(This article is drawn
from my presentation to the Seattle Chapter of the Risk & Insurance Management
Society, March 15, 2004. It repeats many themes familiar to my readers.)
What are the skills
we need in the future? I heard this question twice in the past eight months,
first from a parent of a junior enrolled in a sailing program in Tenants
Harbor, Maine, and later from a risk manager in Seattle, Washington. The
answer, I think, is found not so much in specific skills as in aptitudes.
Take sailing, for
example. The skills that we teach and that are required to handle a small
boat successfully in various types of weather and sea conditions include
being able to swim, knowing the parts of a boat, and its rigging, understanding
how sails work, sailing a boat both upwind and downwind, knowing what
to do in the event of a person overboard or a capsize, leaving and returning
from docks and mooring, tying the correct knots and understanding weather,
tides and currents. These are specific and necessary skills that are easily
taught. More important, however, are the aptitudes that serve as the foundation
for these skills. Independence is the first: the willingness to step out
on your own. Patience is the second: understanding that a sailboat cannot
go directly upwind, nor can it move when there is no wind. And third is
teamwork: sailing and racing a small boat requires exquisite timing and
cooperation in order to do well. Without these three aptitudes, a sailor
literally may be at sea.
My sailing analogy
applies equally to the discipline of risk management. Again, independence
comes first. In its current evolution as an integrated and strategic process
throughout any enterprise, its "champion" and guide must be independent
of conventional staff and operating functions. Too many organizations
attempt to force risk management into finance where it becomes both dependent
and restricted. Independence begins with a fresh and broader view of "risk"
itself. It is not, as too many safety, finance and insurance practitioners
construe it, merely a "chance of loss." It must be viewed as encompassing
the unexpected, both favorable and unfavorable. Risk is "a measure of
the possibility of unexpected outcomes." Under this definition risk management
becomes "a discipline for dealing with uncertainty," a far more strategic
approach than as construed by the narrow confines of finance, insurance,
safety, quality control, and business recovery planning. Risk management
independence thus requires a leader who has a direct reporting relationship
to both the CEO and the organization’s governing board. Only in this way
can that leader raise unpopular and even dangerous risk issues, those
risk issues that are truly material to the future of the organization.
As an example, the
most pressing current issue is that of excessive executive compensation.
Too many organizations have allowed their senior management reward systems
to skyrocket out of control, to obscene levels. CEOs are naturally unwilling
to take action and compliant boards exacerbate the problem. The result:
regulators, shareholders and stakeholders lose confidence in management.
We need chief risk officers who are both able and willing to address these
and similar larger strategic issues and who, at the same time, can present
these issues intelligently and dispassionately to critical board committees.
Otherwise, we will continue to focus on relatively minor risks to the
exclusion of those that materially affect our futures. As David Godfrey,
the CRO for Swiss Reinsurance Company, said recently, "And from time to
time you (the CRO) need the ability to say, ´I´m sorry, but I don’t agree
with what you say.´ If you (the CRO) only report to the CEO, it’s very
difficult to go beyond that in order to express disagreement, if the channels
aren’t there already to do so." (See "ERM, Operational Risk and Risk Management
Evolution," in GARP Risk Review, March/April 2004)
The Economist stated
the issue of trust and independence most succinctly in its April 22, 2000
issue (I quoted it earlier in RMR April 2001): "There may be two good
reasons for companies to worry about ethical behavior. One is anticipation:
bad behavior, once it stirs up a public fuss, may provoke legislation
that companies will find more irksome than self-restraint. The other,
more crucial, is trust. A company that is not trusted by its employees,
partners and customers will suffer."
Independence of risk
management is necessary to permit and stimulate both strategic perspective
and the courage to speak out when required. It is an aptitude that transcends
My second aptitude,
drawn from sailing, is patience. When the wind isn’t favorable, you may
have to anchor and wait for it to change. The Chinese for centuries used
bamboo as a comparable example. In a storm the bamboo shaft bends but
doesn’t break, springing back to its normal position when the winds subside.
Patience implies a long-term view of an organization and its future. One
of the most pernicious current problems is the overfocus, even paranoia,
on “shareholder value” and near-term stock prices. We have succumbed to
a mass frenzy trying to outdo each other in managed earnings and artificial
stimulation of the daily prices posted in New York, London, Frankfurt
and Sydney. The patient CRO understands the long-view of an organization’s
responsibility to its stakeholders, including shareholders, one that may
reach out as far as twenty to thirty years. Patience means revising the
goal of risk management (and the organization itself) to "building and
maintaining stakeholder confidence." "Shareholder value" is but a piece
of this equation, with all respect to the University of Chicago theories
of economic practice.
If a CRO accepts
this basic thesis, then it follows that the three basic objectives of
risk management must be:
Communicating the nature of risks, both favorable and unfavorable, with
stakeholders, and their responses, to enhance the support of these groups
for the organization.
