Becoming a risk manager can seem to be more art than science. There’s not a clear pathway from degree to junior risk manager to senior risk manager to CRO (Chief Risk Officer) in the same way that you can chart the progress from freshly minted CPA (Certified Public Accountant) to head of Ernst & Young. (Financial risk management is the exception here as there is usually a clear path there.)
So why is the risk manager career path fuzzy compared to other professions?
Risk management is a less structured profession
First, I think there are many risk managers for whom risk is a secondary element of their role. For functional risk managers – safety risk managers, project risk managers – their professional qualifications and expertise are rooted elsewhere, no matter how much time they spend managing risk. Moreover, they’re expected to be functional experts first and foremost. Therefore, risk management is on their job description and a skill they need, but they aren’t hired as risk managers.
(You can read more here on exactly what we mean by risk management.)
Second, there isn’t a hierarchy of risk managers in most organizations, so you can’t start as a junior risk manager and work your way up. There are the risk managers in functional areas and then an executive responsible for risk, but nothing in between. And for many of these executives, managing risk will be a secondary role: they’re not a formal CRO. So there’s no risk department with a hierarchy of expertise and levels of seniority to work through.
However, before you get too despondent and toss your risk management degree application into the trash, there are routes into risk management, and you can map out a pathway to get you where you want to be.
Here are three paths I’ve seen work on multiple occasions.
The happy warrior
A simple way for people to become risk managers is to learn on the job, slowly amassing more and more knowledge and responsibility as they go. Sometimes, this is deliberate, but it’s not uncommon for people to get to a particular stage in their career and realize that others see them as ‘the risk guru.’ They’ve slowly amassed more risk responsibility and knowledge as time went on.
And taking on more and more risk responsibility is often surprisingly easy for one big reason: no-one else wants to do it.
This reluctance might seem odd – after all, risk management is essential – but remember that in most instances, risk management is just another responsibility people have in addition to their primary role. Anyone who comes along and enthusiastically offers to take that work off their plate will be welcomed with open arms.
That’s why I call this approach the happy warrior.
However, don’t be greedy and overstretch yourself. Start by offering to pick up and shepherd any risk-related issues that come up in your team. Then, ask to represent the team at any risk management meetings. Ensure you educate yourself along the way in parallel, and you will quickly find that you are taking on and mastering a larger and larger risk management portfolio. Over time, that will set you up as the risk guru for your team, the department, and eventually the organization. Just make sure you balance this interest in risk with your other responsibilities until you can formalize your role as the risk manager.
(Note that this progression might eventually require you to move firms as there is always an inertia to how people see you versus what you can do. So if you find that no matter how much risk management knowledge and responsibility you have, people still think of you as Frank the engineer, you might need to make a switch.)
The second route to becoming a risk manager is probably the most common. You start by becoming a risk management expert in your field and then branch out. In some ways, this is similar to the happy warrior approach: you take on jobs and attend meetings that others in your department don’t want to. Over time, you build up your risk management expertise in your functional area before switching over to general risk. So you piggyback off your domain expertise into general risk management.
However, there’s a significant danger here.
Unlike the happy warrior who is probably dealing with organizational risk from an early stage, this approach requires you to become a risk management expert in your field first.
And the better you are at that, the harder it is to be seen as a risk management generalist. That’s partly because you’re reinforcing the idea that you’re a silo expert: Sophia from Tech Support is now a cyber risk expert. However, it’s also because the qualifications you pick up in the early stages will be specific to your function. Cyber is a good example of this because cyber risk management is often treated as entirely different from other forms of risk management. (Spoiler, it isn’t.)
However, you can take a wide and deep approach to avoid this issue. Become a deep expert in your field while also broadening your general risk management knowledge, possibly by employing elements of the Happy Warrior approach.
Of course, being a functional risk management expert is in itself a rewarding and challenging role, so you may not want to make the switch to general risk management. However, always try to maintain a broad, organizational view of risk to ensure that your function supports an ERM (enterprise risk management) approach and doesn’t become a silo.
Embrace the Dark Side: join a consultancy
The third route into risk management would be to start with a consulting firm and learn on the job there. This often requires experience or a degree in one area to get in the door, particularly with specialist firms. However, consulting is a specialization in its own right so, as you become more competent as a consultant, you will find other opportunities open to you. That means you can start with a general consulting firm, or one specializing in an area you’re already familiar with, before moving somewhere more risk-focused.
Many people (me, for example) will predominantly work as risk management consultants instead of in-house managers. So consulting can be something that is its own pathway to becoming a risk manager. Alternatively, you can jump from consultant to employee in some cases, but that’s often a matter of timing.
