Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives.
Risk is part of all our lives. As a society, we need to take risks to grow and develop. From energy to infrastructure, supply chains to airport security, hospitals to housing, effectively managed risks help societies to achieve. In our fast-paced world, the risks we have to manage evolve quickly. We need to make sure we manage risks so that we minimise their threats and maximise their potential.
Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives. So it must be proportionate to the complexity and type of organisation involved. Enterprise risk management (ERM) is an integrated and joined-up approach to managing risk across an organisation and its extended networks.
Because risk is inherent to everything we do, the types of work undertaken by risk professionals are incredibly diverse. They include roles in insurance, business continuity, health and safety, corporate governance, engineering, planning and financial services.
The work is likely to be primarily office based but often includes visits to other offices to see clients (if you’re working in consultancy) or to sites (if you’re working in sectors such as construction). At a more senior level, you may spend time away from the office at conferences.
Travel within the working day is common, but depends on the size of the organisation and your level of responsibility. Risk management jobs are available across the UK, but overseas travel may be required if you are working for a company that operates internationally.
Risk management strategies and processes
According to technology-focused website TechTarget, all risk management plans – in whichever area or sector they are applied – follow the same steps that combine to make up the overall risk management process. These are as follows.
- Risk identification: the company identifies and defines potential risks that may negatively influence a specific company process or project.
- Risk analysis: once specific types of risk have been identified, the company then determines the odds of it occurring, as well as its consequences. The goal of the analysis is to further understand each specific instance of risk, and how it could influence the company’s projects and objectives.
- Risk assessment and evaluation: the risk is then further evaluated after determining the risk’s overall likelihood of occurrence combined with its overall consequence. The company can then make decisions as to whether the risk is acceptable and whether the company is willing to take it on based on its risk appetite.
- Risk mitigation: during this step, companies assess their highest-ranked risks and develop a plan to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention tactics and contingency plans in the event the risk occurs.
- Risk monitoring: part of the mitigation plan includes following up on both the risks and the overall plan to continuously monitor and track new and existing risks. The overall risk management process should also be reviewed and updated accordingly.
Skill up while serving
Read our two in-depth case studies, Alastair Allison and Lieutenant Colonel Joe Gossage, which highlight how ex-Services personnel have used their Forces experience and transferable skills to make a successful transition to a civilian career in risk management. You might be surprised at the sort of parallels there are between military roles and risk-management careers.
TRANSLATE YOUR SKILLS
The basic skills you will need for a successful career in risk management include:
- technical acumen
- problem-solving and decision-making abilities
- analytical skills and a good eye for detail
- the ability to cope under pressure
- planning and organisation skills
- negotiation skills and the ability to influence people
- good communication and presentation skills
- commercial awareness
- numerical skills and the ability to evaluate costs
- the ability to understand broad business issues.
Risk management standards
A number of standards have been developed worldwide to help organisations implement risk management systematically and effectively. These standards seek to establish a common view on frameworks, processes and practice, and are generally set by recognised international standards bodies or by industry groups. Risk management is a fast-moving discipline and standards are regularly supplemented and updated.
The different standards reflect the different motivations and technical focus of their developers, and are appropriate for a variety of organisations and situations. Standards are normally voluntary, although adherence to a standard may be required by regulators or by contract. Commonly used standards include:
- ISO 31000 2009 – Risk Management Principles and Guidelines
- Risk Management Standard – IRM/Alarm/AIRMIC 2002, developed by the UK’s three main risk organisations
- ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
- COSO 2004 – Enterprise Risk Management – Integrated Framework
- OCEG ‘Red Book’ 2.0: 2009 – a Governance, Risk and Compliance Capability Model.
Professional qualifications from the Institute of Risk Management (IRM) seek to equip students with the knowledge and judgement to select the appropriate standard or standards for use within their organisation. You can read about the IRM’s Professional Standards here: www.theirm.org/about/professional-standards-in-risk-management.aspx and its Risk Management Standard here: www.theirm.org/the-risk-profession/risk-management/irms-risk-management-standard
The mission of the IRM is to build excellence in risk management, in all sectors and across the world. Read about how some members have benefited from the IRM here: www.theirm.org/about/testimonials
Entry to this industry without a degree is possible, but you will usually start in an administrative role before working your way up to a risk assistant position and then progressing on to a risk manager role. Employers expect A-levels or equivalent qualifications for entry through this route.
International Certificate in Enterprise Risk Management
For those new to the career, the IRM offers the International Certificate in Enterprise Risk Management, an introductory distance-learning qualification, which takes six to nine months to complete. It is delivered as two modules, which are taken together. It offers a thorough grounding in the principles and practice of risk management. Find out more here: www.theirm.org/qualifications/international-certificate-in-enterprise-risk-management.aspx
NEBOSH National Certificate in Fire Safety and Risk Management
This qualification is particularly popular with Service leavers and offered by many ELCAS approved training providers. Courses leading to this qualification should equip holders to carry out fire risk assessments of most low-risk workplaces and identify the range of fire protective and preventative measures required. It is therefore also suitable for those moving into fire safety adviser roles. The course covers the management of health and safety – and in particular fire safety – including legal requirements.
