A good friend, who is a respected and influential risk practitioner and thought leader, and I recently had a friendly argument about what key competencies a risk officer needed to be effective. He listed probability theory, statistics foundations, risk perception and cognitive biases, decision theory and corporate finance, saying that “without these competencies, risk managers are useless to the business.”
I responded by saying I would put these competencies first:
- Knowledge of the business.
- Understanding of the goals and objectives of the organization.
- Communication and teamwork skills.
- Common sense and judgment.
- Understanding of performance management.
Can Someone Be a Risk Officer and Not Be a Quant?
While for some situations, especially where a key decision is needed and multiple possibilities (and multiple effects) need to be carefully analyzed, quant methods such as modeling and Monte Carlo simulation are essential. But for many others, I can be quite comfortable with the use of informed and considered judgment. (Note the emphasis.) I especially like cross-functional workshops.
My friend doesn't see risk management without proper quants. He said just talking about risks is insufficient for complex objectives, projects or decisions. But I think it all depends on the business and how it operates. For example, how much math and statistics do you need in a retail business, an IT service provider, a consulting organization, or one that manages construction projects?
At this point, a friend who is a venture capitalist chimed in: "I think we can all agree that very few successful business executives are dumb. I find that many executives are constantly ‘rolling dice’ in their heads and doing back of napkin analysis that helps them make decisions to ‘win 3 ways and only lose 1 way’ and the like. This, too, is a sort of low fidelity math that operates in a world of the truly unknown future." But he continued, “Virtually every business I invest in or operate has at least one ‘mathematical model’ that is central to the organization. I only use Monte Carlo simulations for investment decisions (investments in companies and in technology systems for companies)."
That jives with my experience. Some situations merit quant methods and some don't. The former are dominant in financial services, less so in other business sectors. You simply cannot model every risk! The organization would come to a halt, as risk is taken with every decision.
I asked my first friend how often he used quant techniques in his own business. He replied: "Only for the decisions that justify risk modeling (high uncertainty, high materiality). And it's not modeling individual risks, it's modeling the effect risks collectively have on a decision or objective."
That pretty much tied up the discussion as I totally agreed with his last point.
Related Article: 8 Biggest Risks for Internal Auditors in 2018
Communication Skills in High Demand
On reflection, I would add the ability to facilitate a cross-functional discussion among my top competencies. But the top four competencies I shared with my friend remain my top four, as illustrated by the following stories.
The first story comes from global management consulting firm A.T. Kearney. A risk manager is overheard at a recent intra-departmental meeting: “The Basel II second pillar requires that we focus on the ICAAP, and it is inherent that the board of the bank fulfill their obligations in this respect and that sufficient oversight is provided by the SREP ....” At this point many of the participants had no idea what the risk manager was talking about, but they were too afraid to ask questions so they nodded their heads in polite agreement and hoped no one would ask them for their personal opinion.
The next story happened to me. Following a presentation I gave at a risk management association conference, the president of the association asked to sit with me over lunch as he had a problem he thought I could help with. He told me that while he reported directly to the CEO, he always found it difficult to get time with him. When he was able to arrange a meeting, the CEO seem to lack interest in what he was saying and was reluctant to act on his recommendations.
As this gentleman was speaking, I realized the problem. I didn’t want to listen to him either, because he was boring! He spoke in a monotone without any passion in his voice, and used technical rather than business language. If I didn’t want to listen to him over lunch, how could I expect a busy CEO to want to listen?
When management doesn’t find time to talk to you, or starts looking out the window as you are speaking, it’s not a management problem. You are most likely the problem. We need to talk in the language of the business about things that matter to the business, and make sure the individual we are talking to understands how they affect him.
Let me close with one challenging idea: Who should run these models? Should it be the risk officer, or the individual responsible for the strategy, project or plan? I favor the latter, what do you think?
What would you name as the top competencies for success for a risk officer?
Related Article: Effective Risk Management Starts With Better Decision Making