“When seeking advice from the risk manager, the CEO expects a different frame of reference than their other managers can provide. CEOs are particularly interested in threats to business strategy, potential disruptions to relationships with top customers and how leading-edge new issues affect their organization.

“CEOs aren't interested in just having problems dumped on them, so the risk manager's advice needs to include feasible mitigation steps. Perfection isn't practical, so help the CEO get to 'good enough.' Don't cry wolf or try to eliminate all risk.

“One of the challenges of giving advice to the CEO is the difference in perspective. Risk managers need to be able to understand and anticipate issues from the CEO's point of view—and to understand their own knowledge limitations so that they know when to fill in gaps.

“When raising issues, be highly selective and balance risk against return. Always go beyond insurance—even though the risk manager must be the insurance expert. Demonstrate the quality expected of a senior executive. And never self-glorify.

“CEOs won't spend much time with risk managers who aren't able to effect change. So if risk managers want to be engaged, they need to earn operational influence and credibility and be the person that the CEO's immediate subordinates mention when business risks get discussed.”

Ron Cooley
Director of Risk Management
W.W. Grainger Inc.

“The reality is that understanding insurance is not going to be particularly relevant to senior management—understanding risk is,” observes Cooley, whose Lake Forest, Ill.-based company is a Fortune 500 industrial-supply company.

“They expect you to be the insurance expert; what you have to demonstrate is that you're an expert in knowing and understanding [the company's] business.”

That includes staying ahead of the curve where a company's potential business threats are concerned and planning for those scenarios, “as opposed to reacting to the things that have already happened,” he says.

Cooley stresses that keeping the boss informed is key, a point sometimes overlooked by other RMs. “I often hear from my peers about changes that occurred that [C-suite members] weren't aware of, or that they were the last to know,” he notes.

When he started with Grainger, Cooley says, “I had to understand what made the company successful and what the things were that we absolutely had to continue.”

Grainger buys products from 3,000 different suppliers and sells them to two million different businesses. So a large part of what Cooley manages is the Product Liability risk of selling such an enormous number of products to a wide variety of customers.

Apparent to him from the beginning, says Cooley, was the company's emphasis and focus on qualifying its suppliers, partnering with the right people, and seeing that controls and compliance efforts were in place.

The company's emerging challenges? “Our e-commerce platform is the fastest-growing part of our business,” he notes. “As we sell more and more products online, we're dealing with more risks associated with the online distribution of products and different customer expectations. Cyber security and cyber liability are becoming far more relevant to us.”

Part of dealing with the C-suite, Cooley says, is regularly keeping them abreast of these and other developments: “A big part of what I do is to appear each year in front of the audit committee of our board. A big part of that discussion and presentation is how the business has changed in the last 12 months and what has been done to adapt to that change. A lot of risk managers, unfortunately, don't have that level of visibility.”

A word of caution, however: Always be prepared. “The last thing you want to do is to go into one of those meetings and have somebody surprise you with something that you weren't aware of, weren't thinking about and hadn't adequately addressed from a risk-management standpoint,” he adds.

Cooley says that a big part of the discussions with senior management and the board is assuring them that “risk management knows how this business has changed and evolved—and then showing them these are the things we've done within risk management to address those changes.”

Risk managers who can do this, he says, will be effective and will be involved with projects on the front end, “as opposed to hearing about things on the back end.

“The true measure of success is when senior management asks, 'Have you gotten risk management involved?' That's what we're all striving for. And the great thing is when the people on the other side of the table say, 'Oh yes, they've been involved and they understand exactly what we're doing.'”

Richard Rabs
Vice President/Claims & Risk Management
Veolia Transportation

At Rabs' company, a Lombard, Ill.-based private provider of public transportation, operating buses, trains, taxis and shuttles, the risk-management team of eight is fortunate to be part of the larger finance group.

“So our team is known to the C-suite,” says Rabs. “We're there through the entire process. When bad news happens, that's when we go to work, and they understand that.”

To make the most out of his interactions with top executives, he says, there are several points to consider. For one, “it's important to know your audience.”

Rabs has worked with several different CEOs over the years. “Some want to be in the thick of things,” he says. “Others just want to know about [an incident] at a high level, but don't want to get as involved. Knowing this helps in the delivery of information.”