No previous health and safety or fire safety knowledge is required. The qualification is divided into three units, each of which is assessed separately:
- Management of Health and Safety
- Fire Safety and Risk Management
- Practical Fire Risk Assessment.
This modular structure provides great flexibility, enabling students to choose to study individual units in any order over a five-year period.
Course fees are determined by individual course providers and vary depending on the format of the course. You should plan your study around a minimum of 70 taught hours and approximately 55 hours of private study and background reading. Training providers offer courses to fit around your requirements, via:
- distance or blended learning
- day or evening courses over a number of weeks
- block release or modular courses.
Find out more here: www.nebosh.org.uk/qualifications/certificate/default.asp?cref=64&
Other course providers
Other professional bodies that offer sector- or occupation-specific risk management training include:
- CFA Institute
- Chartered Insurance Institute (CII)
- Global Association of Risk Professionals (GARP).
See ‘Key contacts’ for full details of all of these.
Although this area of work is open to all graduates, a degree in one of the following subjects may increase your chances:
- finance or economics
- management or business studies
Graduates of less relevant subjects can also take the IRM’s International Certificate in Enterprise Risk Management (see above) to give them an introduction to risk management and increase their chances of gaining an entry-level position. It also offers the International Certificate in Financial Services Risk Management, which is a degree-equivalent qualification. Although there are no formal entry requirements, students are expected to have some knowledge of risk management tools and techniques. The course is delivered through supported distance learning, which includes directed self-study and online coaching. Find out more here: www.theirm.org/qualifications/international-certificate-in-financial-services-risk-management.aspx
Graduates of risk management courses and courses with risk management content are sought after and targeted by recruiters of risk managers. Some risk management undergraduate and postgraduate courses offer exemptions from IRM professional qualifications.
Postgraduate courses in risk management can also be studied, sometimes on a distance-learning basis. Such courses can offer a way to develop your career and may be supported by your future employer. The IRM offers an International Diploma in Enterprise Risk Management, which is a postgraduate-level qualification for risk management professionals. It usually takes around 18 months to complete and, again, is undertaken via distance learning. Find out more here: www.theirm.org/qualifications/international-diploma-in-risk-management.aspx
IRM Certificate and Diploma students join the IRM as students during their studies and are upgraded to relevant qualified member grades upon completion. Students on risk management degree and postgraduate courses are able to apply for free student membership of the IRM while studying, which can help with job prospects. Visit the IRM website for details of the different levels of membership available (see ‘Key contacts’).
Postgraduate qualifications are not essential but can be advantageous. A master’s in risk management is also available at a number of universities and may be particularly relevant if you have not completed a risk management-related degree.
Continuing professional development (CPD) is also important and the IRM runs a range of courses and training events throughout the year, to help risk managers keep up to date with developments in the area and refresh their skills.
Use your ELC
Under the ELC scheme, a wide range of learning can be taken, provided it is offered by an approved provider listed on the ELC website at www.enhancedlearningcredits.com and is at level 3 or above.
Risk-related careers are incredibly diverse, reflecting the widespread role of risk management in companies and communities. Risk roles range from banking and insurance to logistics and infrastructure, aviation, space travel, construction, public health, international development and many more. Because of their highly transferable skills, qualified and experienced risk management professionals are able to move easily between different sectors and countries. Transferring across sectors can often open up opportunities to gain higher salaries, better prospects and sponsorship of further qualifications.
Employers of risk managers include:
- charities and commercial businesses
- energy and utilities companies
- engineering and construction companies
- insurance companies
- NHS trusts
- local authorities.
At higher levels, employers look for experience or knowledge of risk management, so it may be useful to seek work placements during leave time if these are not part of a course you are taking or plan to take. This could set you up with risk and insurance contacts, which could help your future job prospects. Experience from your Service career could also be useful if it relates to the sector in which you wish to specialise in a risk management role.
There are also opportunities for self-employment for experienced risk managers who want to set up their own consultancy. And there may be opportunities to work abroad as demand for risk managers is growing, particularly in new fast-developing economies.
WHERE TO LOOK FOR JOB VACANCIES
Alarm, the risk professionals’ organisation, has vacancies in the public sector: www.alarm-uk.org
The Association of Insurance and Risk Managers (AIRMIC) – has job listings in its members’ section: www.airmic.com
Jobs In Risk: www.jobsinrisk.com
Individual companies may advertise opportunities on their websites. There are also specialist recruitment agencies that have details of risk management vacancies. These include:
Adam Appointments – agency for risk management recruitment in Scotland: www.adamappointments.co.uk
IPS Group – recruitment of risk managers in a variety of sectors and locations: www.ipsgroup.co.uk/risk-management-jobs
What can you earn?
Note: the following figures are intended as a guideline only.
Risk management is not an entry-level role. Typical starting salaries for those starting in a risk technician role are around £21,250. Risk analysts with between one and six years’ experience can earn from £29,000 to £44,000. With several years’ experience at risk manager level, salaries can range from £46,500 to £74,000. With substantial experience at director level it is possible to earn £70,000-plus.
Salaries vary widely depending on sector, level of responsibility and location. The highest salaries are found in financial sectors and in London-based positions.