A brief window of opportunity
A successful move ‘in-house’ requires someone who can shift from being a consultant and become a corporate ‘type.’ Sadly, the longer you have been a consultant and the more set in your ways you are, the harder it can be to move into an internal role.
Nevertheless, there’s a mid-career sweet spot where you’re competent as both a consultant and as a risk manager, but still young enough to be seen as adaptable. That’s when you’ll often find clients inviting you to come in-house. But note that this window of opportunity is fleeting: the chances of going in-house as a consultant with 10 years’ experience are much higher than those of a 25-year veteran.
Don’t fake it till you make it
However, the consulting route’s big challenge is that consulting places a series of perverse incentives on those involved. One of the biggest is the idea that you fake it till you make it, working on the assumption that the client has a knowledge deficit, so anyone with slightly more knowledge can add value.
That’s not entirely wrong, but it doesn’t mean it’s good practice to put an inexperienced consultant into an engagement they aren’t ready for and expect them to make it up as they go. Unfortunately, that’s what many firms do. Rather than spend the time and effort training junior consultants and having them shadow someone more senior, many firms throw them in at the deep end, expecting them to wing it.
Learning on the job is hugely important and a great way to learn a craft (it’s what I did for years before I started my degree), but that shouldn’t be at the client’s expense.
So if you do want to take the consultant route, spend some time learning about a firm’s approach to training, education, and mentoring before you join. If you feel there is a good onboarding process and training regime, embracing The Dark Side and becoming a consultant is a great way to start.
What about trying all three?
Do you have to pick one route and stick to it? Absolutely not.
A very good friend of mine left the military and joined a consultancy, where we met. He was highly competent but inexperienced in the corporate world. However, after a short period of working together in a semi-mentoring capacity, he was successfully running his own portfolio. Dark Side embraced!
He then had the opportunity to move in-house and become the security risk manager for a client. That quickly morphed into more of a general risk and audit role, and he quickly moved up into the organization’s senior management. This change was partly piggybacking off his security risk management role, but he’s also a true happy warrior and was picking up risk-related tasks that the others weren’t.
A few years later, an opportunity arose for him to move into a very strategic, pure risk role at another large firm, which is where he is now.
So he started with no formal risk management experience, used consultancy to gain domain expertise, transitioned to an in-house functional risk role, piggybacked into a general risk role before finally moving into a pure risk role as a senior manager.
That took about 12-15 years, so it wasn’t fast, but you need to consider the amount you need to learn and master along the way.
I think this illustrates how your pathway to becoming a risk manager is a case of mixing and matching approaches to suit your circumstances.
Failure is still an option
I’d be remiss if I pretended that things were as simple as picking one of these strategies and *boom*: suddenly you’re a risk manager. These opportunities won’t always present themselves, and sometimes you get stuck where you are.
And the same biases that plague the workplace – gender, race, and age discrimination – are equally present in risk management. Moreover, these biases are amplified if you’re in a sector dominated by younger white men – IT – or old white men – security.
More perspectives = better risk management
As an OWM myself, I’m not going to tell a young woman of color how to overcome these barriers or tell someone how they should behave to get ahead. Removing the obstacles isn’t their job – that’s a job for managers, recruiters, and incumbents like me. And other than some basic rules we should all be able to agree on*, we need people to be themselves at work because we hired them for who they are and what they can be, not to make corporate clones. (*Practicing civility and kindness to each other and striving to do a good job are things I think we can all get behind.)
Moreover, this need for people to be themselves, and for teams to reflect society and all its differences, is vital in risk management. We need to see different perspectives, issues, and problems that won’t be obvious to a homogenous group.
A broad perspective allows you to understand your risk environment more clearly – particularly societal and reputational risks – and to communicate with stakeholders and communities more effectively. Without diversity and a range of opinions and experiences, you’ll miss a large part of the picture.
So the burden here is on the managers who hire people and senior professionals in the field. We need to remove barriers to entry, particularly when these are unrealistic expectations of prior experience or education. (We have to have some competencies to start in the field – say, analytical thinking, an ability to express our ideas on paper and in person, creativity and curiosity – but many people have these abilities when they leave high school or complete their undergrad degree. We shouldn’t require 10+ years of experience and an advanced degree or specialist diploma just to get started.)
Opportunities need to be created and taken
So, as well as the techniques I’ve outlined above – becoming a happy warrior, piggybacking off your domain expertise, or even taking the path to the Dark Side as a consultant – becoming a risk manager also relies on there being opportunities to make this switch.
That’s wholly on incumbents who are already in the industry who, instead of being gatekeepers restricting entry, need to be bridge builders, creating additional pathways into the profession.
So whether you are thinking about becoming a risk manager, or someone who can create opportunities for some fresh faces in the industry, I hope that this has given you some ideas, inspiration, and perhaps a way to chart a path forward.