= Subscriber content; or subscribe now to access all American Banker content.

What Makes a Good Risk Manager?

Here on BankThink, risk is certainly a popular topic of discussion, as an adequate means of assessment is necessary if we are to avoid repeating past (and perhaps current) mistakes.

But a majority of our posts focus on new and existing tools, systems, agencies or legislation pertaining to risk management. Rarely do we talk about the personnel hired to implement them.

This is one of the reasons why a recent LinkedIn discussion thread piqued our interest.  On a message board dedicated to the International Organization for Standardization 31000 Risk Management Standard, one group member asked:  "What are the characteristics of a good risk manager? If you were to employ a manager of risk in your company, what attributes would you expect them to have?"

While responses were varied (and, at times, hotly contested), respondents generally agreed risk managers needed to possess strong analytical skills, natural leadership abilities, a basic knowledge of applicable software and a head for numbers.

Another overarching theme was the need for experience. While some said qualified personnel should have around four to six years of managerial experience under their belt, another commenter emphasized quality versus quantity by suggesting the ideal new hire come "with a track record of implementing Risk Management in an organization from conception."

"Start with the policy," this commenter added. "I personally don't really care if you use a crystal ball, if you can show that it works."

Ultimately, the question yielded a list of buzzwords so long (among them, "innovative thinker," "visionary" and "team player, but self-starter") it was hard to think any mortal could fill the role.

As one commenter wrote, "A lot of comments about the risk manager's attributes are so perfect that could you find such a person in the real world? This is a question."

What qualities do you think make for a strong risk manager? Let us know in the comments section below.

Jeanine Skowronski is the deputy editor of BankThink.


(13) Comments



Comments (13)
I disagree with all the above. A "branch manager" has principal authority, within limits, for making decisions for the branch--and is accountable for its results. An "IT manager," also within limits, develops and executes through IT systems to achieve agreed objectives and results.

So-called risk managers have no authority. They are not managers of anything (other than of staff people who generate only expense) and they have no bottom line. If Jamie's CIO had had a genius "risk manager" in London instead of Irving, it wouldn't have mattered, the genius would have been shouted down or fired. Firing, or the threat of it, also works wonders for general counsel and their risk-oriented "advice," as in the case of B of A. Moynihan stepped in and became Lewis's fair-haired boy in a situation not all that different from Nixon's firing of the Special Prosecutor.

A CRO will be nearly or entirely worthless, irrelevant, unless the Board and CEO are firmly committed to acting on his recommendations for risk reduction unless and until proven wrong. That condition will never or seldom be met. Even if it were, the CRO would have no bottom line, no way to assess his performance. Hence his position would be untenable and contradictory.
Posted by andrewkahr | Thursday, August 02 2012 at 4:19AM ET
From Dave Gibbons, Managing Director, Promontory Financial Group:
This is an important topic. Promontory CEO Gene Ludwig likens the role of a chief risk officer to that of a defensive coordinator and star hockey goalie, and it's a good analogy. The CRO sets the defensive strategy, positions the players, programs, and processes relative to the business and the risks, and ultimately protects the goal. That said, when that puck glides past, the CRO gets the blame. CROs don't get to score goals--it's not their job.
During a 30-plus year career as a bank regulator, as a chief risk officer, and now as a consultant, I've observed a few qualities over and over in the best risk managers.
- KNOWLEDGE. Simply put, they know their stuff. They are technically strong from a knowledge and skills standpoint, often in several disciplines, such as credit and operations. And they have the financial acumen to know how the money is being made, and hence where the risks lie.
- WISDOM. Plenty of people know their topic from a technical standpoint. Having the wisdom to know that the unexpected can always happen is something extra, and it's an essential trait in a CRO. Over years of experience, effective CROs have "seen it all" from both the business and risk angles. Yet they are either humble or skeptical enough to know that you've never really seen it all. They know what they don't know, and they are passionate about learning the industry-leading practices, whether from peers, regulators, or associations.
- COMMUNICATION. It is hard to succeed as a CRO if you are not a good communicator and networker. Both are vital to keeping abreast of what is going on in an organization, and to influencing change where needed. The CRO must be adept at managing across and up as well as down, and possess the ability to boil an issue down to its essence.
- OBSERVATION AND ANALYSIS. Good CROs are analytical without appearing to be--well, let's just say it--eggheads. They have a passion for getting the facts right and in context. Hand in hand with this quality, they are usually quite observant--they can see the relationships and dependencies among disparate businesses, operations, processes, and even people.
- JUST ONE MORE THING. Think Detective Columbo in a pressed pinstriped suit, and you've got the right idea. Good CROs are skeptical enough to ask penetrating questions, and they are persistent--even intrusive--when they need to be. CROs don't have to seek confrontation, but they can't shy away from it. "There are a couple of loose ends I'd like to tie up"--that could have been said by a CRO.
Posted by Debra Cope | Wednesday, August 01 2012 at 11:11AM ET
He or she:

a) must be constitutionally incapable of having absolute confidence in the validity of any quantitative risk model, and
b) must not exclusively rely on a deductive approach to risk analysis (in other words, don't always rely on a set of general principles that can always be used to explain specific circumstances).
Posted by | Wednesday, August 01 2012 at 10:14AM ET
Among all the traits mentioned ,one that I would like to highlight is the strong sixth sense -or GUT FEEL he/she should have---risk aversion should be anathema to him/her and he/she must have the ability to assess and take as much as his apetite for risk is-Risk taking is not hitting the blind spot--risk taking is reasoned calculation-that ability must be very shasrp
Posted by zaidi | Tuesday, July 31 2012 at 3:07PM ET
Must be apolitical. Cannot be caught up in considering how to spin something. It's assummed a risk manager is honest. He/she must also be open. Even if he/she doesn't have the answer, they must raise issues and ask the right questions. A risk manager is meant to eliminate surprises.
Posted by dbclark | Tuesday, July 31 2012 at 3:01PM ET
In order to help the bank do an effective risk assessment, the risk manager must ensure that the right information is being collected from throughout the organization.
In order to activate good risk mitigation efforts, the risk manager must be able to establish a plan and effectively communicate it.
Posted by rhaven | Tuesday, July 31 2012 at 2:55PM ET
A good risk manager must be disciplined. Risk management is about discipline, making decisions the right way after weighing all relevant factors and risks and being disciplined enough to let some opportunities pass when they cannot make it through the disciplined review. The risk manager must understand this and enforce it. When you look at the recent crises, that is where the problems arise: a lack of discipline and overwhelming greed.
Posted by spedro | Tuesday, July 31 2012 at 1:14PM ET
1. Critical-thinking skills
2. backbone
Posted by bartharness | Tuesday, July 31 2012 at 1:14PM ET
It's really a lot simplier. The real risk managers are the CEO and the top management team. There the ones that have to understand and value to risks. All the risk managers, analysis and reports in the world can't replace this group from their responsibility to understand and value the risks that could threaten the bank.
Posted by Rhsmith999 | Tuesday, July 31 2012 at 12:31PM ET
A risk manager must intimately understand the internal controls and the risks that the controls mitigate, but be able to evaluate the cost of implementing those controls versus the risk of not implementing the controls. We get so caught up in "buzz words" and "the talk" that we forget to dig down and find out if the person truly understands the basis of risk versus reward of the particular function being evaluated. If risk were eliminated, then there would be no banks period. The above description sounds like it is describing an analyst.....rather than a risk manger. yes there are a lot of similarities in skills, but a huge difference in application of knowledge and decision making.
Posted by vkpace | Tuesday, July 31 2012 at 12:25PM ET
competent, candid, courageous, cultural, consistent
Posted by D Lewis | Tuesday, July 31 2012 at 10:54AM ET
Risk management is about the network and culture you can create in and "around" the activities and actions of an organization. No one person has the red cape, as you indicate in the note above. However, in today's world of risk and risk management, the most effective leaders know how to "crowd source" intelligence from around an organization. He or she knows that the Devil is in the Details and that the best ballast for lifting those details out of the trench and onto the proper dashboards means impacting the culture of an organization, from the Board and CEO down to the line staff in a bank branch. "Everyone a risk manager" is the culture to create. This doesn't require everyone to know stochastic calculus. After all, the math usually fails just when you wish it didn't. This is one of the empirical realities of the proverbial Black Swan. Today's risk manager must have the skill to create such a platform in an organization, and this requires proper empowerment from above. Sadly, most organizations give lip service to risk management, and risk management is more of a compliance exercise in regulatory appeasement than a meaningful CORE PRINCIPLE of business mission and activity. Until Boards take a more active role in strategic direction on ERM, and until the CEO realizes that ERM isn't compliance but a core value of the enterprise, risk management will continue to be an exercise in windmills and jousting. For those serious enough to put forth the effort, the skills needed orient around:

* Data
* Technology
* Best (sound) practice(s)
* Governance
* Organizational design
* Presentation and speaking skills
* Sales and marketing
* ...and for the CRO, yes, mathematics, finance, markets, and economics

(among other things)
Posted by Stentor | Tuesday, July 31 2012 at 12:48AM ET
Some common sense... Robo-risk doesn't do anyone any good!
Posted by openuris | Monday, July 30 2012 at 4:45PM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.