Rabs, who reports to the chief financial officer, says his department publishes weekly and monthly reports to keep the C-suite informed about potential impediments to its bottom line.

“You don't want to surprise your boss,” he says. Whether it's news about being over budget or under budget, he adds, “let the boss know.”

When a problem does need to be presented, solutions should be ready as well. Again, know your audience. “Some bosses like to be the solutions guy, others don't,” says Rabs. “At the level we're playing at, if they have to come up with all the solutions, we don't belong there.”

Rabs also notes the importance of carefully listening to the suggestions of the CEO or the company board. “Nobody has an exclusive on good ideas,” he says, adding that on several occasions the CEO's response has been “that he's seen the situation before” and can offer excellent advice based on that experience.

Rabs adds that risk managers also should be careful not to become pegged as the “insurance guy” or the “claims guy.”

Michael Liebowitz
Director/Risk Management and Insurance
New York University
Member of NU's Risk Managers Advisory Board

“The CEO wants to know that the operation is protected, that we know about all of the issues that can affect the operation, and that the organization has implemented or is developing mitigation strategies.

“And the biggest [risk-management issue for CEOs] is that the long-term goals and vision for the organization can be met within a controlled risk tolerance.

“The way I handle it is by understanding the vision the senior management team has developed for an organization: What is on the long-range horizon, three to five years out? Where do we want to go? What new business units are we going to operate?

“Then I get inside their heads and try to figure out the potential areas of exposure that exist in developing these new business strategies. [Next] I do an analysis and then create the mitigation strategy and come up with a risk tolerance for that business unit.

“This would then be fed back to the senior management team and the CEO. So when they are ready to go ahead, it's ready and we've done all our research.

“We then have a road map that does not have potholes in it. We don't want to fall into the unexpected. We want to minimize the unexpected and manage the expected.

“The most difficult part is getting in front of senior management. They have to believe the risk-management program is important enough to the organization.”

Liebowitz's suggestions for getting the C-suite to seek out insight from the risk team?

“This is an evolutionary process. Develop a strong risk-management program and progress that into an enterprise-risk program, which has the risk map of the organization as it exists today. Now move it along to a strategic-risk program that has all of this built into it.”

It's at the level of strategic risk, Liebowitz says, where the CEO needs and wants to engage.

“Depending on how the message is delivered, some may see the risk manager as a blockade to the organization,” he adds. “We don't want to be seen as a blockage to the future of an organization but as a partner in business development.”

Tim East
Director of Corporate Risk Management
The Walt Disney Co.
Member of NU's Risk Managers Advisory Board

“CEOs are looking for risk managers who are thinking strategically about how they can support the overall objectives of the organization—way beyond just structuring an insurance program, protecting against volatility or even reducing overall costs. 

“The risk-management function must work with every division to sustain existing operations, facilitate growth and support new business opportunities.

“We need to shift from a functional and transactional emphasis, which typically focuses on narrow roles and processes. This tends to be reflected in descriptions of risk management such as 'the insurance department does…' or 'we execute the following processes each year.'

“CEOs expect the risk-management team today to have an agenda of initiatives, projects and active support for the operating businesses; to be finding solutions to problems; and to be more efficiently managing a wide array of risks.”

Sarah E. Pacini
Vice President/Risk Management and Insurance
Advocate Health Care
Member of NU's Risk Managers Advisory Board

“Take a breath before automatically saying 'no' [to a course of action that may be considered risky]. The risk manager needs to identify concerns with a particular option and clarify those for the executive-management team.

“There is a time to say no, but before jumping to that as the option, try to find solutions to appropriately get to the same target, which is to point out the risks and overcome or minimize them.

“It also doesn't hurt in today's environment to quantify the value that risk management brings to the table, since everyone is looking at the bottom line. Right now it's very important to specify the cost savings risk management provides—it's not necessarily a revenue-generating department, but it is a cost-savings department.

“In my industry we talk about patient safety and cost savings, particularly from Hospital Professional Liability insurance and risk-reduction strategies that are taken at all of our sight levels. It's about the prevention of lawsuits.

“Our executive-management team wants to see the quantitative, but we also need to show the lack of litigation. We're preventing injuries [and the associated costs], whether workers' comp-driven or professional liability-driven. It's important to quantify that for your executive management team.”