What Makes a Good Risk Manager?

Mark Hughes, Retired Group Chief Risk Officer at the Royal Bank of Canada, wrote a nice white paper for the Global Risk Institute on what makes a good risk manager:
The scope of the “risk manager” role has increased considerably over the last 20 years. The global financial crisis shone a spot light on the importance of sound risk management practices and as a result, risk managers have become an even more critical business partner. Today, traditional risk capabilities such as credit and market risk are still necessary, but with increasing regulatory demands, changes in technology and the ever changing needs of clients, risk managers are expected to bring to bear experience within compliance, AML, regulatory (FBO, CCAR, etc.) and operational risk, data management and analysis, stress testing, business experience and much more. With the required skills and capabilities of risk managers changing at an ever quickening pace, how are organizations like RBC training, developing and recruiting the top risk talent of tomorrow?

Managing in a Changing Environment

In a changing global economy, what constitutes risk has changed as well. Credit risk, which has expanded over the years to include multiple facets, is an important part of risk management, but the risk management discipline is so much more today.

Post the 2008 global financial crisis, the risk function is dealing with many risks beyond the credit risk environment. Financial institutions now have a significant focus on market risk, which includes securities, fixed income, equities and foreign exchange. The 2008 global financial crisis also increased the focus on liquidity risk. Each financial crisis seems to be a little different at the time, and with the benefit of hindsight, there is an opportunity to learn and then apply those learnings to help avoid history repeating itself.

Another area which continues to increase in importance is operational risk, which covers a number of areas including cyber risk, sales practices, operational services, etc. Reputational risk is also significant to organizations as reputation is a huge strength for financial institutions and needs to be protected Strategic risk, which examines, for example how an organization will grow in a low growth environment, and how it will adjust to technological changes that could disrupt its business model, must also be explicitly considered.

Risk management is therefore a dynamic and ever changing responsibility.

Factors that are now taken into consideration by risk professionals include:
  • Macroeconomic variables (e.g., oil prices)
  • Market impacts of political regimes
  • Stress testing that measures vulnerabilities to severe events which could adversely impact the organization
  • Addressing volume and pace of regulatory change and evolving requirements (e.g., AML, IFRS 9, BCBS 239, Basel IV)
  • Operational risks such as systems failures, human error, fraud and cyber security
  • Risks associated with third party service providers and outsourcing arrangements
  • Technology driven innovation and changes to the traditional mode such as digital, mobile and social interactions and disruption to the traditional financial services model
New Perspective, New Tools

Recognizing the need to increase their employees’ awareness and understanding of risk language internally, RBC developed a Risk Pyramid to help identify and categorize its principal risks in new and existing businesses, products, acquisitions and alliances. The principal risks facing RBC have historically been organized vertically from the top of the Pyramid to its base according to the relative degree of control and influence RBC has over each risk type. A review in 2015 augmented the placement of principal risks within the Pyramid to include the dimension of risk drivers. Four risk drivers were identified that reflected the key factors that influence whether or not the principal risks materialize.

These risk drivers are:

Macroeconomic, Strategic, Execution and Transaction/Positional:


Adverse changes in the macroeconomic environment in which we operate can lead to a partial or total collapse of the real economy or the financial system in any of the regions in which we have a presence. Examples include a rapid deterioration in the Canadian housing market, severe North American recession, downturn in China, etc.

The strategic choices made in terms of business mix will determine how the risk profile changes. Examples include strategic expansion of risk appetite to accommodate increased exposure to leveraged financing or commercial real estate, acquisitions, responding to the threats posed by non-traditional competitors, responding to proposed changes in the regulatory framework, etc.


The complexity and scope of a financial institutions operations across the globe exposes the institution to operational and regulatory compliance risks, including fraud, money laundering, cyber threats, conduct/fiduciary risk, etc.


This driver of risk presents a more traditional risk perspective. This involves the risk of credit or market losses arising from the transactions and balance sheet positions undertaken every day.

Another change to RBC’s Risk Pyramid was the relocation of regulatory compliance risk from the base of the pyramid to the same level as operational risk to align more clearly with the concept of these risk drivers.

Global risks and trends that could impact an institution also need to be identified and considered as part of the strategic risk assessment. The Global Risk Institute’s Global Risks and Trends Framework (GRAFT) is structured to help organizations identify and assess potential impacts.

What Experiences Do Risk Managers Need Today?

RBC’s focus today is to develop risk managers so that they can acquire a breadth of experience across multiple risk disciplines. Traditional risk capabilities such as credit and market risk are still necessary; however, these skills are no longer sufficient on their own. The desired capabilities are also shifting with the changing regulatory landscape. Increasingly, risk managers are expected to bring experience within compliance, anti-money laundering, regulatory (FBO, CCAR, etc.) and operational risk, in addition to business experience. With changes in technology, also comes increased focus on developing risk managers who bring high proficiency in data management and analysis, mathematical modelling, programming and stress testing.

