So you want to be an En­ter­prise Risk Of­fi­cer?

Navin Pas­richa, a former chief risk of­fi­cer of a bank, an­swers some se­ri­ous ques­tions for those con­sid­er­ing a ca­reer in risk man­age­ment.

Insurance - - FEATURE -

Risk man­age­ment has been on the cor­po­rate agenda in Malaysia for some twenty years, but it is only now that the job of a risk man­ager is be­ing looked at as a se­ri­ous ca­reer choice. The slow up-take has partly been be­cause not ev­ery­body un­der­stands what a risk man­ager ac­tu­ally does. This is a pity be­cause a risk man­age­ment ca­reer can be ex­cit­ing, men­tally chal­leng­ing and also re­mu­ner­a­tively re­ward­ing – many would con­sider this an ideal job mix.

So what does a risk man­ager do?

Like all pro­fes­sions, risk man­age­ment has var­i­ous lev­els and it does dif­fer from in­dus­try to in­dus­try. The fi­nan­cial in­dus­tries such as bank­ing and in­surance are con­sid­ered to be pioneers in terms of risk method­olo­gies and by and large they do pay their risk pro­fes­sion­als bet­ter than other in­dus­tries, so let’s start with a look at what the Chief Risk Of­fi­cer or CRO of a bank is re­spon­si­ble for. Usu­ally, the CRO will report to the Risk Man­age­ment Com­mit­tee of the Board. The CRO’s job is to keep this com­mit­tee in­formed about ex­ist­ing and emerg­ing risks and to help the com­mit­tee mem­bers to de­cide on strate­gies that will im­pact the risk pro­file of the bank. This in­cludes in­vest­ment and pric­ing strate­gies which are at the core of the busi­ness. To do this ef­fec­tively, the CRO must be abreast of all types of bank­ing risks rang­ing from credit, op­er­a­tional, liq­uid­ity and mar­ket risks to po­lit­i­cal, rep­u­ta­tion and IT risks. This is a very broad re­spon­si­bil­ity and so the CRO is usu­ally sup­ported by staff mem­bers who are ex­perts in each of the risk cat­e­gories such as credit risk. The CRO is in­volved in all ma­jor strate­gic de­ci­sions in or­der to pro­vide risk ad­vice and he also keeps a mon­i­tor­ing brief on less sig­nif­i­cant risks and ad­vises when poli­cies, pro­cesses or or­gan­i­sa­tional struc­tures should be changed in or­der to man­age the risk pro­file of the bank in a par­tic­u­lar way. How rel­e­vant are re­port­ing lines for risk man­age­ment? In banks and in­surance com­pa­nies, the CRO is usu­ally in­de­pen­dent of the CEO and re­ports di­rectly to the Risk Com­mit­tee of the Board. This in­di­cates

