Historically, the corporate risk management department has been based on the partnership engagement model in that the department is viewed as a partner that supplies services to the core business. Using the COVID 19 pandemic as a backdrop, we will explain how this model no longer works and how corporate risk management departments can evolve so they are seen as contributing to business outcomes and to the success of the organization.

“The legitimate object of government, is to do for a community of people, whatever they need to have done, but can not do, at all, or can not, so well do, for themselves - - - in their separate, and individual capacities.” - Abraham Lincoln, Fragment on Government, July 1, 1854 “When you see how hard it’s been for governments to get their citizens to just put on a mask in stores, or get vaccinated, to protect themselves, their neighbors and their grandparents from being harmed or killed by COVID-19, how in the world are we going to get big majorities to work together globally and make the lifestyle sacrifices needed to dampen the increasingly destructive effects of global warming - for which there are treatments but no vaccine? That’s magical thinking, and it demands a realistic response.” - Thomas Friedman, The Climate Summit Has Me Very Energized and Very Afraid, New York Times, November 9, 2021

Gifted thinkers from Abraham Lincoln in the 19th Century to Thomas Friedman in the 21st Century have long worried about the ability of humanity to manage uncertainty - to adapting and learning more, doing more of what works, and collaborating more. Because whether it’s navigating through a once-in-a-century pandemic or addressing climate change before it’s too late, building better systems to manage uncertainty is the only route to a healthier and safer world.

One area of business that needs to adapt is the corporate risk management department. As previously explained, the current model of risk management departments, are typically not seen as performing activities that relate to the core purpose of the organization. This true of other corporate functions such as IT departments.

Why is this? Think about how these two departments came into being. Historically, they were created as back-office functions that made sure that the company had proper commercial insurance and that the company’s computers kept running. The mindset was that these back-office functions would partner with the rest of the business by delivering these services. Value was not measured on the basis of outputs or contributions to the success of the business. Instead, performance was measured on the basis of inputs: money spent on insurance premiums and computers and whether projects (the insurance program or computer system) came in on time and budget.

Let’s turn back to the pandemic to explain why the partner-engagement model isn’t strong enough to influence business outcomes. At the time this article was written (December 2021), a new COVID-19 variant - Omicron - was sweeping the world. Dr. Ashish Jha, one of America’s foremost public health experts tweeted on December 8, 2021 that your health risk depended on your membership in one of three groups:

  • Group 1 - Immunologically naïve: Unvaccinated and not recently infected who will get infected at exceedingly high rates. Many will get sick and the degree of illness will likely be moderate to severe.
  • Group 2 - Somewhat protected: People with 1-2 vaccine shots or a recent infection. Large numbers of this group will experience breakthrough infections but severe illness, except for high risk individuals, should largely be preventable.
  • Group 3 - Highly protected: People who are fully vaccinated and received booster shots or have hybrid immunity (infection + two shots). Probably some limited breakthroughs but severe illness will be rare.

​ Consequently, the Omicron variant will be a “big deal” if you are in Group 1 but you are likely to experience mild to no disease if you are in Group 3. What’s interesting is that Dr. Jha’s use of three groups mirrors our earlier discussion of uncertainty and the importance of shifting our mindset away from the study of problems or deficits to the other half of the continuum which promotes the best of the human condition. In other words, should we tie optimal health and well-being to eliminating deficit gaps that cause negative deviance or should we focus more on increasing abundance and positive deviance? Look again at Kim Cameron’s map which corresponds to Dr. Jha’s groupings:

Application of Cameron’s classification to Dr. Jha’s groupings means that the “Immunologically Naïve” population will experience illness, the “Somewhat Protected” population will experience normal health, and the Highly Protected population will flourish. The question for the United States and other countries will be how to increase the number of “Highly Protected” groups. We think it will come down to the degree to which public health expertise can be better integrated within individual communities. Without that integration, communities will continue to struggle with decision-making and developing a sense of shared ownership for public health.

The same principle holds true for the future of the corporate risk management community. While some centralization will remain (e.g., everyone uses the same insurance program and claims process), risk management professionals need to embed within each department of the organization. Otherwise, risk management professionals, like public health officials, will remain disconnected, from influencing outcomes.

The role of senior leadership is to ensure that the integration happens and that there is a consistency of practice across the organizations. Think of it as risk management serving as a common framework in that every business unit has the same canvas and paint but leaves it up to individual unit to decide what they paint and how (i.e., manage uncertainty). The role of the risk management professional in this scenario is not to function as a supplier of services but as a valued contributor to the ongoing operation and to the success of the business unit.

There are at least four key components that make up a model de-centralized risk management framework that should be scaled up within each business unit:

  • Collaborative learning;
  • Decision-making;
  • Process accountability and methods improvement.
  • Effective communication

We will explore each of these components at length in future columns.​