There is an increased understanding that developing and deepening leadership capabilities are vital because ultimately, our leaders shape the future. The role of a leader includes identifying first and foremost those who can act as stewards of the enterprise to service clients, drive and reinvent strategy as appropriate, work effectively within and across boundaries and build the next generation of talent.

Leaders need to set the tone and act with integrity in everything they do. They need to be role models for their teams – take action where necessary, deal with uncertainties, be accountable, engage their employees and create an environment where people find meaning in their work and know how important their contribution is to a firm’s success. This drives growth while changing the way we work, breaking familiar patterns to work in a more customer centric manner, simplifying and being more agile.

It has also become a more common expectation that risk managers have business experience such as marketing, sales, account management, which is often easier to do earlier in career. When developing risk managers, there needs to be deliberate and focused planning through professional development programs, cross platforms experiences and rotational programs, especially for the top talent. Supporting and enabling client facing experiences and increasing breadth of experience across different risk disciplines helps to foster connectivity and understanding between the risk function and the business it supports. This leads to stronger and more mature risk managers. Rather than being viewed as an impediment, risk managers need to be seen as strategic partners and colleagues, able to foster mutual appreciation with the business while also in a position to interact with and challenge other firm functions.

The next generation of risk managers will not only need to provide a higher degree of client focus, agility, strategic orientation, global perspective, innovation and business acumen to remain competitive; they will also need to have a growth mindset, understand how to engage employees and actively sponsor and develop talent. Employees are an organization’s key differentiator and their development and engagement level is something that leaders can directly influence.

Continued Focus on Diversity

If the rise of new innovations has shown us one thing, it’s that the way we did things in the past may not lead us to success in the future. In the same way, we now know that diversity and inclusion are key ingredients to driving successful risk management approaches and ultimately, sustainable business growth.

To best support an increasingly diverse and global client base, organizations need to ensure that their employees reflect that diversity. Diversity is imperative for innovation and growth. By understanding and leveraging different perspectives, experiences and cultures, an organization is able to tap into perspectives and approaches that wouldn’t otherwise be considered.

This diversity in perspective is also needed to broaden our thinking about risks.

The Increasing Role of Technology

Technological advances are reshaping financial services, presenting both challenges and opportunities. New ways are being found to transcend traditional industry barriers and deliver compelling and differentiated client value propositions. For example, big data, and exploration of predictive analytics capabilities, will help banks to glean insights from structured and unstructured data repositories.

While technical innovations will be a competitive advantage for some financial institutions, they also pose new and previously unexplored risks.

Ongoing development of risk technology and resiliency through cyber security initiatives and ongoing technological innovation will continue to help financial institutions better prepare for the changing landscape.

For risk managers, the shift to analytics focus will be significant over the coming decade. Big data, for example, enables risk functions to use structured and unstructured customer information to help them make better credit risk decisions, detect financial crime and predict losses.

Machine learning also improves the accuracy of risk models through the detection of non-linear patterns in large data sets and could have large scale implications for risk managers.

Identifying the Right Talent

Building future leaders begins with recruiting for key skills and behaviours. Organizations must look for risk candidates who, have an analytical mindset and who bring relevant business experience in areas such as business or functional areas such as capital markets or finance. A Masters or PHD in a quantitative discipline is an increasingly desirable designation. For external candidates in particular, it is especially important to look for people who display behaviours in alignment with the organization’s values

At RBC, we identify high potential talent from our internal employee population based not only on performance, but also on indicators that show potential for growth at an accelerated rate. High potential employees have aptitude to grow into a senior leader, i.e., they are broad thinkers who take decisive action, stand out amongst their peers and are aligned to RBC’s Leadership Model:
  • Drive to Impact
  • Adapt Quickly, Always Learn
  • Unlock the Potential of Our People
Talent identification starts early in a career and differentiates those employees who are in consideration for senior leadership roles. Additionally, thorough the year, the senior management team discuss talent needs and opportunities within their teams. These discussions enable the leaders to discuss top talent and determine any gaps or development opportunities to ensure the employee is/will be successful.

Planning for the Right Roles

The market for risk talent globally is tight, particularly in a period of heightened regulatory scrutiny, hence financial institutions are finding they are increasingly challenged by a competitive environment when recruiting risk professionals. Common challenges include extensive time to fill given the specialized nature of the work, increased competition from more established firms, and the fact that candidates often have a choice of where they want to live and work. Risk professionals also have new options available to them as fin-techs and more traditional technology companies put increased focus on building their risk management functions.

There remains a need to balance hiring early career talent (with the intention of overseeing their development) with experienced hires who bring a critical skill that is required. To stay competitive and seek out and attract the best talent, financial institutions need to continue to source for experienced hires, both internally and externally. At the same time, they need to identify critical skill set gaps where early talent hires would add immediate value or shorter term succession potential for senior roles.

