“You’re not supposed to be sycophants; you’re supposed to be sceptical. (…) And having you in this building has made this workplace better. It keeps us honest, makes us work harder.”
This may be a quote from Obama addressing the White House press corp for the final time whilst in office; however, don’t these words also absolutely ring true for operational risk managers?
Having worked in financial services risk management and recruited for countless risk managers during the past 20 years, we have seen many operational risk candidates and worked with countless operational risk managers.
In the past, operational risk tasks were sometimes viewed as compliance or administrative rubber stamps and were handed to someone as a ‘side of the desk’ task, or given to someone junior or inexperienced.
In reality, the operational risk manager role is crucial for the effective running of your firm and compliance to regulatory obligations, thereby minimising losses within your processes – not least taking account of the reputational impact of breaching a regulatory requirement. Organisations are waking up to the benefits of an operational risk management department resourced with experienced, highly effective individuals.
Highly effective operational risk management requires a specialised skill set and a strong personality, with the analytical, technical and relationship management skills required to tread a delicate balance with colleagues and senior management daily.
So, what makes a good operational risk manager? Here is our list of the most important attributes that we look for in a good operational risk manager:
1.Always looking for improvements and wanting to make things better
The business processes, products, internal and external environment are constantly changing, therefore the operational risks, the control environment, KRIs, reporting, and operational risk frameworks also need to be revisited, adapted and renewed in response. A good operational risk manager knows this and will be continually looking at the changes in your business and the impact this has, and by supporting you in ensuring the most effective, efficient and relevant operational risk framework is in place
.2. Robust and credible relationship manager
An effective operational risk manager will want to drive the right results for the risk management of the firm. They will be comfortable challenging within any of the 3 Lines of Defence and at any level of the organisation regarding the operation and application of the risk framework. There have been many examples throughout history where the boss, or those in authority, have not been challenged appropriately, even though the error had been noted, with disastrous consequences.
it’s no wonder that so many organisations point to a lack of operational risk capability as one of their key areas of weakness.
Credibility is key to relationship management with the business. Credibility does not imply the need for ‘greyed hair gravitas’, however you do need to have knowledge of the business, products and processes, of what good risk management looks like, and to be able to ask those tough questions.
The business and functions do not have to personally like the operational risk manager, but they do have to respect their position and opinion.
A good operational risk manager will be able to nurture and maintain a good relationship with the business which can withstand a ‘healthy tension’ to ensure the right level of debate and challenge.
3. Professionally sceptical
Scepticism should not be confused with pessimism. A good risk manager will maintain objectivity with the business, not jump to conclusions, but should naturally seek to validate answers they are given, before coming to a decision. If there was no need to validate, there would be no need for the 3 Lines of Defence.
Going back to the quote from Obama “You’re not supposed to be sycophants; you’re supposed to be sceptical. (…) And having you in this building has made this workplace better. It keeps us honest, makes us work harder.”
A good operational risk manager will instinctively question everything and want to find out more, from what they read about the industry, or what change is happening in the 1st Line, or how a process works, and what went wrong when the process didn’t. They will analyse all potential scenarios of a process to identify the risks.
4. Can focus on priority and materiality
The ability to recognise and focus on priority and materiality within a business or function is essential for an operational risk manager. Risk management tends to attract individuals who are precise and although a risk manager needs to ensure that the framework is applied accurately and completely, they always need to bear in mind both priority and materiality. There is little to be gained from attending to a graze on the knee of an injured person when they have blood gushing from a wound on their head.
Not focusing on priority and/or major material items significantly impacts the effectiveness and credibility of the operational risk management, as well as the engagement and support from the business.
5. Understands the business, their needs and their challenges
A risk manager cannot be effective if they do not understand the business and its priorities. Only with this view do they understand the real risks, the reliability of the assessment, the performance of the controls, and the appropriateness of the KRI and reporting. Only with this knowledge can the risk manager understand the real challenges and the gaps in the control environment of the business.
This will also build the credibility of the risk manager and facilitate the relationship between the risk manager and the business, the other lines of defence and Senior management.
6. Can run an effective risk management meeting
We have all experienced a risk management meeting where:
- the debate focuses on trying to ascertain blame, rather than how to remediate
- the meeting is a download of the latest events that have happened which is the equivalent of having a newspaper read to you (somethings there will even be unnecessary pre-meetings, just to ensure the download of information is rehearsed and therefore seamless!)
- the main priority of the meeting appears to be to stick to the time allotted on the agenda for each item, however valuable the current discussion is, and any challenging questions are met with ‘let’s park that one for now, or ‘let’s take that one off line’
A good risk manager can hold a risk meeting that maintains discussions on:
- the risks of the organisation that are not mitigated within appetite, root causes, next steps and responsibilities
- encourages challenge and debate, and can be flexible to allow valuable discussions to continue if required, and be inclusive
- without seeking to lay blame, but ensuring identification of remediation plans and future prevention strategies
7. Always with an eye on what is coming down the track
A good operational risk manager sees the train coming down the track long before the horn has sounded. They keep abreast of all impending regulatory and business changes and escalate any potential impact appropriately. They plan for this and ensure the risk framework is flexible to react as necessary.
8. Genuinely wants to do the right thing
A good operational risk manager genuinely wants to do the right thing for the organisation, their colleagues, shareholders and the regulators. They want to log off at the end of the week knowing that they have done the right thing, even where that has bought them into conflict with colleagues or even management.
With such a demanding brief, it’s no wonder that so many organisations point to a lack of operational risk capability as one of their key areas of weakness.