If you have been reading the Australian financial press in recent months, you would be forgiven for thinking that you’re reading excerpts of a horror novel. From financial advisers selling dodgy advice to unsuspecting customers to senior bankers misleading regulators, it’s the stuff of nightmares. Here in the UK, a research article published by the New City Agenda thinktank estimates that the cost of the payment protection insurance (PPI) misselling scandal has reached £37.3bn.
It begs the question – what role have risk and compliance managers played in the slow-motion unfolding of these scandals? Where were they when crucial decisions were made to intensify already aggressive sales targets? How did they neglect basic compliance checks and balances that would have identified flaws in record keeping requirements? Or, and this is a scarier proposition, did they raise issues only to have their reports ignored because “those risk guys are not thinking commercially”?
In my career of over 13 years in banking and consulting, it’s fair to say that I’ve seen it all – from true displays of courage by risk teams in the face of opposition to utter complacency from inexperienced staff. I’ve seen risk managers wanting to do the right thing, but being pressured to water down the outcome of a report so as to avoid remediation. Conversely, I’ve seen business managers engaging their risk managers to report as they see it so as to uncover any skeletons that might be hidden and expose them so that they can be remedied.
While overall organisational risk culture is a major determinant of whether people will inherently do the right thing, there are general traits that can be observed in divisions of companies that are able to successfully navigate the need for adequate commercial return while operating within an appropriate risk appetite:
- Risk managers are naturally engaged with their business stakeholders and are proactive
- Risk managers are engaged early by their pragmatic business manager/s
- Risk managers are highly experienced and understand the complexities of a specific product class vis-à-vis the regulations and requirements that underpin it
- Risk managers deliver the tough messages without wavering
- Risk managers have the fortitude to major on the majors, and minor on the minors, presenting pragmatic solutions to any issues raised based on severity
I would argue that hiring and/or retaining the right risk talent is crucial for overall organisational success. A good risk manager not only knows how to articulate risk in a way that is understood and accepted by their stakeholders, but also influences and embeds the right behaviours and actions through human-centric processes, controls, supervision and guidance.
So, the choice is obvious – hire and retain risk talent that is fit for purpose for the job needed to be accomplished, or take a risk with hiring or retaining risky talent, where the outcomes are as vague as the process of getting there?