These days it is not enough for banks and other financial services companies to merely take risks. Firms must calibrate their risks and monitor them as much as they project return on investment. Every prudent risk is taken with an eye toward avoiding the imprudent one.

It is now a given for any high-functioning, risk-taking institution to have an internal department — or departments — devoted full-time to measuring and setting the firm's risk meter. I call this a company's "risk organization." Supervised companywide by the chief risk officer, the risk organization is comprised of managers who report to the CRO, including those tasked with overseeing specific risk areas (operational risk, market risk, credit risk, etc.) as well as business-line managers directly attuned to the risk sensitivity of each revenue center.

Banks that are prioritizing the risk organization are seeing ever-increasing resources devoted to risk management. However, those resources alone do not achieve effective risk management. High-functioning risk organizations I have observed and worked with share and exhibit certain common traits. Here is my list of the seven traits that increase the likelihood of success:

Mature Governance Structure

The first trait of a high-functioning risk organization is a mature risk governance framework. This establishes the objectives, principles and action plan for how the risk organization will manage risk, as well as the structure of committees and other bodies where key managers discuss risk-related issues and ensure that action items are followed.

Whatever technologies and complex risk management processes a bank has put in place, nothing will work unless an effective risk governance framework is adopted. The framework addresses the following questions: How quickly do problems get escalated, and are they escalated to the right people? Are the right people involved in the governance of risk? Is there an appropriate set of working groups and subcommittees to address ongoing issues? When things do go wrong, are the decision-makers aware of the root causes, and how are those causes being addressed?

When a company is hurt by a risk failure in some trading unit or branch, it is often a failure of leadership to understand and then question how unusual levels of profit are really being generated by individuals or trades. Think of various rogue-trading failures or the subprime lending debacle. Problem identification may not have occurred or it may not have been escalated effectively. A risk governance framework can address both of these needs.

Top-to-Bottom Risk Culture

The second trait is a living and breathing risk management culture. A risk governance framework is only helpful if the culture allows those with lower-level responsibilities to take action where they see unusual or unexpected risk exposure. The tone for being proactive is set from the top. An effective CRO spends time on the trading floor and in the branches making sure that everyone in the company receives the message: it is not just risk managers who manage risk, but all employees.

This is an important message because it is those on the front line who ultimately make the difference. Do they know why it is important not to open the door to someone who knocks without a proper ID card? Do they understand how opening that phishing email can unlock the company's network? The tone that is set by those at the top can make a vital difference to those who execute on a day-to-day basis. Are senior executives acting in a way that demonstrates and reinforces the importance of the risk message?

An Open Mind About Regulation

Third, effective risk organizations see regulatory requirements not just as bureaucratic overhead but as an opportunity to strengthen business decision-making.

For example, one CRO has discussed with me the applicability of scenario-based stress tests required under the Dodd-Frank Act beyond regulatory compliance. Since the stress test model had to be created anyway, the CRO reasoned, why not also develop it as a tool that can support business case analysis and decision-making for a wide range of business purposes?

The same is true for developing an operational risk framework that, while being required by the regulators, can have broader utility. Some banks view it as a check-the-box exercise, but the winners turn it into a data-based risk decision-making tool.

Understanding the Firm's Unique Risk Profile

Fourth, high-functioning risk organizations have a high level of self-awareness of the types of risks that they are prepared to take and the boundaries that they should stay within.

Take Berkshire Hathaway as an example. Warren Buffett has built a career on investing in the equities market, an inherently risky activity. Yet he has long shied away from investing in technology companies for reasons he has shared frequently. This is self-awareness par excellence. While this may make sense for Buffett, and we can agree that he has had some success in investing, clearly such a strategy would not make sense for a company like Facebook. In fact, the opposite is true.

Facebook cannot afford the risks associated with a failure to embrace the latest technology. This was evidenced by the impact on its stock price from its perceived slowness to build revenues from mobile Internet platforms in mid-2012. Facebook's subsequent focus and success in addressing mobile-based revenue applications have been rewarded in the markets since then.

On the flip side, firms that lack self-awareness and fail to understand the limits of the risks that they take pay a heavy price. The failures of firms such as Knight Capital in market technology, Bear Stearns in managing client assets and Rochdale Securities in providing customized brokerage services are all such examples.

Not Just Throwing Money at the Problem

The fifth trait is a constant search for efficiency: how to carry out effective risk management with fewer resources. The growth in spending related to risk management since 2008 is undisputed and potentially unavoidable given the short-term need to address new regulatory requirements: Dodd-Frank, Volcker Rule, etc. The winners, however, are those organizations that over the long term can manage their risk and regulatory requirements effectively while on a tighter budget.

Innovation and Technology

The sixth trait is a drive to do research and invest in technology. In the past, this has led to the development of tools such as Value-At-Risk and various Risk Scenario tools. Today, organizations that have prioritized innovation can analyze data in more powerful ways to identify emerging risks more quickly and accurately. Those organizations that have outsourced certain repetitive tasks have nurtured a rich risk talent pool to focus on solving difficult analytical questions. They will be able to make the best use of new analytical tools, and be more sophisticated in managing key risk categories such as anti-money laundering, capital market manipulation, insider trading and potential global market dislocations. In the future, managing these risks with such tools should become more like managing the traffic of a busy city: jams will surely occur but they won't lead to major take-downs.

Constant Self-Analysis

Perhaps the most important trait is a bank's ability and willingness to improve the risk management elements that are lacking and that hinder the institution's success. Managing the transformation into a high-functioning risk organization is a long-term but still vital endeavor.

It starts with the ability to look in the mirror and conduct an honest and accurate assessment of the organization in relation to each of these traits and identify where the company falls short. When a company is hit by a high-profile risk failure, it is natural to ask which risk management shortcomings the episode revealed, and then try to address those shortcomings. But an even more winning strategy would be to avoid knee-jerk reactions, asking enough skeptical questions about any efforts to fill gaps — to ensure the new initiative is indeed a right fit for the organization — so the business isn't blinded by its own sense of immediacy. The acquisition of these seven traits is not simple but developing the right path will ultimately bring significant rewards to those able to navigate it.

Andrew Waxman is an associate partner in IBM Global Business Services' financial markets risk and compliance practice and can be reached at or on Twitter @abwaxman. The views expressed here are his own.