So you want to be an Enterprise Risk Officer?
Navin Pasricha, a former chief risk officer of a bank, answers some serious questions for those considering a career in risk management.
Risk management has been on the corporate agenda in Malaysia for some twenty years, but it is only now that the job of a risk manager is being looked at as a serious career choice. The slow uptake has partly been because not everybody understands what a risk manager actually does. This is a pity because a risk management career can be exciting, mentally challenging and also financially rewarding – many would consider this an ideal job mix.
So what does a risk manager do?
Like all professions, risk management has various levels and it does differ from industry to industry. The financial industries such as banking and insurance are considered to be pioneers in terms of risk methodologies and by and large they do pay their risk professionals better than other industries, so let’s start with a look at what the Chief Risk Officer or CRO of a bank is responsible for. Usually, the CRO will report to the Risk Management Committee of the Board. The CRO’s job is to keep this committee informed about existing and emerging risks and to help the committee members to decide on strategies that will impact the risk profile of the bank. This includes investment and pricing strategies which are at the core of the business. To do this effectively, the CRO must be abreast of all types of banking risks ranging from credit, operational, liquidity and market risks to political, reputation and IT risks. This is a very broad responsibility and so the CRO is usually supported by staff members who are experts in each of the risk categories such as credit risk. The CRO is involved in all major strategic decisions in order to provide risk advice and he also keeps a monitoring brief on less significant risks and advises when policies, processes or organisational structures should be changed in order to manage the risk profile of the bank in a particular way.
How relevant are reporting lines for risk management?
In banks and insurance companies, the CRO is usually independent of the CEO and reports directly to the Risk Committee of the Board. This indicates the level of importance given to the CRO job in financial institutions. In a bank the only other people who usually report to the Board directly are the CEO and the Chief Auditor. All other business and department heads would report to the CEO. Looking a little deeper, this reporting line, which gives the CRO a great deal of independence, is designed to ensure that within the financial institution there is a strong counterbalance to the marketing-oriented heads of the business including the CEO. This ensures that risk is always examined and properly managed when business decisions are being taken. In other words, if you want your risk career to lead to a CRO position, you must develop the character and personality to be able to enter into a constructive partnership with the CEO, but when needed you must also be able to stand up to the CEO and question plans and actions. Indeed, when joining a company in a risk management unit, especially outside the finance industry, it is important to understand the reporting lines, because they will help you to gauge the seriousness with which the company takes risk management. If the head of risk management reports to, say, the Head of Finance or, as I have sometimes seen, to the Company Secretary, then these jobs are to be avoided as the job scope will be very limited and the function probably does not carry too much weight. This type of reporting line is a signal that risk management may be undertaken as a matter of compliance rather than as a business imperative. There is a famous quote from a risk manager of a bank in the UK, which illustrates the frustration you could be facing if the reporting lines for risk are not appropriate.
During the recent financial crisis, Paul Moore, a former risk manager at HBOS, gave written evidence to a Treasury committee in which he said that HBOS had “a cultural indisposition to challenge” and that the task of “being a risk and compliance manager … felt a bit like being a man in a rowing boat trying to slow down an oil tanker”. Due to the prevalence of the sales culture in HBOS, Moore suggested that the “balance and separation of powers was just far too weighted in favour of the CEO and their executive” and alleged that his team had been subject to “threatening” behaviour during the course of its risk compliance. Moore was
dismissed by HBOS in 2004 and he sued for unfair dismissal. If you want to do your job right, then you want to make sure that the reporting lines in your chosen company are such that you will be allowed to do your job right.
Which industries are the hardest for the risk manager?
As for which industries are the best and the most difficult to work in from a risk manager’s perspective, there are probably a few contenders for the easiest industry, but one of the most difficult has to be the insurance industry. There are a few reasons for this, but mainly it is because of the industry’s close association with risk. After all, the whole business model of insurance is to be able to cost and to price risk; so the assumption or subconscious attitude of many insurance managers is that they are experts in risk management and they will often be at loggerheads with enterprise risk or business risk managers. Insurance practitioners are experts at prediction, cost estimation and pricing of risk certainly, but that does not mean they know the best strategies to reduce or manage risk in the business world – that is what the risk manager does. Once over this cultural hump, however, insurance companies can be just as good employers of risk managers as any other industry.
What risks do you really manage if you are not the CRO?
Not everybody entering the risk management field will start off as a CRO, so what are the functions of
other members of a risk management unit? The level of seniority and risk experience tends to determine the type of business risk you are likely to be allowed to manage. There are many ways to categorise risk, and impact is one of those. In terms of impact, there are four levels of risk:
1. Industry level risks – these are risks which everybody in the industry faces, such as interest rates in the banking industry or CPO price fluctuations in the plantations industry.
