This guidance issued by the Malta Association of Risk Management (MARM) is intended to describe a base level of competencies for a professional risk manager to function effectively in any sector. The document covers:
● Roles of the Risk Manager - describes the tasks associated with each role and common or likely requirements supporting the achievement of these tasks
● Required Competencies - outlines the competencies required of a risk manager to effectively carry out the roles described under Roles of the Risk Manager
● Demonstrating Competence - outlines ways in which these competencies can be demonstrated to third parties by risk managers
The Core Competencies of a Professional Risk Manager
Malta Association of Risk Management (MARM) NOVEMBER 2017
Contents
1. Scope & Purpose of this Document
2. Key Definitions
3. The Role of the Risk Manager
3.1. Define Risk Architecture
3.2. Risk Assessment
3.3. Risk Response
3.4. Risk Monitoring & Reporting
3.5. Managing Risk Culture
4. Required Competencies
5. Demonstrating Competence
6. Document Revision History
7. Sources & Further Reading
1. Scope & Purpose of this Document
The notion behind risk management is as old as mankind whilst risk management as a discipline has
been practiced in public and private bodies for many decades. The recognition of risk management as a
profession however, involves general acceptance of risk management as a standalone occupation as well
as acknowledging the importance of promoting the integrity and competence of those practicing it. We
believe that creating the right conditions for the professional recognition of risk management and risk
managers in Malta is of paramount importance and this document entitled ‘The Core Competencies of
the Professional Risk Manager’ is our contribution to this process.
Defining these core competencies of the professional risk manager is not an easy task and in order to set
the scene, there are several challenges worth highlighting. First of all, almost any position or role within
any organisation involves the application of risk management to some extent. For example, an
experienced general manager will usually have wide range of risk management experience. A second
challenge is that the roles bearing the ‘risk manager’ title are diverse and some require specific technical
skills (for example mathematical modelling). We have responded to these challenges as follows.
To address the first challenge, in line with the position taken by the Federation of European Risk
Management Associations (hereafter referred to as FERMA) in recent official publications [1], we support
fully the ‘three lines of defence’ model. Whilst the primary responsibility for risk management in this
model resides within the first line of defence, the risk manager forms part of the second line of defence
and retains a degree of independence from frontline functions.
In response to the second challenge, whilst acknowledging that stakeholders expect risk managers to
possess sector-specific skills which are compatible to the needs, nature and complexity of the
organisation, we do not set out to prescribe these technical requirements and instead recognise that
these shall remain a function of the candidate assessment and recruitment practices of the enterprise.
Nonetheless, this guidance is intended to describe a base level of competencies for a professional risk
manager to function effectively in any sector. Should sector specific competencies also be required of a
risk manager, the requirements set out in this document should be supplemented by other
requirements relevant to that sector. Our focus therefore is on the competencies required of a
professional risk manager to deliver/oversee end-to-end enterprise risk management. The remainder of
this document describes these core attributes in more detail as follows:
● Section 3 – The Role of the Risk Manager describes the tasks associated with each role and common or likely requirements supporting the achievement of these tasks;
● Section 4 – Required Competencies outlines the competencies required of a risk manager to effectively carry out the roles described in Section 3 – The Role of the Risk Manager; and
● Section 5 – Demonstrating Competence describes ways in which these competencies can be demonstrated to third parties by risk managers.
[1] E.g. Guidance on the 8th EU Company Law Directive or FERMA/ECIIA Audit & Risk Committee Best Practices, available at
http://www.ferma.eu/about/publications/eciia-ferma-guidance/
We have consciously excluded competencies associated with certain specialist activities often forming
part of the risk manager’s role, such as hedging, insurance purchasing and claims management.
2. Key Definitions
Whilst the word risk derives from the ancient Arabic “rizq”, which like the Maltese word “risq” refers to
gains and blessings, today risk is often understood to mean the possibility of adverse consequences. ISO
31000 defines risk as the ‘effect of uncertainty on objectives’. This is a working definition which we prefer,
as it ties risk to an enterprise’s aims and is neutral between the upsides and downsides of potential
outcomes.
In many cases the optimal arrangements for a risk function will comprise more than one individual.
This team may even include individuals from outside the enterprise. We have not taken a view on what
type of arrangements are best. For the purposes of this document we have used the term ‘risk manager’
even where, in practical terms, it refers to a risk function; the two may be read interchangeably. For the sake of consistency,
for the rest of the document we have used the term ‘enterprise’ to describe any public or private body or
organisation.
3. The Role of the Risk Manager
ISO 31000 describes the constituent elements of the process of risk management (sometimes referred to
as the 7 “Rs”) as follows:
1. Recognition or Identification of Risk
2. Ranking or Evaluation of Risk
3. Responding to Significant Risks
4. Resourcing Controls
5. Reaction Planning
6. Reporting & Monitoring Risk Performance
7. Reviewing the Risk Framework
We have mapped the above process elements to risk manager ‘roles’ as follows.
Risk Manager Role          Reference to the 7 ‘Rs’ listed above
Define Risk Architecture   7
Risk Assessment            1 & 2
Risk Response              3 – 5
Monitoring & Reporting     6
In addition to the above, we consider ‘Managing Risk Culture’ to be a central role of the risk manager.
Below we have described the tasks and requirements associated with each of these five roles in more
detail.
3.1. Define Risk Architecture
Defining or redefining the enterprise’s risk architecture follows on from an understanding of its
strategic objectives and the threats and opportunities surrounding the execution of this strategy. In
order to design an effective risk architecture, a risk manager must understand the enterprise’s internal
processes and activities so as to be able to develop a well-defined enterprise risk framework supported by
a methodology and suitable tools which complement the nature, scale and complexity of the enterprise
as well as the maturity of its risk culture. A risk management policy which takes full consideration of the
enterprise’s risk appetite is likely to be an important component of the overall risk architecture.
Having expertise in the strategic aspects of risk, it is likely that the risk manager will take on a leading
role in supporting the Board and/or senior management in establishing and maintaining a suitable risk
architecture. This does not only involve developing a sound risk framework and common risk taxonomy
across the organisation but also ensuring an appropriate organisation within the first, second and third
lines of defence where objectives are aligned to the overall risk strategy of the organisation. Securing an
effective risk architecture requires risk awareness at all levels of the organisation particularly at the level
of the Board of Directors and Senior Management and appropriate steering and oversight from the
enterprise’s governing bodies.
Likely requirements supporting the achievement of these tasks:
● Build an understanding of the enterprise including its culture, history, the environment in which it operates (e.g. competition, technological development) and the objectives and constraints of the enterprise and its segments;
● Define the objectives of the risk manager within this context;
● Define the objectives and the scope of the risk management policy;
● Select a suitable risk management framework and develop a supporting implementation plan;
● Develop strategies in relation to risk assessment, risk response (including the principles guiding alternative risk response strategies for the enterprise: termination, tolerance, treatment, transfer), risk monitoring and risk reporting;
● Identify the roles and responsibilities of the company’s employees in the context of risk management;
● Identify required resources;
● Secure approval for the risk management framework from the enterprise's governing bodies / senior management and for required resources;
● Communicate risk management policy and supporting architecture to stakeholders;
● Implement the risk management framework;
● Provide ongoing awareness training to participants in the risk governance organisation and to top management;
● Provide methodological approaches in the identification and evaluation of risks linked to new strategic orientations;
● Adapt plans/arrangements resulting from changes within the enterprise and its environment.
3.2. Risk Assessment
Risk assessment comprises the identification, analysis and evaluation of risks pertaining to the
enterprise. It involves the use of suitable tools to facilitate a process of anticipating relevant
opportunities and risks at all levels within the enterprise.
It includes a process of analysis to classify and evaluate risks, so as to ensure suitable prioritisation and
validation of initial risk evaluations by relevant stakeholders.
Likely requirements supporting the achievement of these tasks:
● Define the risk universe for the enterprise;
● Define and make use of a common risk taxonomy so as to achieve a shared understanding of risks and how to assess them. For example, ensure that the difference between inherent and residual risks is defined and understood;
● Identify the tools and techniques to be used to identify both opportunities and threats;
● Facilitate risk identification exercises;
● Create a specific scale against which the probability and impact of risks can be measured, feeding into a risk register, and determine the tools and techniques to be used to estimate the probability and impact of identified risks;
● Determine when expert assistance is required;
● Evaluate inherent and residual risks. Identify root causes of these risks;
● Communicate to relevant stakeholders how the risk assessment exercise has been carried out and relevant findings; and
● Provide strategic insights to the enterprise based on the work carried out and obtain feedback.
3.3. Risk Response
Risk response involves dealing with significant identified risks. The acceptability or otherwise of
identified risks can be determined by comparing assessed risks with the enterprise’s defined risk
appetite. Risk response then involves the risk manager providing assistance to the enterprise in the
implementation of suitable risk mitigation strategies bearing in mind the root cause of the risk and the
costs associated with the available risk response strategies.
Risk treatment measures can include implementing control measures to reduce the likelihood of the
realisation of a risk event or measures to reduce the impact should the risk occur. Part of the risk
manager’s role is to ensure that planned risk response measures are put in place.
Likely requirements supporting the achievement of these tasks:
● Ensure that there is named ownership for all significant risks;
● Develop an arsenal of potential risk mitigation strategies. Suggest suitable risk treatment solutions to address specific risks;
● Assist with the evaluation of the effectiveness and efficiency of specific risk mitigation plans (e.g. helping with budgeting and drawing in expert resources as required);
● Define jointly, with each risk owner, a timetable for the implementation of action plans;
● Participate in drawing up risk prevention plans;
● Participate in drawing up business continuity plans;
● Support the implementation of risk treatment measures (e.g. carry out risk awareness training); and
● Present consolidated action plans to stakeholders.
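The scoring, prioritisation and appetite comparison described in Sections 3.2 and 3.3 (probability and impact scale, risk register, inherent versus residual risk, named ownership, the four response strategies), worked through as an added Python example that is not part of the MARM guidance. It assumes constructed 5-point probability and impact scales, a constructed residual-score appetite threshold of 6, treatment controls that reduce scores by whole points, and a fictional sample register; the document prescribes none of these.

```python
"""Added example: a minimal risk register that scores inherent and residual risk,
compares residual risk against a stated appetite and flags register gaps.
All scales, thresholds and sample risks below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed 5-point scales; the guidance leaves the actual scale to the enterprise.
PROBABILITY_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# The four response strategies named in Section 3.1.
RESPONSE_STRATEGIES = ("terminate", "tolerate", "treat", "transfer")


@dataclass
class Control:
    """A treatment measure: reduces the probability and/or impact score by whole points."""
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    ref: str
    description: str
    owner: Optional[str]          # named ownership is a requirement in Section 3.3
    probability: int              # inherent, 1..5
    impact: int                   # inherent, 1..5
    response: str = "tolerate"
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        if self.probability not in PROBABILITY_LABELS or self.impact not in IMPACT_LABELS:
            raise ValueError(f"{self.ref}: probability and impact must be on the 1..5 scale")
        if self.response not in RESPONSE_STRATEGIES:
            raise ValueError(f"{self.ref}: unknown response {self.response!r}")

    def inherent_score(self) -> int:
        return self.probability * self.impact

    def residual_scores(self) -> Tuple[int, int]:
        """Probability and impact after controls, floored at 1 (a risk never vanishes entirely)."""
        p = max(1, self.probability - sum(c.probability_reduction for c in self.controls))
        i = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return p, i

    def residual_score(self) -> int:
        p, i = self.residual_scores()
        return p * i


def within_appetite(risk: Risk, appetite: int) -> bool:
    """Acceptability test from Section 3.3: compare the assessed (residual) risk with the appetite."""
    return risk.residual_score() <= appetite


def rank_register(register: List[Risk]) -> List[str]:
    """Prioritise: highest residual first, ties broken by inherent score, then by reference."""
    ordered = sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.ref))
    return [r.ref for r in ordered]


def register_exceptions(register: List[Risk], appetite: int) -> List[str]:
    """Gaps a risk manager would raise with risk owners before reporting."""
    issues = []
    for r in register:
        if not r.owner:
            issues.append(f"{r.ref}: no named owner")
        if not within_appetite(r, appetite) and r.response == "tolerate":
            issues.append(f"{r.ref}: residual {r.residual_score()} exceeds appetite {appetite} "
                          f"but response is tolerate")
        if r.response == "treat" and not r.controls:
            issues.append(f"{r.ref}: response is treat but no control measures are recorded")
    return issues


# Constructed sample register for a fictional enterprise.
APPETITE = 6  # residual score at or below this is acceptable (constructed threshold)
SAMPLE_REGISTER = [
    Risk("R1", "Loss of key supplier", "COO", probability=3, impact=4, response="treat",
         controls=[Control("Second-source agreement", probability_reduction=2)]),
    Risk("R2", "Data centre fire", "CIO", probability=2, impact=5, response="transfer",
         controls=[Control("Property insurance", impact_reduction=3)]),
    Risk("R3", "Minor regulatory fine", None, probability=3, impact=2),
    Risk("R4", "Currency swing on export sales", "CFO", probability=4, impact=3),
    Risk("R5", "Untested new product line", "CEO", probability=4, impact=4, response="treat"),
]

if __name__ == "__main__":
    by_ref = {r.ref: r for r in SAMPLE_REGISTER}
    for ref in rank_register(SAMPLE_REGISTER):
        r = by_ref[ref]
        p, i = r.residual_scores()
        status = "OK" if within_appetite(r, APPETITE) else "ABOVE APPETITE"
        print(f"{ref} inherent={r.inherent_score():2d} residual={r.residual_score():2d} "
              f"({PROBABILITY_LABELS[p]}/{IMPACT_LABELS[i]}) {status}")
    for issue in register_exceptions(SAMPLE_REGISTER, APPETITE):
        print("exception:", issue)
```

Running the script ranks R5 and R4 above the appetite line and reports three exceptions: R3 has no named owner, R4 sits above appetite with a "tolerate" response, and R5 is marked "treat" without any recorded control. Scoring residual risk as probability times impact after whole-point control reductions is one common convention; an enterprise's own scale and appetite statement take precedence.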
3.4. Risk Monitoring & Reporting
Monitoring should be a planned part of the risk management process and involve regular checks on
recognised risks. Effective monitoring ensures that risk management activities are delivering expected
results and supports continuous improvements in overall risk management.
Similarly, reporting should support the overall risk management framework, providing timely
communication to relevant stakeholders which is well understood so as to support sensible decision-making.
Likely requirements supporting the achievement of these tasks:
● Define and apply risk monitoring indicators which are relevant to measuring the implementation and effectiveness of risk management measures;
● Establish suitable tools (e.g. risk monitoring dashboards) to communicate results of risk monitoring indicators, risk scoring and changes in the overall risk profile of the organisation resulting from developments in business strategy or external events;
● Define the role and operating procedures of Risk Committees or similar bodies receiving risk reporting;
● Establish an appropriate risk reporting agenda which enables risk governance forums to receive and discuss risk-relevant information and which encourages effective risk-based decision making;
● Communicate risk reporting to relevant stakeholders.
3.5. Managing Risk Culture
Risk culture represents the values, beliefs, knowledge and understanding about risk shared by a group of
people. Risk culture is influenced and/or reinforced by attitudes, incentives and behaviours within that
group, with those in leadership roles usually being particularly influential.
It is within the role of the risk manager to help an enterprise or segments within it to understand the
current risk culture, define what a healthy risk culture would look like and champion efforts to achieve
this.
Likely requirements supporting the achievement of these tasks:
● Understand the features of a healthy risk culture and symptoms of a sub-optimal risk culture;
● Improve awareness of issues related to risk culture (particularly at senior levels within the enterprise);
● Design and implement co-ordinated actions to achieve/maintain a healthy risk culture;
● Encourage open lines of communication so as to share best practices;
● Analyse risk events or near misses to identify where cultural lessons can be learnt; and
● Communicate internally examples of good and bad practices.
4. Required Competencies
The tasks and requirements of a risk manager, as set out above in Section 3 – The Role of a Risk
Manager, require a mixture of hard and soft skills.
In terms of hard skills, a risk manager should have a strong understanding of risk management and
related concepts. This includes the following broad areas:
● Business basics
● Essentials of risk management
● Risk assessment
● Risk treatment
● Risk monitoring and reporting
The ‘Body of Knowledge’ for FERMA’s rimap® certified risk management professional qualification
provides more detail and is referenced in Section 7 – Sources & Further Reading.
In terms of soft skills, we have identified the following competencies.
● Communication Skills – in addition to credible written and verbal communication skills which the risk manager can adapt to the situation and audience, the individual is capable of making a persuasive case.
● Creativity & Adaptability – the ability to approach a problem from numerous perspectives. Flexibility to propose solutions that fit the organisation.
● Cultural Awareness – understands the enterprise and the individuals working in it. Cultivates an extensive network. Appreciates potential cultural barriers to positive change. Receptive to information from diverse sources.
● Inquisitiveness – displays a suitable level of professional scepticism. Seeks corroborative evidence before accepting the validity of presented information. Prepared to challenge accepted practice or encourage alternative views in order to uncover the truth.
● Management – demonstrates strong leadership skills. Able to identify the wider implications of decisions, including the resourcing and budgetary implications.
● Integrity – displays objectivity and independence in their work and sound ethical, moral and professional conduct/judgement. As an individual of good repute, puts the interests of the profession before all other considerations and operates at all times within the parameters of what is legally and professionally acceptable.
● Organisation – shows the ability to prioritise and organise tasks effectively. Daily tasks are congruent with stated strategic objectives.
5. Demonstrating Competence
Competence can be demonstrated through a combination of experience and knowledge. The rimap®
certified risk management professional qualification is one channel through which competence can be
evaluated and maintained. We also consider the following qualifications as equivalent:
● International Diploma in Risk Management (IRM - Institute of Risk Management)
● Financial Risk Manager (GARP - Global Association of Risk Professionals)
We consider the following to be of value in demonstrating competence, but insufficient in and of
themselves to be considered of equivalent value to the rimap® qualification in demonstrating an
individual’s competence as a risk manager:
● Professional insurance qualifications
● Professional accountancy qualifications
In addition to, or in lieu of the qualifications and professional certifications cited above, a risk
manager’s experience in industry, where this covers principally all elements cited in Section 3 – The
Role of a Risk Manager, is also considered of value in demonstrating the desired level of competence.
6. Document Revision History
This document was first created by the MARM’s Educational Sub-Committee in August 2017.
It was formally approved by the MARM council on 29 November 2017.
7. Sources & Further Reading
In preparing this document, ‘The Risk Manager Framework – a professional reference tool’ authored by
AMRAE (Association pour le Management des Risques et des Assurances de l’Entreprise), which is
available at
http://www.amrae.fr/sites/default/files/fichiers_upload/RiskManagerFramework_AMRAE_2013_0.pdf
was a key source of reference. Both the content and logical format of that document were used as a
template to develop this one.
AMRAE is a French national risk management association and is a chapter of FERMA.
As referred to above in Section 4 – Required Competencies, the technical knowledge to be expected of
a professional risk manager is summarised in the ‘Body of Knowledge’ for the rimap® certified risk
management professional qualification (FERMA), an online resource available at
http://rimap-certified.org/wp-content/uploads/2016/05/Rimap-Body-of-knowledge.pdf
A risk manager should be familiar with ISO 31000 and COSO Enterprise Risk Management
frameworks. We also recommend the IRM briefings and guidance, an online resource available at
https://www.theirm.org/knowledge-and-resources/guides-aned-briefings.aspx.
These are updated regularly and the following are especially relevant:
● Risk Culture under the Microscope – Guidance for Boards – an online resource available at https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf
● A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 – available at https://www.theirm.org/media/886062/ISO3100_doc.pdf