Risk management is a must for anyone who aspires to be a leader or manager. There is risk to be addressed at all business levels, and if a leader is unable to manage risk, their upward mobility will disappear.
The best risk managers are often unknown, because they mitigate or prevent the risk. People often only notice when things go wrong, not when things go right. A business could have 364 days of trouble-free operation. But the one day a server crashes, there's a data breach or a laptop is stolen -- all eyes are on you.
Being a capable risk manager requires awareness and knowledge to uncover potential risks and present them to people best suited to solve the problem. A risk manager doesn't necessarily have to make the fix -- they just need to bring it to the person who can.
What is risk management?
Risk management means being informed and mindful of potential risks and what could go wrong -- the expected and the unexpected. Risk managers are aware of all forms of risk to their area of responsibility -- and beyond, if possible. They know how those risks would affect the business and what steps to take, or what contingency plans should be in place to avoid the problem.
Is risk management a soft skill?
Risk management is a very complex and comprehensive skill. It is not a soft skill. There are many types of risk, including compliance, security, operational and financial. Compliance is a key factor, because there can be few greater risks than falling afoul of government regulatory agencies. They can do far more damage than a hacker or out-of-date software.
Risk managers need to constantly study, learn, adapt and implement new regulations as they come -- and they keep coming. Proactivity is the hallmark of risk management. A reactive approach means addressing the problem after it becomes a problem. Risk managers need to stay ahead of the curve.
How do you become a good risk manager?
Good risk managers need several skills. Here are some of those skills.
1. Analytical skills
Risk managers need analytical skills to collect data and make important decisions using that data. They also need to spot holes and weaknesses that others may have missed in the systems, infrastructure and other areas.
2. Problem-solving skills
Risk managers also need to be able to solve problems. While some risks may require passing the news on to someone above their pay grade, some will fall to the manager to solve. So they need to like getting their hands dirty.
3. People management and leadership skills
All the problem-solving skills in the world are useless if managers can't rouse the troops. Risk managers need good people and leadership skills to inspire and lead staff. Risk management may require upsetting the apple cart, and managers need the respect of their team through challenges.
4. Relationship-building skills
This goes hand in hand with the previous skill. Risk managers need to be able to build relationships -- and not just with their immediate subordinates. They should be able to build relationships with other departments and superiors.
5. Financial knowledge
Risk managers need to know the average cost of network outages and security breaches. Financial risk is what will get everyone's attention. Managers need to know the costs in lost productivity, lost income and financial penalties -- the latter of which can be crippling.
6. Regulation knowledge
If there is one thing the government does well it is regulate. Regulation is constant and changing. Risk managers must invest their time to stay up to date on all changes and understand those updates.
7. Business understanding
To identify and estimate risks to a company, risk managers need to understand how the entire business works. They can't say finance doesn't matter because they are in IT, or vice versa. Business understanding is a must -- especially if the risk manager has aspirations for the C-suite.
8. Ability to quantify risks
After assembling a list of potential risks, risk managers need to be able to rank, on a scale of their choosing, the likelihood and severity of each risk. They should have a complete list that notes the most to least likely risk, and the most severe to least severe risk. This will determine the risk manager's focus.
9. Ability to choose mitigation strategy
There are four main types of mitigation action or strategy, according to the site Skills You Need:
- Acceptance. This means accepting the risk and taking no action to mitigate it. This is for risks that will only have a small effect or are unlikely to happen.
- Avoidance. This means making every effort to avoid the risk. This is for catastrophic risks that are almost certain to happen.
- Limitation. This is the most common mitigation strategy, which aims to limit either the likelihood or the effect of the risk.
- Transference. This is the transfer of risk to someone else who is prepared to accept it. This is used in areas outside of a risk manager's core competency.
10. Strategic thinking
No sports team ever wins by only playing defense -- and that applies here, too. If a risk manager looks at how things affect the business as a whole, they might come up with a better way to operate. Their job is to see the big picture, and they might see something others miss.
Risk management requires constant education and keeping up with the news. Ten years ago, no one heard of ransomware. Now it's one of the greatest threats that companies face. News sites and industry journals should be regular reading material.
Risk management involves a lot of numbers and analysis. This requires comfort with numbers and calculations. There are many analytical tools available -- including Microsoft Excel -- that can help with cost estimates.
Create a culture of psychological safety
People often throw around the phrase, "Don't shoot the messenger." But all too often, management does shoot the messenger. This creates a climate where people are afraid to speak up.
After the Boeing 737 MAX airliners were grounded due to two fatal crashes, it was revealed that engineers knew the planes had defects but were afraid to go to management.
As a result, a new way of thinking emerged called psychological safety. Psychological safety is about creating a climate where people are not afraid of being punished for making a mistake or being the bearer of bad news. Psychological safety is meant to bring in a climate where people are not afraid to speak up -- especially when it relates to severe risk.