level: Implements controls to manage identified risks in accordance with risk treatment strategies and budgets.
    • Support level: Explains the suitability of different risk response options and control types.
  • Cost-effective risk treatment
    • Leadership: Determines risk treatment strategies and investment that align with an organisation’s approach to risk management.
    • Senior level: Develops, prioritises and resources suitable controls to treat identified risks and manage opportunities.
    • Management level: Supervises the quality of risk monitoring and mitigation actions taken, challenging and making interventions when issues arise.
    • Support level: Explains the costs and benefits of risk treatment activities.
  • Business continuity and crisis management
    • Leadership: Integrates business continuity strategies and crisis management within an organisation’s risk management strategies and plans.
    • Senior level: Ensures the continuing coordination of business continuity and crisis management strategies and plans with risk management.
    • Management level: Collates and analyses management information to support crisis management and business continuity plans and activities.
    • Support level: Explains the principles and features of crisis management and business continuity.

10) Communication and consultation

  • Risk communication procedures
    • Leadership: Establishes an organisation’s approach and infrastructure for communication about risk management.
    • Senior level: Identifies media and methods for communicating the risk strategy that align with target groups.
    • Management level: Uses agreed media and methods to communicate risk matters.
    • Support level: Communicates risk matters to agreed stakeholders, adhering to organisational values and standards.
  • Risk communication contents
    • Leadership: Promotes the view that risk management is a universal responsibility and acts as a risk champion across an organisation.
    • Senior level: Develops risk communication interventions that further relationships with stakeholders and are consistent with organisational values and standards.
    • Management level: Provides stakeholders’ feedback on the effectiveness of the risk communication infrastructure and strategy.
    • Support level: Ensures that information communicated is accurate and complete, and complies with relevant regulations.
  • Stakeholder engagement
    • Leadership: Develops an organisational stakeholder engagement strategy that is consistent with the risk strategy.
    • Senior level: Manages stakeholders’ expectations in a way that is consistent with organisational values and standards.
    • Management level: Builds productive relationships with stakeholders through effective communication and consultation.
    • Support level: Supports risk communication and consultation processes within agreed guidelines.

11) Change management

  • Embedding risk responsiveness
    • Leadership: Ensures that risk management is embedded throughout change programmes.
    • Senior level: Advises on how to embed risk management throughout an organisation’s change activities.
    • Management level: Supports the embedding of risk management throughout an organisation’s change activities.
    • Support level: Explains the relationship of change management and risk management.
  • Developing change plans
    • Leadership: Achieves strategic and cultural change that optimises opportunities and mitigates risk through change programmes.
    • Senior level: Develops change plans that support agreed changes to strategies and policies.
    • Management level: Implements change plans in a way that minimises disruption to operations.
    • Support level: Supports others in managing risks in accordance with their role.
  • Implementing change
    • Leadership: Promotes the vision for strategic change in line with the risk culture and strategy.
    • Senior level: Ensures change-related risks and opportunities are managed proportionately.
    • Management level: Assesses the impact of the delivery of change plans, reporting any adverse effect or unexpected opportunities.
    • Support level: Contributes positively to tasks relating to implementing change.

12) People management

  • Fulfilling personal objectives
    • Leadership: Provides inspirational leadership that motivates and empowers people to fulfil their objectives.
    • Senior level: Provides support that incentivizes people to take responsibility for managing risks and opportunities within the limits of their role.
    • Management level: Influences the behaviour of others to ensure that risk management objectives and standards are met.
    • Support level: Explains the requirements of their own role.
  • Risk management capability
    • Leadership: Establishes an appropriately resourced structure that is capable of delivering the risk strategy.
    • Senior level: Deploys the right mix of competence and expertise to meet strategic and operational imperatives.
    • Management level: Supports operational teams and individuals on the practice of risk management.
    • Support level: Takes active responsibility for their own personal and professional development.
  • Risk management competence
    • Leadership: Plans the development of the knowledge and competence of the workforce to meet anticipated risk management requirements.
    • Senior level: Develops the knowledge and competence of the workforce for the management of risks and opportunities.
    • Management level: Provides risk management support to individuals that enables them to achieve their objectives.
    • Support level: Contributes constructively to the achievement of agreed goals and objectives.

