I received an email a few years ago from someone just getting started in risk management asking if I had any thoughts or advice on the risk management skills they needed. The response quickly became several pages long and I thought it was worth turning it into a blog piece that others might benefit from. So here are 10 considerations for new risk managers (although this could also be titled ‘Letter to a 30-year old me’ or a 40-year old me.)
Beginning any career or specialist field can be daunting and getting started in risk management is no different. There are many challenges out there and some will continue to crop up as long as you are practicing risk management. Here, in no particular order, are 10 considerations for new risk managers: skills or abilities you should look to develop as you embark on your career as a risk manager.
1. Identify the differences between theory and practice
Most people have some kind of theoretical training before they get their start in risk management. Even someone who has been a practitioner should formalize their knowledge and skills before taking on a risk manager role. This is the approach I took and I found that I gained a great deal from some formal study. However, now that your technical risk management skills are in place, you will quickly discover that there are big differences between theory and practice. One of the first things you have to do is figure these differences out.
How theory is interpreted
There will always be some differences between risk theory / regulatory structures and what things look like in reality, even in highly regulated industries. This could be as simple as using different terminology for a group (e.g. is the risk committee called something else?) or as significant as using a different methodology for assessing risks.
These changes are necessary to ensure that the theory or regulation can be applied effectively within the organization. Most standards and guidance documents will include words to the effect that organizations can adapt the standard as long as they adhere to the central tenets.
This will usually result in the organization creating some kind of risk management policy and procedure explaining how risk management is managed in practice. These documents translate the theory into practical steps and will act as your day-to-day guidance for what you need to do.
Think of this as how the theory is interpreted.
How theory is applied
Even if the theory or standard has been adopted without alteration, you need to understand what this looks like in practice. How is a risk assessment conducted? How does the risk committee meet? What is the format for the risk register? These are all things that you need to understand.
Sometimes there will be differences in procedures within the organization and some departments may apply the guidelines differently. There may be good reasons for this. For example, a department may have to follow a specific regulation. This can make it difficult to get a clear picture of how risk management is really practiced. Nevertheless, you need to understand what the day-to-day system looks like.
Think of this as how the theory is applied.
Mind the gap(s)
Once you understand how the theory is interpreted and applied, you will be able to operate within the organization’s risk management system. You can also put your theoretical risk management skills and knowledge to better use. Now you can relate your theoretical knowledge to the practical, day-to-day risk activities in your organization.
Always keep the theoretical in mind. Sometimes rules are adapted or interpreted in such a way that they diverge from the intent of the theory or regulation. You are in a good position to spot any gaps between theory and practice as your knowledge is still fresh.
Remember that things change
Remember, theories are amended and regulations get updated, so keep educating yourself. Stay up to date on developments in the field, particularly as they apply to your sector. This will help you maintain a good sense of the theory as a touchstone you can always refer to.
2. Get to know your organization and industry
Read as much as you can about your organization and try to conduct your own personal ‘tour of the business.’ This helps you get to know how the organization works and you can then apply this to your role. For example, you will start to see where a rule or regulation might place undue pressure on a specific part of the business. Others might be required to change their work practices to comply. Going back to point #1 above, this will help you see how the regulations are applied, to spot gaps and to make suggestions.
To learn about the business, just try asking people something along the lines of
“I’m keen to learn my way around the organization. Can I have 15 minutes of your time to understand what it is you and your department do?”
Even if you aren’t able or feel comfortable walking into someone’s office to try to set this up, you can often grab people after a meeting and ask them for a few minutes of their time.
I have found people to be incredibly generous with their time and have benefited from hours and hours of one-on-one tuition in everything from deep water drilling to pharmaceutical trials just by asking someone for a 15-minute chat over coffee. It’s much easier to say you don’t understand something when you are just starting, so take advantage of being ‘new’ to the business. That said, you should never be afraid to say that you don’t understand something, even if you have been around a business for a while.
This is also a great way to practice asking good questions and listening, which I think are critical risk management skills (see #9 below).
3. Ask ‘why?’ a lot (even if you have to keep it to yourself to start with)
To really understand a process, I think it’s useful to ask ‘why are we doing it like this?’ So rather than just following the process from A through Z, try to understand why things are the way they are. That helps you really understand the overall intent and differentiate between steps that may seem similar but have significantly different purposes.
For example, there may be two notifications to be made once an activity is complete. One of these may be for internal audit whereas the other might be a mandatory external reporting requirement. Both are important, but the implications of missing the second step would be more significant.
Another reason to ask ‘why?’ is that you can find ways to make processes more effective. You might find that some steps are there because of outdated practices or old systems that have since been phased out. You don’t have to suggest widespread changes on your first day in the organization, but there will be opportunities to suggest improvements along the way.
I appreciate that this can be hard to do when you’re just starting out. Coming in hot on day one might ruffle feathers, and we all feel exposed when we have to admit we don’t understand something. However, understanding why systems operate the way that they do helps determine why previous errors have occurred or spot potential breaches in the future.
And remember, you bring a fresh, objective perspective to things which those who have lived with the system for years don’t have.
4. It’s not just about compliance and regulatory risk
Organizations face a wide range of threats on top of those that arise from a regulatory breach. Changes in the economy can threaten the organization’s business if the client base dries up. Bad behavior by senior executives can harm an organization’s reputation. Compromising your customer information will have both legal and reputational consequences.
Whatever your specific risk management specialty, you should try to maintain as broad a view of the risks your organization faces as possible. If you keep asking ‘so what?’ you might spot threats that would otherwise be overlooked.
5. Learn to speak money
Know how everything in the business is valued. Be able to explain things in dollars and cents. Know what a unit of time costs so you can understand the trade-off between
With very few exceptions, what happens in an organization comes down to money. Even if you think in terms of time or resources, these still equate to salaries and costs. Being able to think in dollars, euros, dinars or pesos allows you to understand how risks can impact the business and what the costs of mitigation are.
Remember that despite any other metrics tracked, businesses are judged on their short-term financial performance. Even complying with regulation can come down to a financial decision.
I have watched companies pay a fine of hundreds of thousands of dollars rather than incur the greater expense required to make changes to comply with a law. Such is the power of the quarterly earnings call.
6. Be data / fact driven and objective (until you need to be subjective)
Have the facts at hand to back up whatever you are saying or advising. This could be a set of guidelines, internal data or a set of observations collected in interviews. This also includes having well-defined levels for risk appetite and risk tolerance, which can be used as benchmarks.
Facts and an objective approach help strengthen your argument but also de-personalize things. This way, you can have a robust discussion with others, but it is the facts that are disputed, not someone’s opinion.
There is a time and place for subjectivity, but I think that starting with a set of objective data points is key for the risk manager. You can think of this mix of data and gut feeling as informed intuition.
“I like to be really data-driven, but I don’t ignore the human instinct element of it. For me, my process is, a lot of times, roll around in the data, get to know it and really understand it really well, and then make a gut-based call, which is often supported by data and a lot of hard-to-articulate factors as well.”
Marissa Mayer on the ‘Masters of Scale’ podcast with Reid Hoffman
7. Think about what you will do when you are asked to change an assessment
As a risk manager, you will often be the bearer of bad news. Either there’s a problem that you’ve uncovered or you found an activity that exceeds the agreed levels of risk tolerance and needs to be stopped.
In these cases, you may find yourself under enormous pressure to make changes to soften things. In the worst-case scenario, you might be asked to ignore things altogether. These requests are often very subtle, and a small omission or tweak by itself might not mean much. However, if you allow lots of omissions or soften all your assessments, you end up with a system that’s ineffective.
This is when being data driven is very useful. It’s much harder to change things that arise from data, observations and empirical findings compared to anything that is more subjective.
I won’t pretend that doing the right thing is simple – if it were, I don’t think Wells Fargo would have had the problems that they did a few years back. It can be really hard, especially when you are just starting out!
Of all the risk management skills, this might be the hardest to master. All I can advise is to judge each situation as it comes and do what you feel is right. You may have to pick your battles but be careful not to start overlooking small things because this can make it difficult to take a stand later. You have to be able to look yourself in the eye when you brush your teeth each morning. If you can’t, you probably aren’t doing the right thing.
But, whatever you do, keep a note of your work and have a written backup of what you advise, suggest and submit.
If you are uncomfortable with a recommended change, get that in writing. Either ask for a written amendment or send a polite follow-up email after the meeting. E.g. ‘I just wanted to confirm the key changes requested on the XYZ report…’ Just make sure you aren’t the last one left standing when the music stops.
Finally, remember that in all but the most exceptional of organizations, if your assessments don’t make people slightly uncomfortable, then you aren’t digging deep enough. The risk assessment report shouldn’t be a comfort blanket telling people what they are doing right. It’s there to tell them what is threatening their organization. You are supposed to be telling them what’s wrong so they can fix it.
This doesn’t mean you need to be confrontational, just honest.
8. Remember, risk is a support function
It can be easy to forget that our own role isn’t the most important thing in a business, especially for something as important as risk management. Nevertheless, we are still in a support role. Keep your eye on the organization’s overall objectives and ensure that you are supporting these with your work.
Learn how to negotiate, build alliances, cooperate and compromise with other functions and departments. This will help you fulfill your role when there are additional pressures or limitations. Also, remember point #5 – learn to speak money. Keep reminding yourself of the financial implications of what you are doing.
9. Soft skills are risk management skills too
Quick – what’s the most important risk management skill? Being an Excel whiz? Great at math? A love of detail? A passion for checklists? What about being a good listener?
If you aren’t a good listener, you’ll miss the key piece of data that explains why something isn’t working. You’ll ignore that all-important pause before someone answers a hard question. You won’t pick up that you are getting ‘canned’ answers and aren’t getting a realistic picture of things.
Being an effective risk manager requires you to mix softer skills alongside your technical risk management skills. Good interpersonal skills, problem solving and imagination are critical ‘softer’ skills. These skills develop as your emotional intelligence grows but start working on these as early as possible.
Risk management is so much more than simply being the ‘regulations police.’ There are creative ways to mitigate risks but you won’t find them without these soft skills.
10. Finally, seek out the things that inspire you
No matter what stage you are at in life or your career, as a risk manager, you have the opportunity to do all kinds of interesting things. You will be involved in important decisions to make your organization more effective, stay ‘on the straight and narrow’ and help the people you serve.
And you have a pretty wide remit.
Risk management covers everything in an organization: every location, every function and every activity. You have an excuse to noodle around and learn, developing and expanding your risk manager skills along the way. This will make your day-to-day work more interesting, and you can start to focus on the areas that interest you most.
Want to make a better CDO? Interested in mitigating kidnapping risk? Attracted to the challenges of managing reputational risk? Each of these is very different but they all require a solid understanding of risk management principles to do well.
I’ve been a risk manager for over 15 (now almost 20) years and am still being challenged by the range of what falls under ‘risk management’. I love picking apart a problem, trying to work out the root cause or solve an issue. I’m grateful I can sit with senior executives from all kinds of different organizations and learn about their businesses. I learn something new with every client engagement or project and am continually developing my risk management skills. However, there is still a huge amount that I don’t know and unexpected areas of knowledge to explore.
I won’t pretend that there isn’t also a lot of stress with some engagements. Wading through a new regulation can be a dull way to spend an evening or weekend (even though part of me enjoys it). Thankfully, there are multiple paths available to you, one of which will ignite an enthusiasm and passion which you can bring to your role. This will more than make up for having to wade your way through that next set of audit reports!
Note – this is a revised version of the original post from 2019