Friday, July 4, 2008

Risks Of Sound Risk Management – Part 1

It has been slight over a month since I last wrote my 99th article. As I pondered the subject of my 100th article, I agonized over the topic that would grace the 100th writing, as I thought that the number symbolized something special. During my pondering, I realized that there is nothing significant in the number itself. Although we tend to hear the centennial being a major milestone – such as the 100th episode of a long running TV show, the first 100 days of the Presidency, etc. – its significance has largely lost its meaning in the today’s “do it now” society where a story that occurred more than a week ago is no longer news but trivia.

This is also true in the realm of business where “what have you done for me lately?” attitude is prevalent. In this environment of corporate upheaval, continual job cuts, economic uncertainty, and senior management lost in a myopic miasma of “try everything to stem losses” school of management, the risk managers are especially in dangerous waters as they have to try to bring reason and sanity to the this corporate environment.

As a risk manager, I have always practiced the following rules:

1. Never compromise my integrity. This means that that while the allure of the brass ring is tempting, a risk manager’s responsibility is directed to ensuring that the organization is abiding by all requirements as set forth by law, regulations, and its own policies and procedures. Staying your course in not compromising one’s integrity does not win you any favors with those who cut corners and operate openly in the interpretive gray areas. However, the risk manager is charged with the sacrosanct responsibility of being the beacon of rationality in face of blind greed.

2. Don’t sugar coat the truth. In the corporate world, the managers are in their position for a reason. They should be mature enough to accept the facts and consequences of the facts without the need for circumlocution. However, good business practice is to recommend choice of action plans to the manager. This way, the risk factors are properly “actioned” and potential losses minimized or even mitigated.

3. Watch out for unscrupulous managers. This is difficult to do, as most of these managers will not be transparent in their mendacity. However, if they arrived at their station by trickery or deception, then these unscrupulous individuals, who fear being caught by a diligent risk manager, will make the risk manager’s job difficult. Knowing this, tread cautiously as these people may have supporters in upper management.

4. Incompetence is throughout, so don’t be too efficient. Now, this seems counterintuitive and possibly a contortion of logic. However, this is a vital point that most risk managers fail to keep in mind, including yours truly. By incompetence, I mean those individuals whose job functions are antitheses to organizational profitability but perform them very well, to the detriment of the organization. The saddest aspects of incompetence come when an entire unit is happily doing work that other unit/units will have to undo.

When joining an organization, one is given a grand overview of the organization’s principals. This is especially true when joining a Fortune 50 company or an elite financial institution. However, a risk manager needs to realize that there are people of incompetence in all organization, even in the best organization. And the incompetence exists at the top. Take the case of Charles Prince of Citigroup when he uttered the now infamous statement: “As long as the music is playing, you’ve got to get up and dance,” In the immortal words of Dr. Seuss, Mr. Prince “said what he meant and meant what he said.” He honestly believed in his statement and stuck with it, even in the face of blatant fact to the contrary.

So, what is a risk manager to do? Firstly, don’t be a hero. A risk manager or a team of risk managers cannot fix such a process. Those who try are labeled Don Quixote or even worse. At best, the risk manager’s effectiveness is questioned. Now, this was very difficult for me to turn a blind eye to a group that cost millions in operational cost to the firm and it cost me my job. While I do not regret my actions, as I followed my first rule of never compromising my integrity, I caution other risk managers to seriously weigh their personal financial risks and rewards before acting against established incompetence.

5. Add value using dollars and sense (practical sense). Corporations toss around “value-added” a lot in their stated principals. This is also true in their risk management units. However, most people do not truly understand what “value-added” means or even how to enact it. Presenting a month-old risk report to senior management is not “value-added.” Rather, it is value lost, as numerous highly paid managers are forced to attend an hour-long meeting to comply with Basel II accord. Any action taken post event is not valued-added.

The value addition comes from two main practices: (a) concrete and practical preventative action plans that the business can implement and (b) identifying process improvements that reallocates existing workforce to a more effective (and profitable) use within the organization.

I will follow up later on these points; after all, I do want a rapt audience. So, enjoy the weekend and look forward to more insights and risk analyses.

Ed Kim
Practical Risk Manager

Sphere: Related Content