Personal Skills for Risk Management

Behavioural competencies are the personal traits and actions that help someone do their job well. While technical skills—the know-how needed for the job—are about “what” to do, behavioural skills are about “how” to do it. Just like technical skills, these personal skills can be learned and improved over time. In fact, people should keep working on them throughout their lives. Organizations can support this by offering workshops, seminars, and encouragement to employees. We look for these behaviours when choosing people for roles in an organization where understanding risk management is important.

The behavioural competency framework outlines the personal traits and actions that the risk management profession sees as vital. It focuses on qualities specific to risk management experts and doesn’t cover general frameworks like management, which are explained elsewhere. This framework can be used alongside other national or organization-specific guidelines. This framework helps meet professional standards. For example, improving “Collaboration and partnering” (a personal skill) supports the standard of “Building strong relationships with stakeholders through clear communication and teamwork.”

There are six key personal skills:

  1. Courage and confidence
    • Achieves an appropriate balance between determination and stubbornness
    • Has courage and strength to admit mistakes and work on them
    • Stands by decisions and principles even in the face of strong opposition or threats
    • Is comfortable taking tough decisions and delivering difficult messages confidently
    • Backs up conclusions with evidence
    • Accepts responsibility and is accountable for the outcomes of work
    • Pursues a course of action tenaciously to achieve goals and objectives
  2. Influence and impact
    • Adapts communication and behaviour according to the audience/readership
    • Uses knowledge and experience to influence others
    • Builds “behind the scenes” support for ideas
    • Structures the message and uses clarity and conciseness of expression so that others can understand the implications of an issue
    • Captures the attention of the audience/readership by fluent and convincing communication, appealing to stakeholders’ needs, perspectives and key wins
    • Identifies linkages, relationships and power structures and plays to decision makers
  3. Integrity, ethics, and values
    • Adheres to code of professional conduct
    • Maintains consistently high standards of work, loyalty, honesty and commitment
    • Fulfils responsibilities to the highest professional and ethical standards
    • Never cuts corners or jeopardises appropriate risk management by taking “the easy option”
    • Remains independent and enables others to make informed decisions
    • Is approachable and open with information
    • Does not promise what cannot be delivered
  4. Innovation and catalyst
    • Identifies innovative and insightful solutions from disparate areas of business that take into account stakeholders’ culture and motivations
    • Fosters an environment where change is welcomed and people feel confident about suggesting ideas
    • Maintains a systematic, but flexible, approach to problem solving and decision making, using past lessons to inform future actions
    • Generates practical and commercially/financially viable ideas for improvement that align with business objectives and strategy
    • Is quick to spot and capitalise on emerging trends that may affect an organisation’s future growth and alerts others to the implications of decisions, issues and developments
    • Leaves no stone unturned in seeking inspiration for viable ideas for improvement
    • Encourages others to seek opportunities for improvement and adopts others’ ideas
  5. Building capability
    • Identifies individual and team development needs to meet business requirements and considers the needs of others beyond the team
    • Educates stakeholders on professional knowledge and expertise
    • Provides direction and support to others to achieve or exceed objectives and suggests appropriate development opportunities
    • Builds shared understanding of a business across different teams and encourages contributions from others
    • Strives constantly to improve professional knowledge
    • Seeks and exploits opportunities to develop skills and abilities
  6. Collaboration and partnering
    • Makes every effort to find out stakeholders’ needs, expectations and motivations and to discover what can be provided
    • Establishes a rapport with strategic partners by adopting a friendly, open, knowledgeable and helpful attitude
    • Builds strong networks with key stakeholders and promotes resource-sharing
    • Treats stakeholders with equal courtesy, consideration and respect and exemplifies corporate culture and values
    • Appreciates the viewpoints of others, even if they are in contradiction
    • Negotiates diplomatically and seeks to find common ground, compromise and mutually acceptable solutions in disagreements
    • Offers viable and constructive responses in a timely manner

Each skill includes three parts:

  • A short explanation
  • Examples of good behaviors
  • Examples of unwanted behaviors

This setup lets users quickly see the behaviors they should aim for and recognize what’s not acceptable. These skills are described as actions you can observe. People using the framework—whether they’re checking themselves or being evaluated by recruiters or managers—should look for proof of whether these skills are shown or not. All risk management professionals need these skills, but which ones matter most depends on:

  • The specific job in risk management
  • The person’s level (like Leadership or Support)
  • The organization’s size and setup
  • The current needs of the job
  • Upcoming changes in the organization’s goals or structure
  • The person’s own interests (like a specific industry or risk type)

