Risk Management: a dive into the profession
Current labour market presents us with a lot of new professions. In the last 50 years not only new professions, but entire new clusters of jobs, new forms of education, new industries arrived.
This article will be of greatest interest for those beginning their professional career and looking to navigate through the job market and choose the right career path. I will be focusing on the fields of work you can choose as a risk management professional. At the beginning of a career it is difficult to choose the right education or certification because one does not know where it eventually leads.
Let’s first explore what type of work you may be interested in, and that will help narrowing down which education and certification to choose.
Given that I serve Insurance and Finance industry at this point in time, most of the areas will be focused around financial industry.
What Risk Management is?
Let’s jump to practicalities with right away, the definition you can find in Wikipedia.
For those of you who are at the beginning of your career or just choosing a career and you know you will be going into the business area you may benefit from looking at the financial statements of companies. In the USA, for example, businesses have to file Form 10-K - an annual report that describes the business in details.
The Form 10-K is an extensive document, required by the US Securities and Exchange Commission (SEC). Let’s check the 2018 Form for Apple Inc. - Apple Inc 10-K 2018.
In the very first part of it you can see the description of the Business and the second part - the Risk Factors.
Ultimately the description of the risks, reporting on them, managing on them and preventing them is the role of a Risk Manager. Notice – it comes as the SECOND ITEM in the Form and it is quite extensive, clearly it has great significance.
Not only for every cluster of risk, but for every single risk declared in the 10-K a company will have to have description, reporting, controls, mitigation and Key Risk Indicators set up and a lot of other supporting and reporting work completed.
Let’s look at the areas of Risk Management careers in which one you may be interested in.
1. Technology
Cybersecurity and tech risk management stand a little aside as a more specialized area. Cyber Risk professionals deal with company IT safety from internal and external parties. Mostly these jobs require degree in Computer Science and additional Cyber security certifications. Simply put this is an anti-hacker role. Some examples of Certifications include - CISSP, CISA, CRISC, FAIR, MBCP, CIA, CISM. Software requirements may include – CyberArk, IdentityIQ, Excel, Data Management and Data Science, reporting and visualization tools. Experience: Identity and Access management – IAM, programming, coding, IT security, IT compliance, PII management.
2. Finance
Financial risk management includes defining and managing any risks associated with financial activities. Some examples of these activities are: Anti-Money Laundering – ALM; liquidity, market, equity, finance risk management, SOC testing. Relevant certifications would include FRM and CPA, educational background is mostly in finance and accounting. Often professionals from audit and compliance move to risk management functions, the experience in two or all three becomes a strong asset for career growth.
In North America you may need to be familiar with institutions such as the Office of the Superintendent of Financial Institutions (OSFI) in Canada, the Federal Reserve Board (FRB) and Securities and Exchange Commission (SEC) in the USA. Risk Management professionals are involved in reporting, assessments, audits and investigations required by these institutions on behalf of the business. Risk Managers have to be familiar with the requirements of the regulatory bodies for their line of work – it is often a requirement for Risk Management roles to have had experience dealing with regulatory bodies.
3. Investments
Investment business by itself can be a source of high risk. All risk types mentioned in the Finance Risk Management are applicable to the Investment Risk Management. We are looking at Investment, wealth and asset management, Private Markets, Public Markets and other investment-related risk management business areas. This line of work usually requires an educational background in Finance, Accounting, Audit and experience working with various asset classes and investment products (example of complex investment products – derivatives, variable annuities, hedging).
If this area of Risk Management work speaks to you, I suggest you search though Investopedia – fabulous resource about investment and finance areas of business.
Work in this area of Risk Management is demanding in terms of reporting, speed of decision making and data management and aggregation.
4. Actuarial
Actuaries are insurance professionals. Insurance products require the business to perform Risk assessment, risk management and audits activities. Risk Management professionals who work within insurance directly with actuaries and actuarial lines of work usually come with actuarial education themselves or with major in mathematics. They look at various product risks, work in actuarial audit and have to have a comprehensive understanding of actuarial work and products. This area of risk management usually derives from actuarial work itself and cannot exist separately.
5. Audit and Compliance
Audit and Compliance are brother and sister of Risk Management, but deal more with higher level oversight. Often professionals from Audit and Compliance make a shift to Risk Management, though that usually happens after they get additional relevant credentials.
6. Risk modeling and data work
We can place those Risk Management professionals who look at the data for Risk Management functions in a separate category. They usually have a background in mathematics and Statistics (Ms of Finance, Ms of Quantitative Finance, etc). Their scope of work is usually global or across the enterprise. In many financial institutions this type of professionals are called Risk Management Data Scientists or Risk Management Analytics. They perform risk measurement, reporting, risk modeling (that involves coding), dashboard building. This area of the job market is currently in high demand.
7. Various Third Parties Risk Management
This type of Risk Management work may be embedded in all areas of risk management previously mentioned or can be a stand-alone risk management work. It leans more towards finance and legal functions and requires strong writing skills, experience in developing policies and procedures. For this type of work a degree in law may be helpful (in case if you did not pass the Bar exams for some reason, you can move to the Risk Management area where writing is essential, if interested, of course).
8. Physical and environmental Risk Management
Every industry will have their own set of risks, thus their own focus for risk management. Construction and engineering will look at physical and environmental risk areas. Health & Safety stands as an independent profession. There are also Risk Management professions specific to Healthcare industry that will demand more medical or epidemiological background. Environmental studies will have a lot of future with this type of risks.
Manufacturing related businesses will have to look at technological or industrial risks, as well as at production process and products risk of course. Some of those professional areas are called reliability engineering and stress testing, but this will be an entirely separate story.
9. Enterprise Risk Management
Enterprise Risk Management is a form of aggregate large-scale risk management work that targets the survival of an enterprise. Any of the risks from any of the above-mentioned areas may threaten an enterprise existence if got out of control. ERM professionals also look at global economic, geopolitical and social factors, natural disasters and large internal forces within the business that may affect its survival as a whole.
These teams often work across an organization with all other risk management teams and business layers and create aggregate risk management dashboards and reporting of high complexity.
Where can you study risk management?
Risk Management is an important activity of any business. Back in the day, working in risk management did not require a specific degree or form of education. That is why it was essential for professionals in that space to have credentials and certificates.
Yes, it does matter to have few letters appended to your name if you intend to build a career in Risk Management.
Traditionally, risk management professionals had bachelor and master degrees from fields directly related to the industries in which they were working. They hence had to achieve additional credentials/certificates and earn risk management titles.
Only in the last few years have universities established standardized risk management programs and degrees. Couple of schools that have done so include Rotman School of Management (Business School of the University of Toronto) and Haskayne Business School (Business School of the University of Calgary). Now, the educational market offers complete Master's degrees in Risk Management, and thus, things have become more streamlined in this profession.
Credentials and certifications
General certifications - will be helpful if you are looking to build your career within the Risk Management field in any business:
- CRM - Canadian Risk Management
- RMP - Risk Management Professional
Other risk management certifications include:
- CRMA - Certification in Risk Management Assurance
- CERA - Chartered Enterprise Risk Analyst
- FRM - Financial Risk Management
- RiIMS - Risk & Insurance Management Society Fellow
- SOA - Society Of Actuaries
- CPA - Accountants / Chartered Accountants
- ISACA - Information Systems audit and Control Association
- CISA - Certified Information Systems Auditor
- CISM - Certified Information Security Manager
- Enterprise Risk Management certifications
- Operational Risk Management certifications
This list is not exhaustive and there are many other certifications, most of them related to specific industries or business types.
Soft Skills for Risk Management professionals:
- Critical thinking and analysis: as a risk manager you pretty much have to be able to see what is not yet there and predict its probability and behavior. Super cool.
- Literacy in Data: understating of reporting, ability to tell a story from numbers, quantifying things, measuring them, in IT related work – to do coding, programming, data manipulation and modeling. It’s a new cool to be a geek.
- Negotiation and conflict resolution: Risk Managers have to perform training and education with the same business that they may need to put through audits and investigations. Tough love.
- Project Management: risk management processes, policies, frameworks and reporting undergo constant improvement and review, internal and external organizational environment are ever changing, thus it is a project management-based work. Roll up your sleeves.
Risk Management function works through 3 lines of defence (plenty of information available online - I will touch base a little):
1. First line of defence sits within the business functions: they own and manage the risk taken (they get the policies and procedures from the second line of defence)
2. Second line of defence is also called Operational Risk Management, those are actual risk management teams and compliance professionals. They develop Risk Management tools and procedures for the first line and oversee training and implementation.
3. Third line of defence is represented by independent parties, regulators and internal and external audit.
Metaphorically speaking – you and a Security Guard in your residential building are the first line of defence, the Head of Security and the Property Manager are the second, and the district government, the Police and the external property management audit are the third.
As I close these lines, I have hopefully provided you with an overview that will help you in your career choice. These insights are drawn from my years of professional experience working with various risk management functions. It is fun and a great learning opportunity to work with risk management professionals. I have felt throughout my experience working with them that they are very collaborative, open minded and good decision makers.
Remember: we spend one third of our lives at work, choose wisely – be happy.
Katerina
*** A special Thank You goes to Soni Nougtara for auditing this article for professional accuracy.