First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

The essential competencies of an effective risk officer

risk officerI recently sparred gently with a good friend, a respected and influential risk practitioner and thought leader, about the key competencies necessary for a risk officer to be effective.

He listed “probability theory, statistics foundations, risk perception and cognitive biases, decision theory and corporate finance”, saying that “without these competencies risk managers are useless to the business”.

Here’s an interesting piece on the question: What competencies should risk managers outside of banks and insurance companies really have?

My response was:

I would put these competencies first:

  1. Knowledge of the business
  2. Understanding of the goals and objectives of the organization
  3. Communication and teamwork skills
  4. Empathy
  5. Common sense and judgment
  6. Understanding of performance management

While for some situations, especially where a key decision is needed and multiple possibilities (and multiple effects) need to be carefully analyzed, quant methods such as modeling and Monte Carlo simulation are essential. But for many others, I can be quite comfortable with the use of informed and considered judgment. (Note that I emphasize informed and considered.) I especially like cross-functional workshops.

My friend responded, “I personally don’t see risk management without proper quants. Just talking about risks is insufficient for complex objectives, projects or decisions”.

I said, “I think it all depends on the business and how it operates. For example, how much math and statistics do you need in a retail business, an IT service provider, a consulting organization, or one that manages construction projects?”

Another friend (a venture capitalist) chimed in: “I think we can all agree that very few successful business executives are dumb. I find that many executives are constantly ‘rolling dice’ in their heads and doing back of napkin analysis that helps them make decisions to ‘win 3 ways and only lose 1 way’ and the like. This, too, is a sort of low fidelity math that operates in a world of the truly unknown future”.

But he also said: “Virtually every business I invest in or operate has at least one ‘mathematical model’ that is central to the organization. I only use Monte Carlo simulations for investment decisions (investments in companies and in technology systems for companies).”

My reply was: “Thanks – that jives with my experience. There are some situations that merit quant methods and some that don’t really. The former are dominant in financial services, less so in other business sectors.” I continued: “PS – you simply cannot model every risk! The organization would come to a halt, as risk is taken with every decision.”

I had asked my first friend how often he used quant techniques in his own business. He replied:

“Only for the decisions that justify risk modelling (high uncertainty, high materiality). And it’s not modelling individual risks, it modelling the effect risks collectively have on a decision or objective.”

That pretty much tied up the discussion. (I totally agree with his last point).

But, on reflection the ability to facilitate a cross-functional discussion would have been among my top competencies

But the top four competencies I shared with my friend remain my top four, as illustrated by a couple of stories in World-Class Risk Management.

… A. T. Kearney … captured this when they told this story:

A risk manager is overheard at a recent intra-departmental meeting: “The Basel II second pillar requires that we focus on the ICAAP, and it is inherent that the board of the bank fulfill their obligations in this respect and that sufficient oversight is provided by the SREP…” at which point many of the participants have no idea what the risk manager is talking about, but they are too afraid to ask questions so they nod their heads in polite agreement and hope no one will ask them for their personal opinion.

In World-Class Internal Auditing: Tales from my Journey, I tell a story of my own:

I once gave a presentation at a risk management association conference. Afterwards, the president of the association asked to sit with me over lunch as he had a problem he thought I could help with.

He told me that while he reported directly to the CEO, he always found it difficult to get time with him. When he was able to arrange a meeting, the CEO seem to lack interest in what he was saying and was reluctant to act on his recommendations.

As this gentleman was speaking, I realized the problem. I didn’t want to listen to him either, because he was boring! He spoke in a monotone without any passion in his voice, and used technical rather than business language.

If I didn’t want to listen to him over lunch, how could I expect a busy CEO to want to listen?

When management doesn’t find time to talk to you, or starts looking out the window as you are speaking, it’s not a management problem. You are most likely the problem!

We need to talk in the language of the business about things that matter to the business, and make sure the individual we are talking to understands how they affect him.

Let me close with one challenging idea.

Who should run these models?

Should it be the risk officer, or the individual responsible for the strategy, project, or plan?

I actually favor the latter!

So what do you think?

What are the top competencies for success for a risk officer?

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , , , ,

Comments are currently closed.