the level of im­por­tance given to the CRO job in fi­nan­cial in­sti­tu­tions. In a bank the only other per­son who usu­ally re­ports to the Board di­rectly is the CEO and the Chief Au­di­tor. All other busi­ness and de­part­ment heads would report to the CEO. Look­ing a lit­tle deeper, this re­port­ing line which gives the CRO a great deal of in­de­pen­dence is de­signed to en­sure that within the fi­nan­cial in­sti­tu­tion there is a strong coun­ter­bal­ance to the mar­ket­ing-ori­ented heads of the busi­ness in­clud­ing the CEO. This en­sures that risk is al­ways ex­am­ined and prop­erly man­aged when busi­ness de­ci­sions are be­ing taken. In other words if you want your risk ca­reer to lead to a CRO po­si­tion, you must de­velop the char­ac­ter and per­son­al­ity to be able to en­ter into a con­struc­tive part­ner­ship with the CEO, but when needed you must also be able to stand up to the CEO and ques­tion plans and ac­tions. In­deed, when join­ing a com­pany in a risk man­age­ment unit es­pe­cially out­side the fi­nance in­dus­try, it is im­por­tant to un­der­stand the re­port­ing lines, be­cause they will help you to gauge the se­ri­ous­ness with which the com­pany takes risk man­age­ment. If the head of risk man­age­ment re­ports to say the Head of Fi­nance or as I have some­times seen, to the Com­pany Sec­re­tary, then th­ese jobs are to be avoided as the job scope will be very lim­ited and the func­tion prob­a­bly does not carry too much weight. This type of re­port­ing line is a sig­nal that risk man­age­ment may be un­der­taken as mat­ter of com­pli­ance rather than as a busi­ness im­per­a­tive. There is a fa­mous quote from a risk man­ager of a bank in the UK, which il­lus­trates the frus­tra­tion you could be fac­ing if the re­port­ing lines for risk are not ap­pro­pri­ate. Dur­ing the re­cent fi­nan­cial cri­sis, Paul Moore, a former risk man­ager at HBOS, gave writ­ten ev­i­dence to a Trea­sury com­mit­tee1 in which he said, that HBOS had “a cul­tural in­dis­po­si­tion to chal­lenge” and that the task of “be­ing a risk and com­pli­ance man­ager … felt a bit like be­ing a man in a row­ing boat try­ing to slow down an oil tanker”. Due to the preva­lence of the sales cul­ture in HBOS, Moore sug­gested that the, “bal­ance and sep­a­ra­tion of pow­ers was just far too weighted in favour of the CEO and their ex­ec­u­tive” and al­leged that his team had been sub­ject to “threat­en­ing” be­hav­iour dur­ing the course of its risk com­pli­ance. Moore was

...the CRO must be abreast of all types of bank­ing risks from credit, op­er­a­tional, liq­uid­ity and mar­ket risks and also po­lit­i­cal, rep­u­ta­tion and IT risks.

dis­missed by HBOS in 2004 and he sued for un­fair dis­missal. If you want to do your job right, then you want to make sure that the re­port­ing lines in your cho­sen com­pany are such that you will be al­lowed to do your job right. Which in­dus­tries are the hard­est for the risk man­ager? In terms of com­pa­nies which are the best and most dif­fi­cult in­dus­tries to work in from a risk man­ager’s per­spec­tive, there are prob­a­bly a few con­tenders for the eas­i­est in­dus­try, but one of the most dif­fi­cult has to be the in­surance in­dus­try. There are a few rea­sons for this, but mainly it is be­cause of the in­dus­try’s close as­so­ci­a­tion with risk. Af­ter all, the whole busi­ness model of in­surance is to be able to cost and to price risk; so the as­sump­tion or sub­con­scious at­ti­tude of many in­surance man­agers is that they are ex­perts in risk man­age­ment and they will of­ten be at log­ger­heads with en­ter­prise risk or busi­ness risk man­agers. In­surance prac­ti­tion­ers are ex­perts at pre­dic­tion, cost es­ti­ma­tion and pric­ing of risk cer­tainly, but that does not mean they know the best strate­gies to re­duce or man­age risk in the busi­ness world – that is what the risk man­ager does. Once over this cul­tural hump, how­ever, in­surance com­pa­nies can be just as good em­ploy­ers of risk man­agers as any other in­dus­try. What risks do you really man­age if you are not the CRO? Not ev­ery­body en­ter­ing the risk man­age­ment field will start off as a CRO, so what are the func­tions of

In­surance prac­ti­tion­ers are ex­perts at pre­dic­tion, cost es­ti­ma­tion and pric­ing of risk cer­tainly, but that does not mean they know the best strate­gies to re­duce or man­age risk in the busi­ness world.

