Home > Risk > The essential competencies of an effective risk officer

The essential competencies of an effective risk officer

I recently sparred gently with a good friend, a respected and influential risk practitioner and thought leader, about the key competencies necessary for a risk officer to be effective.

He listed “probability theory, statistics foundations, risk perception and cognitive biases, decision theory and corporate finance”, saying that “without these competencies risk managers are useless to the business”.

Here’s an interesting piece on the question: What competencies should risk managers outside of banks and insurance companies really have?

My response was:

I would put these competencies first:

  1. Knowledge of the business
  2. Understanding of the goals and objectives of the organization
  3. Communication and teamwork skills
  4. Empathy
  5. Common sense and judgment
  6. Understanding of performance management

While for some situations, especially where a key decision is needed and multiple possibilities (and multiple effects) need to be carefully analyzed, quant methods such as modeling and Monte Carlo simulation are essential. But for many others, I can be quite comfortable with the use of informed and considered judgment. (Note that I emphasize informed and considered.) I especially like cross-functional workshops.

My friend responded, “I personally don’t see risk management without proper quants. Just talking about risks is insufficient for complex objectives, projects or decisions”.

I said, “I think it all depends on the business and how it operates. For example, how much math and statistics do you need in a retail business, an IT service provider, a consulting organization, or one that manages construction projects?”

Another friend (a venture capitalist) chimed in: “I think we can all agree that very few successful business executives are dumb. I find that many executives are constantly ‘rolling dice’ in their heads and doing back of napkin analysis that helps them make decisions to ‘win 3 ways and only lose 1 way’ and the like. This, too, is a sort of low fidelity math that operates in a world of the truly unknown future”.

But he also said: “Virtually every business I invest in or operate has at least one ‘mathematical model’ that is central to the organization. I only use Monte Carlo simulations for investment decisions (investments in companies and in technology systems for companies).”

My reply was: “Thanks – that jives with my experience. There are some situations that merit quant methods and some that don’t really. The former are dominant in financial services, less so in other business sectors.” I continued: “PS – you simply cannot model every risk! The organization would come to a halt, as risk is taken with every decision.”

I had asked my first friend how often he used quant techniques in his own business. He replied:

“Only for the decisions that justify risk modelling (high uncertainty, high materiality). And it’s not modelling individual risks, it modelling the effect risks collectively have on a decision or objective.”

That pretty much tied up the discussion. (I totally agree with his last point).

But, on reflection the ability to facilitate a cross-functional discussion would have been among my top competencies

But the top four competencies I shared with my friend remain my top four, as illustrated by a couple of stories in World-Class Risk Management .

… A. T. Kearney … captured this when they told this story:

A risk manager is overheard at a recent intra-departmental meeting: “The Basel II second pillar requires that we focus on the ICAAP, and it is inherent that the board of the bank fulfill their obligations in this respect and that sufficient oversight is provided by the SREP…” at which point many of the participants have no idea what the risk manager is talking about, but they are too afraid to ask questions so they nod their heads in polite agreement and hope no one will ask them for their personal opinion.

In World-Class Internal Auditing: Tales from my Journey, I tell a story of my own:

I once gave a presentation at a risk management association conference. Afterwards, the president of the association asked to sit with me over lunch as he had a problem he thought I could help with.

He told me that while he reported directly to the CEO, he always found it difficult to get time with him. When he was able to arrange a meeting, the CEO seem to lack interest in what he was saying and was reluctant to act on his recommendations.

As this gentleman was speaking, I realized the problem. I didn’t want to listen to him either, because he was boring! He spoke in a monotone without any passion in his voice, and used technical rather than business language.

If I didn’t want to listen to him over lunch, how could I expect a busy CEO to want to listen?

When management doesn’t find time to talk to you, or starts looking out the window as you are speaking, it’s not a management problem. You are most likely the problem!

We need to talk in the language of the business about things that matter to the business, and make sure the individual we are talking to understands how they affect him.

Let me close with one challenging idea.

Who should run these models?

Should it be the risk officer, or the individual responsible for the strategy, project, or plan?

I actually favor the latter!

So what do you think?

What are the top competencies for success for a risk officer?

  1. John Fraser
    May 5, 2018 at 9:49 AM

    Among others: knowledge of how to apply true ERM and credibility with management and the board.

    • Norman Marks
      May 5, 2018 at 9:54 AM

      Maybe I should have said they need to read your and my books, John.

  2. May 5, 2018 at 9:52 AM

    Norman, I also favour the latter, I have however discovered that in situations when hidden agendas are many, corporate culture is weak, potential for corruption is significant, it is better for the risk manager to do the risk analysis himself (subject to risk manager having no vested interest in the decision). I even once offered to the CEO to move all risk analysis to the risk team to which I got an astounding NO WAY :))

  3. May 5, 2018 at 12:11 PM

    I would have thought that the accountants carrying out the financial analysis of the project before presentation to the approving authority should be responsible for the modelling. If it is to be someone outside the team, such as the risk manager, you are blurring accountability. If things go wrong, you are setting yourself up for the blame game. However, there may be an argument for the risk manager checking the modelling.

    Norman, I agree with your competencies, although I would include, ‘laughs at the manager’s jokes’, or does that come under 3 and 5?

  4. May 5, 2018 at 3:15 PM

    Hi Norman, thanks for this relevant article.

    From a my own article that I wrote in 2016 entitled “10 Must Have Skills to be a Successful Risk Manager” – available in http://riskmanagementguru.com/10-must-skills-successful-risk-manager.html/ – I would highlight the following traits:

    – “Financial acumen”
    – “Strategic thinking capability”
    – “Technical skills, negotiation skills and the ability to influence people”

    However, my original article was more directed towards a “typical” Risk Manager working in financial services or a Bank.
    From your list, currently, I mark “Understanding of the goals and objectives of the organization” as one of the most relevant and sometimes difficult for risk managers to achieve.


  5. Robert
    May 11, 2018 at 9:25 AM

    I would add to the list of necessary competencies: Access to, and the ability to digest , various quantitative and qualitative information sources, without falling into “analysis paralysis” mode or filtering the information with preconceived notions/ judgement.

  1. May 5, 2018 at 2:05 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: