A Day in the Life of a Risk Manager
For a typical first line Risk Manager, the majority of his or her days are punctuated by the occurrence of incidents. Starting the day around 9am, risk incidents or events – different banks will assign different terminologies – drive much of what a Risk Manager will do on a day-to-day basis.
The hours a Risk Manager keeps can be as generic as the typical ‘9 to 5’, or 9am-6pm in the case of Risk and Control Professional, Krish Lalwani, based in Hong Kong; although he explains it all depends on whether you are regional or providing local coverage, which country you’re in, who you’re working for and whether you’re managing projects globally and so on. Generic as the hours can be, the work itself is not.
Speaking to Lalwani, it is important to understand that not all risk incidents require the same extent of action. “The role of a Risk Manager is not just to manage operational events; we are here to prevent it. Some of the events might be near-misses, some might equate to operational losses,” explains Lalwani. Near-misses of course do not result in the same financial impact as an actual loss, however, if there is a regular recurrence of similar events, the Risk Manager will perform a root cause analysis to determine if there are any systemic issues in the business processes. In the instance of a loss event, the Risk Manager will have to escalate the incident as per the bank’s policy and refer to the right stakeholders within the bank. “Smaller amounts we can just write off, but bigger amounts might require escalation,” explains Lalwani, “so depending on the amount of loss we may have to escalate to senior management, and also to the compliance team as there may be a regulatory impact.”
Following escalation, the next step is remediation. The Risk Manager will work with the business to strategise and implement an action plan to remediate the issue so as to prevent it from reoccurring again in the future. Part of this is helping the business to conduct their RCSA (Risk Control Self-Assessment), something a first line Risk Manager is responsible for as a key partner to the business.
Working in risk on the first line of defence, it is necessary for the Risk Manager to understand what the key risks are that the business is facing currently. Then once those risks are identified they must assess whether any controls were in place and whether they’re effective enough to manage the risk. “Then we assess whether the risk impact is high, medium or low,” says Lalwani. “Different businesses work with different risks and ultimately it comes down to a cost vs benefit decision as to whether the business will do anything to remediate a high impact risk or accept it if the cost of remediation is too great.”
Accepting the risk generates paperwork and the need for relevant approvals, but if the choice is taken to invest in remediation, the Risk Manager is tasked with drawing up action plans for the business to implement.
The final stage of the assessment will see the Risk Manager laying out some key risk indicators, which are designed to monitor the levels of risk to the business on a regular basis.
“On a monthly basis we will also attend risk management forums with key business heads,” says Lalwani, “where we discuss risk performance for the past month, accounting for number of incidents, number of near-misses and losses, any changes to key risks, any key initiatives or projects and so on.” These forums present an opportunity for management to review the key risks they’re facing and for Risk Managers to facilitate an action plan to help the business manage their risk.
The business will come to the Risk Manager for advice and guidance on the application of risk frameworks, which sees those working in risk management needing to be well-read in company policy. Any changes to policy may give way to necessary training as the risk management team advises the business to act in accordance with the prescribed changes.
A Risk Manager’s role will also involve some control testing, performing assurance reviews and involvement of internal audit as they ensure all controls and processes are working as they should. Challenges from the internal audit team will direct the Risk Manager to collaborate with the business on how to handle the audit so as to provide the right information to assist the internal auditors.
“The job of Risk Manager is definitely exciting,” says Lalwani. “You are critical to helping the business minimise the impact of the incidents that are occurring all day long and people are appreciative of your efforts; that’s the beauty of the role.”