Depending on someone’s level, each skill might apply fully or partly. For example, in “Influence and impact,” Leaders should show all the positive behaviors, while at the Support level, only some might apply. At a minimum, Support-level people should:

  • Adjust how they talk or act based on who they’re addressing
  • Use their knowledge and experience to guide others
  • Share ideas clearly and confidently so others grasp the importance of an issue

On the other hand, Support-level people aren’t expected to show these higher-level behaviors yet, though they should know they’ll need them as they grow:

  • Gain quiet support for ideas behind the scenes
  • Grab attention with smooth, convincing communication that matches stakeholders’ needs and interests
  • Spot connections, relationships, and power dynamics to sway decision-makers

When judging how well someone shows these behaviors, you could rate them as:

  • Falling short of expectations
  • Doing better than expected
  • Meeting expectations

Risk management helps organizations succeed, but only if it’s backed by capable professionals who fit the organization’s size, type, and setup.

Two key questions for an organization are ‘what are the existing competencies?’ and ‘how far are these competencies away from what is advised by best practice?’ Two approaches can be taken to establish the gap between existing and desired competencies: a skills audit and the interview approach. A skills audit is useful to gather data on the existing competencies to enable a comparison with best practice competencies and skills. The interview approach can be used to gather data when selecting risk staff and as part of the personal development and improvement appraisals for existing staff.

Competency roadmap

We’ll look at how to make a plan, or roadmap, to boost the skills within an organization’s risk team. The ideas here can also help improve risk management skills for all employees across the organization. A roadmap is a set of steps that moves us from where we are now to where we want to go. In a competency roadmap, it lists the actions needed to raise the skill level of a risk professional or team to a suitable point. The right level of risk management skills depends on how mature the organization and its industry are at handling risks. This target skill level is shaped by both the organization’s current risk maturity and the maturity level it aims to reach. As the organization gets better at managing risks, the skills needed also need to grow.

Creating a risk management competency roadmap follows the usual steps of a project:

Key Things to Think About

Starting the Project

  • Figure out and confirm where the skill gaps are in risk management.
  • Set a budget for the project.

Planning the Project

  • Decide which skills to improve first, based on the organization’s main risks and controls.
  • Find the best ways to fill these skill gaps, like on-the-job training or professional courses.

Carrying Out the Project

  • Make sure the roadmap fits with the organization’s regular risk management activities.

Finishing the Project

  • The roadmap should keep going over time, but specific tasks within it should have clear deadlines.
  • Once tasks are done, review what worked and what didn’t to learn for next time.

Upskilling

The goal of upskilling is to make sure employees have the abilities they need for their jobs in the organization. It’s best to plan upskilling as part of a competency roadmap so that any training or coaching matches the organization’s target level of risk management maturity. When upskilling fits into a broader skill-building plan, it can also show junior staff a clear way to grow their skills and experience, helping them move up in their careers. This clear path can make it easier to hire and keep good employees. The most popular ways to upskill are:

  • Training
  • Coaching and mentoring

Training

The following types of training should be considered for building the competencies of risk management professionals:

| Sr No | Type of Training | Details |
|---|---|---|
| 1 | Academic training, for example, international certificate in Enterprise Risk Management | Suitable for giving risk professionals a broad knowledge and understanding of enterprise risk management |
| 2 | Short courses, for example, Practical risk appetite | Suitable for an in-depth look at a particular subject with a focus on practical implementation |
| 3 | Hands-on training / on-the-job training | Suitable for situations where there is an experienced supervisor passing on the benefit of their knowledge and experience |

Coaching and Mentoring

Coaching and mentoring are key parts of an organization’s learning and growth plan and can be very helpful for building risk management skills. The Chartered Institute of Personnel and Development (CIPD) explains them like this:

  • Coaching: Coaching is a hands-off way to help someone improve how they do their job. It looks at both what the organization needs and what the person wants to achieve. It helps people figure out what they’re good at and where they need to grow. While personal traits might come up, the main focus is on how they perform at work.
  • Mentoring: Mentoring happens when a more experienced worker shares their know-how to help a less experienced colleague grow. Usually, the mentor and the person being mentored don’t work together daily or have a boss-employee relationship. Mentoring tends to last longer than coaching.

