One of the most important aspects of running a successful business is identifying, quantifying, and managing the various risks for which the company may have exposure. Failing to recognize and plan for risk can bring an end to an enterprise. For companies that deal primarily with data and information, the corporate risk profile (threats to which a company is exposed) is closely linked to cybersecurity and data protection. Risks are often related to safety and security for companies that deal mostly with physical goods and services.
Regardless of business type, there are four categories of risk that all companies must address. These, along with some of their subcategories, include:
- Market risk
  - Interest and currency exchange rates
  - The fluctuating cost of materials
  - Changing trade laws
  - Compliance regulations
- Credit risk
  - Customer defaults
  - Vendor relationships
- Operational risk
  - Employment and business practices
  - Continuity processes
  - Employee safety and security
  - Property and data protection
- Reputational risk
  - Brand perception
  - Data breach or exposure
What is a risk manager?
A corporate risk manager is involved in many aspects of the business. The risk manager position should always be an executive role in the organization. In some companies, risk management is elevated to the C-suite through the chief risk officer (CRO) role. Where the risk manager falls within the enterprise’s hierarchy is often an indication of the organization’s risk appetite, that is, its willingness to assume certain risks.
In simple terms, the role of a risk manager is to understand everything that could go wrong and what the consequences or impact on the business would be if it did go wrong. The “what could go wrong” scenarios are the threats. The “consequences or impact” of a threat is referred to as criticality.
In addition to understanding the criticality of the various threats faced by the organization, the risk manager must also understand the probability of a given threat happening to the company.
The basic formula applied by managers is Risk = Threat x Probability x Criticality. This formula can also be expressed as Risk = Threat x Vulnerability x Consequence.
To be effective, risk managers must monitor both external and internal influences that could affect their business.
Risk manager requirements, skills, and experience
While risk management careers span across all industries and organizational types, there are some skillsets and experiences that will help all risk managers be successful in their job. These include:
- Ability to objectively analyze data and information to form a big-picture view of risk
- Ability to digest detailed information to determine trends and tendencies
- In-depth knowledge of their industry, including competitors and adversaries
- Ability to communicate effectively at an executive level
- Ability to be agile and react to changes in the business environment
- Organizational and leadership skills
What do risk managers do?
In addition to understanding the organization’s risk, a risk manager defines the company’s risk appetite. This is done by developing strategies to minimize, eliminate, or transfer the risk. Some risks are minimal, either because the consequences are small or because the probability of the event is low. Those risks may simply be assumed by the company; in other words, it just takes the risk. Other risks, however, must be eliminated or transferred, typically in the form of insurance.
Threats and risk factors are quantified and communicated by the use of a risk assessment. A risk assessment is a tool used by risk management professionals to examine known risk factors and benchmark them against known probable consequences. A risk assessment is used to formulate appropriate ways to eliminate or minimize risk.
Considering threats ranging from weather and natural disasters to civil unrest and potential competitor mergers and acquisitions, risk managers must be ready to counsel company leadership on a possible course of action.
In well-staffed organizations, the risk manager may be able to rely on input from peers and subordinates, such as:
- Cyber risk specialists
- Security director
- Chief information officer
- Threat intelligence specialists
- Chief resilience officer (commonly found in municipalities)
The risk manager’s job is to evaluate input from all available sources and then quantify risks for senior decision-makers in the company. They often assist senior management in defining business strategies that avoid or mitigate risks.
Risk manager job description
The role of the risk manager is to develop and communicate risk policies for an organization. They develop risk models for each risk category: market, credit, operational, and reputational. They apply the risk formula (Risk = Threat x Probability x Criticality) to determine appropriate risk acceptance, reduction, elimination, or transference strategies.
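The following is an added example, not code from the original page: a small risk register that applies the page’s formula (Risk = Threat x Probability x Criticality) to constructed entries and maps each score to an acceptance, transfer or reduction decision keyed to a risk appetite threshold. The 1–5 scales, the appetite value and the treatment policy are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEntry:
    """One row of a risk register. Scales are constructed for this example."""
    name: str
    category: str        # market, credit, operational, reputational
    threat: int          # 1-5: capability and intent of the threat source
    probability: float   # 0-1: chance the threat materialises in a year
    criticality: int     # 1-5: impact on the business if it does
    insurable: bool      # whether the loss can be transferred via insurance


def risk_score(entry: ThreatEntry) -> float:
    """Risk = Threat x Probability x Criticality, with input range checks."""
    if not (1 <= entry.threat <= 5 and 1 <= entry.criticality <= 5):
        raise ValueError("threat and criticality use a 1-5 scale")
    if not 0.0 <= entry.probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return entry.threat * entry.probability * entry.criticality


def treatment(score: float, appetite: float, insurable: bool) -> str:
    """Hypothetical treatment policy: accept within appetite, otherwise
    transfer if insurance exists, else reduce (or eliminate) the exposure."""
    if score <= appetite:
        return "accept"
    if insurable:
        return "transfer"
    return "reduce"


def build_register(entries, appetite: float):
    """Score every entry and sort highest risk first for senior management."""
    rows = []
    for e in entries:
        score = risk_score(e)
        rows.append((e.name, e.category, round(score, 2),
                     treatment(score, appetite, e.insurable)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (not real figures)
SAMPLE = [
    ThreatEntry("customer data breach", "reputational", 4, 0.30, 5, True),
    ThreatEntry("raw material price spike", "market", 3, 0.60, 3, False),
    ThreatEntry("key vendor default", "credit", 2, 0.10, 4, True),
    ThreatEntry("office flooding", "operational", 2, 0.05, 2, True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, appetite=1.0):
        print(row)
```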
Typical duties include:
- Design and execute a risk management process
- Perform or oversee risk assessments covering all business risks
- Define the organization’s risk appetite
- Prepare and balance risk management and insurance budgets
- Define risk reporting procedures
- Communicate risk policies to stakeholders
- Create or approve business continuity plans
- Oversee company health and safety plans
- Conduct or oversee compliance audits
- Review significant contracts and proposals
A recent job description posted on a popular employment website reads as follows.
“[The company] seeks an experienced Risk Manager to join their team in New York.
In this highly visible role, the successful candidate will be responsible for monitoring and managing equity portfolio risk, scenario analysis, multi-factor modeling, and tail-risk analysis. The Risk Manager will regularly interact with portfolio managers and senior management on all equity risk-related matters.
The successful candidate will have an advanced degree in a quantitative discipline with a minimum of 5+ years of risk and/or quantitative analysis experience gained at a leading asset manager. Extensive factor modeling experience is a key requirement. Deep knowledge of fundamental equities trading strategies is key. Programming ability in Python or R strongly preferred. Clear, deliberate, and thoughtful communication skills are critical as regular interaction with the desk and senior management is an integral part of this role.”
A risk manager job description for another industry would read quite differently. Some similarities are likely to hold across industries, however. Note that deep knowledge of the fundamentals of the hiring firm’s business is expected; this requirement applies regardless of the industry. Also note that communication skills and the ability to interact with senior management are required.
Certificates or Special Training Required for Risk Managers
Since an intimate knowledge of specific business nuances is desirable, the training and educational requirements for the role of risk manager will vary widely depending on industry and organizational type. There are certain certifications and training that will be valued across these industry and organizational variations. These include:
- A bachelor’s degree in business administration or management should be considered a minimum requirement
- An MBA is preferred (check out this page for information about a cybersecurity MBA)
- A law degree
- A degree in finance or economics
- Several years of previous experience in risk management
- If working in the financial services industry, the Financial Risk Manager (FRM) certification is desirable
- The Professional Risk Managers’ International Association (PRMIA) offers four risk management certificates
Outlook for risk managers
The overall outlook for risk managers is excellent. Risk management as a profession is just coming into its own. For many years, organizations addressed risk in a segmented way, where each office, branch, division, or plant manager was responsible for managing their local risks. Only over the last two decades have companies embraced the idea that an executive with company-wide authority and responsibility is needed.
Two years ago, Recruiter.com said, “The overall job outlook for risk management specialist careers has been positive since 2004. Vacancies for this career have increased by 29.04 percent nationwide in that time, with an average growth of 4.84 percent per year. Demand for Risk Management Specialists is expected to go up, with an expected 11,760 new jobs filled by 2018. This represents an annual increase of 0.95 percent over the next few years.”
How much do risk managers make?
According to salary.com, “The average risk manager salary in the United States is $111,765 as of May 28, 2020, but the range typically falls between $96,890 and $127,934. Salary ranges can vary widely depending on many important factors, including education, certifications, additional skills, and the number of years you have spent in your profession.”
The Bureau of Labor Statistics combines risk managers with other categories of financial managers, and salaries of risk management employees depend on the field or business in which they’re employed.
- Median annual salary: $127,990
- Top 10 percent annual salary: More than $208,000
- Bottom 10 percent annual salary: Less than $67,620
It should be noted that compensation packages for risk managers frequently outperform financial managers’ averages in general. Those employed in this profession may earn bonuses and commissions in addition to salaries and may even receive profit sharing.
Payscale.com lists the average risk manager salary at $86,840, but the location will invariably make a significant difference in overall compensation.