Building an internal and external flexibility so that the organization
can respond to whatever unexpected event may occur, and in many cases
actually taking advantage of a downside event to improve market position.
Countering the prevailing over-focus on the short-term. Here Peter Schwartz’s
The Art of the Long View (Doubleday, 1991) remains one of the best expositions
of long-term perspective.
Patience, however, has an Achilles Heel. Most of the prevailing metrics for measuring the
success or failure of a risk management function are cast in short-term numbers. VaR is
one of these, and it, similar to many others, is flawed. No one has yet developed a
consistent and accepted metric for measuring the longer-term results of risk management.
We need one and we may be condemned to the short-term until and unless we can create a
My third aptitude
is teamwork. Because tactical risk management embodies so many different
skills, it makes good sense for its practitioners to reach out and try
and understand the problems and solutions of others. While we are making
some progress within organizations toward breaking down the artificial
barriers that kept us from communicating with one another, too many of
our major associations of risk management players continue to operate
behind impregnable fortresses. Most are unable, even unwilling, to bring
representatives of their counterpart groups to their annual conferences
and local chapter meetings. The result is an appalling lack of knowledge
of the work of others. Last December, I asked an audience of some 40 members
of the Society for Risk Analysis how many had even heard of GARP, PRMIA
or RIMS. Two hands were raised. I questioned registrants at the February
2004 GARP meeting: few had heard of SRA or RIMS. Then, at a RIMS chapter
meeting in Seattle in March, I asked the same question of over 100 registrants.
Only one was also a member of GARP; none were members of PRMIA or SRA.
Many members of one association had not even heard of the other groups.
This is the worst sort of parochialism.
Many specialist skills are required for risk analysis, the first step in the process (the
identification of possible unexpected events; their measurement in terms of likelihood,
timing, consequences and public perception; and their assessment relative to an
organization’s objectives). They include scenario analysis, quantitative and probabilistic
analysis, actuarial science, data management, knowledge of the law, econometric modeling,
intuition and the use of heuristics, and, of course, the value of experience. Similarly,
another set of skills is employed in risk response, the second step in the process (controls
adopted to balance upside and downside risk; measuring and monitoring performance; and
communicating with stakeholders). These skills include knowledge of safety and quality
systems (Six Sigma), audit and accounting controls, environmental controls, behavioral
economics (financial incentives and penalties), contingency and crisis management
(business recovery planning), and financing (credit, derivatives, hedging, pooling, use of
capital markets, insurance and claims management). It is too much to ask any one person
to be fully conversant and expert in all these fields. This makes teamwork the mandatory
aptitude. It is high time that the IIA, GARP, PRMIA, RMA, CAS/SOA, SRA,
RIMS/IFRIMA and ASSE, among others, cease their guild-like restrictiveness and reach
out to their counterparts, expanding the scope of our discipline.
The Swiss Re’s David
Bothwell addressed the question of skills in a similar fashion: “They
(risk officers) have to have skills that are seen to be relevant and at
a high level. They have to be seen to be balanced, to look at the total
picture, assessing the opportunity which the deal-doer is telling you
is the greatest thing since sliced bread, . . . while at the same time
balancing that with the broader picture. Risk managers have to be able
to articulate well their reasoning for a particular position or view-point
. . . . Risk managers have to be consistent – or they will lose respect
. . . . But in the final analysis, they ultimately have to be prepared
to stand up and say no.”
The major challenge
for any risk management team is the prevailing failure to communicate
intelligently and coherently with all of our stakeholder groups. Last
month (April 2004), I described the Bank of Montreal’s exceptional eight-page
description of its internal risk management program. Too few organizations
attempt even this. I know of no organization that employs a consistent
and effective continuing two-way dialogue with its stakeholder groups
on its analysis of risks and its responses. Perhaps improved teamwork
among the existing risk management groups can develop a better means of
are a critical part of the teamwork equation. More are beginning to stretch
their formerly narrow programs (finance; insurance; public policy; engineering)
to incorporate ideas and methods from the other sub-disciplines. I hope
that many of the association-run certification programs will also acknowledge
their competitors and expand their curricula to include, as least nominally,
other ideas and techniques.
Independence, patience and teamwork are three critical aptitudes for those who purport
to practice this evolving discipline of risk management. Within them one can develop
other technical skills; without them, these skills are meaningless.
But in adulthood, you’ll find that a talent for regurgitating what superiors want to hear
will take you only halfway up the ladder, and then you’ll stop there. The people who
succeed most spectacularly, on the other hand, often had low grades. They are not
prudential. They venture out and thrive where there is no supervision, where there are no
preset requirements. (What matters are) your perseverance, imagination and
David Brooks, "Stressed for Success?", The New York Times,
April 4, 2004