Competition for risk professionals is significant and places further pressure on banks to develop tomorrow’s risk leaders from within. This means succession and retention planning for senior leadership roles, and continued focus on the active development of all employees, with differentiated development of high potential talent.

Robust succession plans for leadership roles within the risk management function are necessary and these need to be reviewed regularly to maintain their strength. Annual activities that strengthen succession planning and development processes should include targets around developmental moves, proactively developing external talent with diverse and critical skills, creating a strong university campus recruitment presence, and accelerating development of high potential women and visible minorities.

High potential talent development is designed to provide foundational skills while also supporting a tailored approach to individual development needs. Knowing that a lot of this development will not happen in the classroom, RBC looks at three different ways of providing future risk managers the right development in their early career:
  • Experience – Cross platform moves, stretch assignments, special projects, rotational assignments
  • Exposure – Assessments, sponsorship, mentoring programs, coaching (internal and external)
  • Education – Internal leadership development programs, external leadership development, major educational sponsorships and business and functional specific development programs

Risk management is something all employees are accountable for – all employees have a shared responsibility for doing what’s right, which contributes to the company’s strength and stability and helps its client thrive and communities prosper. How risk is assessed and measured to capitalize on opportunities and how it is analyzed and mitigated to protect the business, competitive position and reputation is integral to an organization’s success.

Risk management has evolved significantly over the last two decades and, with it, so has the role of the risk manager. One of the responsibilities of leaders is to help guide employees toward clear and sometimes diverse paths that encourage them to pursue advancement opportunities and leadership roles. To develop risk managers for tomorrow, it is incredibly important to have targeted development plans in place, to be transparent with future leaders about their required development and to provide them with opportunities to gain the breadth and depth of the required experience. By developing and empowering our leaders, we enable them to drive change, shape and strengthen culture, impact employee engagement and performance and ultimately position their organization for greater success.


http://www.mckinsey.com/business-functions/risk/our-insights/people-and-talent-management-in-risk-and- control-functions



You can download the PDF file to this paper here.

I thank Hugh O'Reilly, OPTrust's former CEO, for posting this on LinkedIn.

This paper is very well written and covers a lot of material. It is written from a banking perspective but most insights also apply to pensions and other institutional investors.

The role of a risk manager has evolved considerably in the last 20 years and this paper explains all the angles as to why risk management encompasses so much more than credit and market risk.

Some of the changes come from technological advances as organizations increasingly rely on big data to manage operational and investment risks.

Here, I will share some insights from a friend who is a data analytics expert. He told me that there's often needless tension between data analytics experts and IT departments and unless the big data department has the full backing of the CEO, it's very difficult to advance projects.

Of course, while I'm all for better data analytics, I also believe in good old fashion qualitative analysis to supplement this data. You can automate a lot nowadays but you cannot simply rely on algorithms to catch all risks.

There is something else this white paper doesn't cover, the governance of risk. Should a risk manager report to the CIO, CFO, CEO or board of directors?

I asked Hugh O'Reilly about who a Chief Risk Officer (CRO) should report to, the CEO or the Board, and he shared this:
"My answer to your question is both. I think that the CRO can only be organizationally effective if the person has the support of the CEO, hence the need for the direct reporting relationship. The CRO should also hold a regular in camera with the Board."
Typically, at Canada's large pensions, they report to CFO or directly to the CEO and sit on board meetings, but the role a risk manager plays in a large pension where investment managers invest across public and private markets is a tricky balancing act.

As Canadian pensions invest increasingly more in private markets, risk managers are required to assess risks of private assets and to do this properly, they need people with certain skills sets and to rely on external advisors (mostly auditors) to make sure valuations are in line with internal models and to make sure they can get a good grasp on risks of these assets if a downturn occurs.

Private markets present a whole set of risks traditional risk managers are not typically comfortable with, like illiquidity risk, valuation risk, regulatory and currency risks.

In my opinion, a good risk manager at a pension fund needs to understand all risks and work with investment managers and senior analysts to lend support where they can and to make sure all risks across public and private markets are accounted for and mitigated if needed.

By the way, this includes ESG risks, something this white paper doesn't address (see here and here).

As I stated, it's a balancing act, one that requires cooperation and the full backing from the CEO and board of directors.

Lastly, writing this comment, I'm reminded of something Doug Pearce, the former CEO of bcIMC (now BCI), once told me: "The time to worry about risks is when everything is going really well."

I couldn't agree more, especially this late in the cycle, you need to be really vigilant and attune to all potential risks across all markets and be cognizant of geopolitical risks too.

Below, Rocky Ieraci, Managing Director, Head of Investment Risk and Steven Richards, Managing Director, Head of Enterprise Risk represented CPPIB at a recent FCLTGlobal forum discussing how risk is a balancing act. The video transcript is available here.

And Hugh O'Reilly, senior fellow at the C.D. Howe Institute, joins BNN Bloomberg to discuss the outlook for markets amid current trade tensions.Watch it here if it doesn't load below.