How Coaching and Mentoring Are Used

Coaching and mentoring can fit into many situations, but they’re most often used for:

  • Helping manage and improve performance
  • Getting people ready for and guiding them through changes
  • Encouraging self-led learning and growth

The Facilitator’s Role

Before diving into how to run a successful risk workshop, we need to look at the key role of the workshop facilitator. The traits of a facilitator aren’t just special to risk workshops—they’re part of everyday management skills. There are three main styles of facilitation: Directive, Collaborative, and Supportive. A skilled facilitator can switch between these styles depending on what works best for the workshop. The choice of style depends on the workshop’s goal, the situation inside and outside the organization—like how urgent the workshop feels—and the organization’s culture and level of experience. Here are the key traits and skills a facilitator should have:

  • Work well with big, varied groups
  • Keep themselves and the group in a good mindset
  • Handle sessions in person or online
  • Manage disagreements
  • Use lots of different facilitation methods and tools
  • Keep people engaged
  • Steer groups toward results
  • Strong process-handling skills
  • Good people skills
  • Knowledge of the subject area
  • A responsive way of working
  • A flexible mindset
  • Awareness of what’s happening around them
  • Behavior that fits the situation

Running effective risk workshops

Risk workshops are a way to gather opinions and agree on the risks an organization faces, especially when identifying risks. Running a good risk workshop isn’t easy, so we’ll break it down in more detail. There are three main steps to running a successful risk workshop:

  1. Planning
    Planning is likely the most crucial step. It can make or break whether the workshop works well or falls flat.
  2. The Workshop
    Risk workshops should be:
    • Enjoyable
    • Exciting enough that people want more
    • Helpful to the team
    • Set up to lead to decisions and clear next steps
  3. Results
    • Keep an action log that covers the basics: what needs to be done, who’s doing it, and by when.
    • Share the results with everyone who attended.

Analytical Skills

When it comes to analyzing risks, math skills matter, but the real key is being able to think logically and show it in your work. Risk practitioners often deal with tons of information, spot trends, and explain what they find clearly and sensibly. These analytical skills are super helpful when writing reports, creating training, or leading risk workshops, like we talked about earlier. For these skills to work well, they need to lead to a decision or action—something risk practitioners especially need to focus on. Some people are quick to act, while others dig deep into analysis. Finding a balance between fast decisions and thorough thinking is important. Organizations now have more data than ever, which is both a chance and a challenge for risk practitioners. The Oxford English Dictionary describes “big data” as huge sets of information that computers can analyze to find patterns, trends, and connections, especially about how people act and interact. In the past, risk practitioners leaned on opinions from experts or small samples of data. But with bigger databases and better tools, they can now look at all the data instead.

Some big challenges with data include:

  • Making sure the organization’s needs drive how data is used, not just the tech.
  • Checking that the data is correct and useful.
  • Keeping data secure.
  • Following laws about data handling, like the GDPR rules in the EU.

In risk management, there’s also more data to handle. The risk register is like a database that holds everything the organization knows about its risks and how it controls them. As organizations grow and risks get trickier, they often need advanced software tools. These tools help analyze risk data and create reports or dashboards.

Here are some ways data can be used:

  1. Looking at all the data instead of just small pieces.
  2. Adding more risk details to databases—like incident logs, near misses, or control breakdowns—and sorting them.
  3. Using databases that make searching and reporting easy.

Communication, Reporting, and Presentations

We’ll explore how communication, reporting, and presentations can be powerful tools to influence others. Influencing means getting people on board, sparking their interest, building connections, and capturing their imagination. Influencing involves skills like listening well, understanding how groups work, negotiating, and seeing things from stakeholders’ perspectives, even when their needs differ. At the heart of all this is good communication. Communication skills are super important for risk practitioners. Risk communication happens in two ways:

  • Informal – like chatting with stakeholders or holding risk workshops.
  • Formal – like writing risk reports or giving presentations.

Every type of communication involves some storytelling. For important talks, reports, or presentations, it helps to plan out what you want to say and how to say it. A big part of making it work is thinking about how the person hearing or reading it will take it in. For formal risk communication, the 5Cs can guide you: make it clear, short, logical, believable, and thorough.

In an Annual Report, you’ll usually see risk details in places like:

  • A section just for risk management.
  • The strategic report.
  • The directors’ report.
  • The notes to the financial statements.

