The proliferation of chief “something” officer (CxO) titles over the past decades recognizes that there’s value in having a single individual focused on a specific critical problem. A CxO position can be strategic or it can be the ultimate middle management role, with far more responsibilities than authority. Many of those handed such a title find that it’s the latter. This may be because the organization that created the title is unwilling to invest the necessary powers and portfolio of responsibilities to make it strategic – a case of institutional inertia. Or it may be that the individual given the CxO title doesn’t have the skills or temperament to be a “chief” in a strategic sense.
In business, becoming a chief anything means leaving behind most of the hands-on specific skills that made one successful enough to receive the promotion. This is often the hardest requirement, especially for those coming from an administrative or a highly technical part of a business. Take the
The same distinction applies to newer C-level titles. For example, since the financial crisis a few years ago, there has been a growing recognition that banks must manage
Approach
Having the proverbial “seat at the table” (a hackneyed business phrase that’s shorthand for being taken seriously by the senior
Learn another language. Understanding of other parts of the business goes a long way toward being able to work more effectively, and a CRO should be to translate risk jargon into words and concepts that are relevant to specific parts of the business. It works both ways, too. Understanding the objectives, objections and concerns of other executives means being able to grasp the nuances of their questions and comments. It also helps in explaining the thinking behind the trade-offs necessary to optimize a balance sheet to achieve an optimal ROE for the level and structure of the risk. It’s also essential to be able to communicate the essence of risk management to laymen, for example, by distilling the complexities of a black-box risk strategy into an elevator pitch. All risk models are translatable into easy-to-comprehend concepts. A CRO must be able to do this and even develop an institutional shorthand within the organization that everyone understands – the functional equivalent of describing a feature film as “a car-chase buddy movie.”
Assert leadership when it’s needed. Some leaders are born, but everyone else needs to unlearn habits that detract from their effectiveness as a leader. People in risk or compliance roles may have a harder time than others because the basic skills necessary to
Beyond these three personal and interpersonal requirements, appropriate use of
Data is the lifeblood of risk management. The credibility of the risk organization is based on accuracy and availability of data. Bad data drives bad decisions and undermines the authority of the risk organization. As data sets proliferate, grow larger and increasingly incorporate external data feeds (not just market data but news and other unstructured data), the challenge increases. The proverbial garbage-in-garbage-out (GIGO) becomes Big GIGO, as I have written. Data quality must be built into all of the systems. Speed in handling data is essential. The pace of transactions in the financial markets and the banking industry continues to increase, and their risk systems must keep up. Our benchmark research shows that financial services has to deal with more sources of data than other industry sectors.
Yet beyond these maxims is the reality that all large financial institutions fall short in their ability to handle data. “You can have your answers fast or you can have them accurate,” is often said in jest, but it reflects the business reality that analyses often are not black-and-white – utterly reliable or completely false. They may have to be based on information that to varying degrees is incomplete, ambiguous, dated or some combination of these three. Adapting to this reality, new tools utilizing advanced analytical techniques can qualify the reliability of a bit of analysis. It’s better to get some assessment and see that it’s 33 percent reliable than to get no answer or – worse – get an answer without qualification. In most cases, it’s better to get an approximate answer now than to wait for an ironclad answer in a day or two. The decision-makers have an idea of the risk they’re taking if they act on the result, or they can take a different approach to look for a way to get an answer that is more reliable.
Software is essential to risk management and optimization. Technology can buy accuracy, speed, visibility and safety. Many banks ought to do more dynamic risk management. Analytical applications using in-memory processing can substantially reduce the time it takes to run even complex models that utilize very large data sets. This not only improves the productivity of risk analysts but it makes scenario analysis and contingency planning more accessible to those outside the risk organization. If you can run a complex, detailed model and immediately get an interactive report (one that enables you to drill back and drill around), you can have a business conversation about its implications and what to do next. If you have to wait hours or days as you might using a spreadsheet, you can’t.
Desktop spreadsheets have their uses, but in risk management the road to hell begins in cell A1. Spreadsheets are the right tool for prototyping and exploratory analysis. They are a poor choice for ongoing risk management modeling and analytics. They are error-prone, lack necessary controls and have limited dimensionality. The dangers of using spreadsheets in managing risk exposure were laid bare by the internal investigation conducted by JP Morgan, which I commented on at the time. There are many alternatives to desktop spreadsheets that are affordable and require limited
Automate and centralize. Information technology delivers speed, efficiency and accuracy when manual tasks are automated. The payoff from automating routine reporting and analytics may seem trivial, but this is usually because people – especially managers – underestimate the amount of time spent as well as the routine errors that creep into manual tasks (especially if they are performed in a desktop spreadsheet). The need for automation and centralization especially applies to regulatory and legal activities, such as affirmations, attestations, signoffs and any other form of documentation. Especially in highly regulated industries such as financial services, there is no strategic value in meeting legal requirements, but there is some in doing so as efficiently as possible and limiting the potential for oversights and errors. Keeping all such documentation in a central repository and eliminating the use of email systems as a transport mechanism and repository for compliance documentation saves time of highly compensated individuals when inevitable audits and investigations occur and limits the possibility that documents cannot be found when needed.
Senior executive sponsorship is also a critical need if the chief risk officer is to be a strategic player. If the CRO has done all of the above, that’s not going to be a problem because the CRO’s objectives and the CEO’s objectives will be largely aligned. True, that’s not always a given. Some organizations will not embrace the notion that managing risk can be strategic. CROs who find themselves in an organization where their aspirations to serve a strategic role are not met should find another one that appreciates the value they can bring to the table.
Regards,
Robert Kugel – SVP Research