other mem­bers of a risk man­age­ment unit? The level of se­nior­ity and risk ex­pe­ri­ence tends to de­ter­mine the type of busi­ness risk you are likely to be al­lowed to man­age. There are many ways to cat­e­gorise risk, and im­pact is one of those. In terms of im­pact, there are four lev­els of risk: 1. In­dus­try level risks – th­ese are risks which ev­ery­body in the in­dus­try faces, such as in­ter­est rates in the bank­ing in­dus­try or CPO price fluc­tu­a­tions in the plan­ta­tions in­dus­try. 2. Strate­gic Risks – th­ese are risks which are of the com­pa­nies own mak­ing and arise only be­cause of a par­tic­u­lar strat­egy be­ing fol­lowed, they would not oth­er­wise ex­ist. 3. Process level risks – Th­ese are risks which ex­ist in ev­ery process – usu­ally low-im­pact low­cost er­rors and op­er­a­tional fail­ures. For in­stance, a food pro­cess­ing com­pany knows there is a risk of wastage – it is only a mat­ter of how much and at what cost. 4. Cat­a­strophic risks – th­ese are risks which if they crys­tallise could wipe out the whole or­gan­i­sa­tion or a very large part of it. So for a one-ship ship­ping com­pany, the sink­ing of that ship would be cat­a­strophic. 5. Project risks – th­ese are risks as­so­ci­ated with spe­cific projects that are be­ing un­der­taken or are planned by the or­gan­i­sa­tion. Of th­ese lev­els of risk, the in­dus­try level risks, the strate­gic risks, cat­a­strophic risks and some project risks will most likely be han­dled by the CRO or se­nior man­age­ment team within a risk group. The process level risks and some project risks will be han­dled on a day-to-day ba­sis by the less ex­pe­ri­enced. This is be­cause process level risks lend them­selves to risk man­age­ment by process and so can be mon­i­tored in a dis­ci­plined way. Risk man­age­ment tech­niques are less a mat­ter of knowl­edge and more a mat­ter of ex­pe­ri­ence. And as they say, it takes ten years to get ten years’ ex­pe­ri­ence. When look­ing at process level risks, you es­sen­tially have to ap­ply the stepped ap­proach to risk man­age­ment. The steps are – iden­tify, value, de­cide whether to re­duce the risk cost, ap­ply man­age­ment tech­niques, mon­i­tor and report, and then fi­nally re­peat the process. What con­tri­bu­tion to the busi­ness do risk man­agers make? There is a com­mon im­pres­sion that risk man­age­ment is a de­fen­sive strat­egy. With this view, risk is seen as a neg­a­tive event, such as a fire or fraud that might hap­pen and which has to be guarded against. Risk man­age­ment does in­deed have a large part to play as a de­fen­sive mech­a­nism. How­ever, if this is the only per­spec­tive that a busi­ness takes, then it is los­ing out on the ben­e­fits of the op­po­site view that risk is a pos­i­tive re­source in busi­ness. The most ef­fec­tive route is a balanced one that lever­ages risk man­age­ment as both a de­fen­sive mech­a­nism and, in other cir­cum­stances, a method of op­ti­mis­ing profit and growth op­por­tu­ni­ties.

Risk man­age­ment tech­niques are less a mat­ter of knowl­edge and more a mat­ter of ex­pe­ri­ence. And as they say, it takes ten years to get ten years’ ex­pe­ri­ence.

It is pos­si­ble to turn risk into op­por­tu­nity and to make op­por­tu­ni­ties more achiev­able by man­ag­ing some of the risks that sur­round them. There is no bet­ter way to ex­plain this than through some real ex­am­ples:

Real success sto­ries

In 2003, the food in­dus­try was go­ing through a par­tic­u­larly rough patch all around the world. Mad cow disease, avian flu and rock­et­ing freight costs be­cause of ten­sions in the Mid­dle East, had hit the prof­its of many food giants. An ex­cep­tion to this was the food in­dus­try and agri-busi­ness multi­na­tional group, Bunge. Bunge op­er­ates in some 30 coun­tries and em­ploys around 25,000 peo­ple. That com­pany was show­ing grow­ing prof­its, di­rectly against the trend of its com­peti­tors. In fact Bunge re­ported a fourth quar­ter growth of some 4% in prof­its for 2003 when most oth­ers were re­port­ing steeply de­clin­ing prof­its. In ex­pla­na­tion, Bunge’s chief ex­ec­u­tive of­fi­cer at the time, Alberto Weisser, had this to say, “… com­pet­i­tive freight pric­ing, locked in as part of our risk man­age­ment pro­grammes, helped off­set cur­rent record freight rates.” Ob­vi­ously, Bunge had fore­seen the risk of in­creas­ing freight costs and there­fore fixed rates in ad­vance as a sta­bil­is­ing strat­egy. Other com­pa­nies who left their freight costs to the va­garies of de­mand and sup­ply alone lost out. They had de­cided to gam­ble rather than proac­tively man­age their risks and they lost the gam­ble. The prac­tice that many com­pa­nies have of in­vest­ing in their sup­pli­ers is an­other ex­am­ple of a strate­gic risk man­age­ment move to re­duce sup­ply risk. Com­pa­nies with a high de­gree of ver­ti­cal in­te­gra­tion are the ul­ti­mate ex­am­ple of this. For in­stance, the one-time Aus­tralian re­tail gi­ant Coles Myer was of­ten at the mercy of dairy pro­duc­ers for milk sup­ply into their food su­per­mar­kets. Any milk short­ages have an im­me­di­ate im­pact not only on milk sales but on sales of al­most all other food items, be­cause many cus­tomers in Aus­tralia ac­tu­ally go into a su­per­mar­ket for the pur­pose of buy­ing milk and their other pur­chases are com­ple­men­tary. Partly as a hedge against the sup­ply risk of milk, Coles Myer pur­chased a dairy op­er­a­tion called Sand­hurst Dairies and thereby greatly re­duced the risk of un­re­li­able milk sup­ply.

There are good man­agers and not so good ones, risk man­agers in big com­pa­nies and in small ones so the best way to gauge re­mu­ner­a­tion is prob­a­bly in rel­a­tive terms.

How well does a risk man­ager get paid? There are thou­sands of other in­spir­ing success sto­ries. So what do risk man­agers get paid for such con­struc­tive in­put as th­ese two ex­am­ples demon­strate? There are good man­agers and not so good ones, risk man­agers in big com­pa­nies and in small ones so the best way to gauge re­mu­ner­a­tion is prob­a­bly in rel­a­tive terms. Th­ese rel­a­tiv­i­ties are not based on any sur­vey but are im­pres­sions from re­cruit­ment ex­er­cises. A good CRO will get paid as much as ev­ery­body else that is just one step be­low the CEO. This would be se­nior gen­eral man­agers or busi­ness unit heads. A good ex­pe­ri­enced man­ager in risk man­age­ment, with the ap­pro­pri­ate spe­cialised aca­demic achieve­ment, will prob­a­bly get around 15% to 20% more than a man­ager in fi­nance or in busi­ness devel­op­ment with the same num­ber of years un­der his or her belt. A new en­trant who has a req­ui­site risk man­age­ment di­ploma or other aca­demic achieve­ment in risk man­age­ment will com­mand some 15% to 20% more in salary than a new gen­er­al­ist en­trant to an or­gan­i­sa­tion. i MII is of­fer­ing a Qual­i­fi­ca­tion in En­ter­prise Risk Man­age­ment. The pro­gramme is called In­ter­na­tional Cer­tifi­cate in Risk Man­age­ment (CIRM). The next in­take is Nov 2012-Apr 2013. For fur­ther in­for­ma­tion, please con­tact the Ed­u­ca­tion & Life In­surance De­part­ment at tel: +603 2087 8882 or email: ed­u­ca­ Navin Pas­richa is Chair­man of con­sult­ing group Colum­bus Cir­cle Gov­er­nance and an ex­pe­ri­enced in­de­pen­dent Di­rec­tor. He can be con­tacted at

Newspapers in English

Newspapers from Malaysia

© PressReader. All rights reserved.