When looking at the risk info in an Annual Report you pick, ask yourself:

  1. Is the risk info too broad or fuzzy to be clear or make sense?
  2. Does it feel real and trustworthy, based on what you know about how risk management works in an organization?
  3. What’s missing? What aren’t they telling you?

Complacency versus crisis

The competency framework lists traits of a risk practitioner with strong influencing skills, like:

  • Adjusting how they talk or act based on who’s listening or reading.
  • Using their know-how and experience to sway others.
  • Quietly building support for ideas behind the scenes.
  • Explaining things clearly and briefly so people get the point of an issue.
  • Grabbing attention with smooth, convincing talk that fits stakeholders’ needs and interests.
  • Spotting connections, relationships, and who holds power, then tailoring their approach to decision-makers.

When trying to influence stakeholders, risk practitioners need to find a middle ground. They focus on spotting patterns in incidents and risks and what these could mean for the organization. Problems can pop up in different ways—some hit fast, like a fleet crash or a fire, while others creep up slowly, like health issues from asbestos or harmful chemicals at work. This makes it tricky to avoid being too relaxed or too panicked. If risk info is always downplayed, it can make people too laid-back, leading to weak efforts to handle risks. But if it’s overly dramatic and stuck on worst-case scenarios, the risk practitioner might lose trust or push the organization into a habit of reacting to crises instead of planning ahead. A big plus of enterprise risk management is helping organizations make smarter, quicker decisions. This comes from the special spot risk practitioners often have—working across all parts, teams, and areas of the organization to make it work.

Risk practitioners help decision-makers by:

  • Running risk management tasks that give structured info to guide choices.
  • Talking with stakeholders to understand the situation and goals of the decision.
  • Sharing clear, to-the-point info that matters for the choice at hand.

Through their role in enterprise risk management, risk practitioners can nudge key people in the organization toward a mindset of growing value, rather than just playing it safe like in the old days.

The Worth of a Risk Management Professional

As a risk management professional, you can show your value to the organization in three main ways:

  • Make an Impact: Push risk management as something that adds value at every level of the organization.
  • Make a Difference: Join in on the organization’s big-picture strategy talks.
  • Engagement and Commitment: Be a reliable teammate to the organization’s leaders and managers.

The risk practitioner helps shape how risk is handled through the organization’s setup—like its risk architecture, strategy, and procedures. For these to really help, they need to work well at all levels of the organization. To add value, these risk management systems and steps should fit the organization’s current risk maturity level. If they’re too complicated or feel like endless checklists, you risk turning off leaders and managers. With a wide view of the whole organization, a risk practitioner can spot where things are weak—like in controls, teamwork, communication, or sharing info. Then, they can bring the right people together to fix those gaps in a positive way.

Being part of the organization’s strategy discussions is one of the best ways to stand out as a risk practitioner. The Chief Risk Officer (CRO), for example, is described as:
“…a leader of the ERM process, the CRO pulls together different risk management efforts to make sure the company’s limited resources are used wisely.”

Senior risk professionals can make the biggest difference by focusing their time on key areas they can shape. Their role keeps growing and includes things like:

  1. Creating quick stress tests and business plan predictions.
  2. Checking the investment strategy.
  3. Improving defenses against cyber risks.
  4. Watching out for fraud more closely.
  5. Tackling other day-to-day risks.
  6. Updating and fixing risk models.
  7. Teaming up with top leaders to rethink risk appetite and strategy.
  8. Overhauling the risk behavior and culture setup.
  9. Strengthening the company’s ability to handle reputation hits.
  10. Boosting the organization’s understanding of big, widespread risks.

Building Trust and Dedication

To really make a mark and bring change as a risk practitioner, you need to earn the trust of the organization’s leaders and managers. Becoming that trusted partner can be tough, especially if the top bosses don’t see why risk management matters. As noted, “…the risk team, led by the CRO, needs to build solid ties and work openly and honestly with teams like compliance, operations, customer service, finance, HR, sales, and tech.” A great way to start getting closer to senior leaders and the board is by helping shape the organization’s risk appetite—how much risk it’s willing to take. You can also assist by looking at risks to the business model and dealing with outside groups like partners, suppliers, regulators, and investors.

To keep proving your worth as a risk management professional and a reliable partner, you have to keep growing your technical skills and personal traits. This helps you stay on top of a role that’s always changing and growing.