2. Strategic risks – these are risks which are of the company’s own making and arise only because of a particular strategy being followed; they would not otherwise exist.
3. Process level risks – these are risks which exist in every process – usually low-impact, low-cost errors and operational failures. For instance, a food processing company knows there is a risk of wastage – it is only a matter of how much and at what cost.
4. Catastrophic risks – these are risks which, if they crystallise, could wipe out the whole organisation or a very large part of it. So for a one-ship shipping company, the sinking of that ship would be catastrophic.
5. Project risks – these are risks associated with specific projects that are being undertaken or are planned by the organisation.
Of these levels of risk, the industry level risks, the strategic risks, catastrophic risks and some project risks will most likely be handled by the CRO or senior management team within a risk group. The process level risks and some project risks will be handled on a day-to-day basis by the less experienced. This is because process level risks lend themselves to risk management by process and so can be monitored in a disciplined way. Risk management techniques are less a matter of knowledge and more a matter of experience. And as they say, it takes ten years to get ten years’ experience. When looking at process level risks, you essentially have to apply the stepped approach to risk management.
The steps are – identify, value, decide whether to reduce the risk cost, apply management techniques, monitor and report, and then finally repeat the process.
What contribution to the business do risk managers make?
There is a common impression that risk management is a defensive strategy. With this view, risk is seen as a negative event, such as a fire or fraud that might happen and which has to be guarded against. Risk management does indeed have a large part to play as a defensive mechanism. However, if this is the only perspective that a business takes, then it is losing out on the benefits of the opposite view that risk is a positive resource in business. The most effective route is a balanced one that leverages risk management as both a defensive mechanism and, in other circumstances, a method of optimising profit and growth opportunities.
It is possible to turn risk into opportunity and to make opportunities more achievable by managing some of the risks that surround them. There is no better way to explain this than through some real examples:
Real success stories
In 2003, the food industry was going through a particularly rough patch all around the world. Mad cow disease, avian flu and rocketing freight costs because of tensions in the Middle East had hit the profits of many food giants. An exception to this was the food industry and agri-business multinational group, Bunge. Bunge operates in some 30 countries and employs around 25,000 people. That company was showing growing profits, directly against the trend of its competitors. In fact, Bunge reported a fourth quarter growth of some 4% in profits for 2003 when most others were reporting steeply declining profits. In explanation, Bunge’s chief executive officer at the time, Alberto Weisser, had this to say: “… competitive freight pricing, locked in as part of our risk management programmes, helped offset current record freight rates.” Obviously, Bunge had foreseen the risk of increasing freight costs and therefore fixed rates in advance as a stabilising strategy. Other companies who left their freight costs to the vagaries of demand and supply alone lost out. They had decided to gamble rather than proactively manage their risks and they lost the gamble.
The practice that many companies have of investing in their suppliers is another example of a strategic risk management move to reduce supply risk. Companies with a high degree of vertical integration are the ultimate example of this. For instance, the one-time Australian retail giant Coles Myer was often at the mercy of dairy producers for milk supply into their food supermarkets. Any milk shortages have an immediate impact not only on milk sales but on sales of almost all other food items, because many customers in Australia actually go into a supermarket for the purpose of buying milk and their other purchases are complementary. Partly as a hedge against the supply risk of milk, Coles Myer purchased a dairy operation called Sandhurst Dairies and thereby greatly reduced the risk of unreliable milk supply.
How well does a risk manager get paid?
There are thousands of other inspiring success stories. So what do risk managers get paid for such constructive input as these two examples demonstrate? There are good managers and not so good ones, risk managers in big companies and in small ones, so the best way to gauge remuneration is probably in relative terms. These relativities are not based on any survey but are impressions from recruitment exercises. A good CRO will get paid as much as everybody else who is just one step below the CEO. This would be senior general managers or business unit heads. A good experienced manager in risk management, with the appropriate specialised academic achievement, will probably get around 15% to 20% more than a manager in finance or in business development with the same number of years under his or her belt. A new entrant who has a requisite risk management diploma or other academic achievement in risk management will command some 15% to 20% more in salary than a new generalist entrant to an organisation.
MII is offering a Qualification in Enterprise Risk Management. The programme is called International Certificate in Risk Management (CIRM). The next intake is Nov 2012-Apr 2013. For further information, please contact the Education & Life Insurance Department at tel: +603 2087 8882 or email: firstname.lastname@example.org.
Navin Pasricha is Chairman of consulting group Columbus Circle Governance and an experienced independent Director. He can be contacted at email@example.com