David Tattam at Protecht explains why effective chief risk officers need to think several moves ahead and outlines the seven steps that will help them.
In today’s business world, a growing number of new Chief Executive Officers (CEOs) are coming up from the rank of Chief Risk Officer (CRO), which is no coincidence. Not only does the role of CRO require intricate knowledge of both a business and the sector it operates in, but also the ability to anticipate the unknown, plan for a wide range of scenarios, and know exactly when (and where) changes are required.
The parallels between the two roles are obvious, which explains why more CROs are making the transition.
In many ways, the best CROs resemble chess masters, always thinking several moves ahead. While chess masters may not know exactly what their opponent will do, looking closely at the board will always yield clues as to their intent, which can be used to formulate a counter-strategy. The earlier this is put into action, the more effective it can be.
The same goes for risk management. While it may be impossible to see into the future, there are nearly always signs that point to the most likely outcome as well as the potential range of outcomes. Effective risk managers identify these signs as early as possible and react accordingly to mitigate potential issues. On the other hand, failure to spot these signs until it’s too late can be very damaging, and potentially even catastrophic.
A great example is the recent fate of Silicon Valley Bank (SVB). While the speed and severity of interest rate rises took many US banks by surprise, the combination of historically low rates and spiralling inflation meant the rises were largely predictable.
Consequently, SVB’s over-exposure to longer-term government bonds could have (and should have) been picked up by risk management processes long before it led to the bank’s downfall. While the dust is yet to settle on the SVB collapse, many experts are already pointing to the bank’s poor, almost non-existent approach to risk management as a key factor in its demise.
An effective risk management framework
Of course, planning ahead in this manner takes significant time and resources. In order to do so, CROs need to have the right processes and people in place to take care of the day-to-day responsibilities that would otherwise consume the majority of their time and headspace.
Typically, this starts with putting an effective risk management framework in place that empowers everyone in the business to become more attuned to risk. First, they need to identify the key building blocks of a good risk management framework that produces reliable risk information.
Below are the seven building blocks of an effective risk management framework.
1. Identify objectives and critical processes
Risk is the effect of uncertainty on objectives, so a good risk framework starts with identifying your operational and strategic objectives, together with the critical processes and projects that need to be successfully operated and completed to deliver on those objectives.
2. List key risks to the achievement of the objectives
A comprehensive identification of the key risks to the objectives, linked to a strong risk categorisation/taxonomy, allows employees to aggregate risk up to the highest levels of the board when required, using the risk information readily available to them underneath.
3. Conduct regular risk assessments
Regular risk assessments help businesses to identify any new risks faced, together with the key controls needed to mitigate them.
4. Periodically assess control effectiveness
Once the key controls have been identified, the next step is to conduct periodic control effectiveness assessments. Doing so enables CROs to accurately assess how effectively existing controls are being used in real-world scenarios and adapt them accordingly.
5. Continuously collect risk metrics (key risk indicators)
Risk assessments aren’t particularly dynamic in nature, so risk metrics (key risk indicators), particularly leading metrics, should also be continuously collected, analysed and reported. This helps CROs maintain a more up-to-date and dynamic view of the risks and the key controls currently in place.
6. Maintain accurate records of past incidents
Learning from past mistakes is a crucial part of risk management. Keeping an accurate record of past incidents helps CROs understand what has gone wrong previously and how it was resolved. This way, should similar incidents arise, they will be much easier to deal with.
7. Identify control gaps
The combination of all the previous steps can help CROs identify areas of existing risk processes that they aren’t happy with. These are known as control gaps and, once identified, they can be addressed accordingly, helping the business’s overall risk posture become stronger as a result.
Once all of this information has been collected, it needs to be consolidated into a single view, an integrated dynamic risk profile, that enables all risk professionals (and wider business personnel) to quickly get a snapshot of the risks faced across the business at any given time.
Fortunately, there are numerous technology tools and platforms available today that can be used to bring this risk information to life in highly visual ways that are easy to understand at a single glance. Should the need arise, it can also be used to update and inform third-party experts, rapidly bringing them up to speed in times of crisis.
As recent high-profile cases have shown, risk management has never been more important than it is today. Much like a chess master, effective CROs know that the best risk management isn’t about reacting to the here and now, but studying all the pieces on the board, spotting threats early, and planning ahead to mitigate the danger they pose.
Doing so isn’t a one-man/woman job either. It starts with putting an effective risk framework in place and building an organisation-wide team of people who share the risk burden, enabling CROs to focus on what’s around the corner.
Silicon Valley Bank is just one example of a business that could have been saved by better risk management. Don’t let yours be next.
David Tattam, Chief Research & Content Officer and co-founder of Protecht
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543