
Is it time to rethink your enterprise risk management staffing?

Data management is an emerging specialty in most financial services companies, including community banks, and a mature ERM function for effective use of data requires the right approach to recruitment and staffing.

We’ve all heard the statement “you cannot manage what you cannot measure.” Chief risk officers and other professionals working in enterprise risk management (ERM) cannot provide oversight of business activities and risks they cannot measure. This poses a challenge when the scope of activities under their leadership is increasing. Data governance, model governance and risk scenarios are all in scope for risk management functions, and their effective delivery requires specialized skills.

The ERM function is expected to identify and monitor risk exposures across the enterprise, identify the amount of risk the institution has in each exposure and ensure that risk-taking activities do not exceed the company’s risk appetite. To achieve that mandate, an ERM team needs to capture the appetite for risk as well as the board-approved tolerances and limits used to measure that appetite. 

To achieve those goals, ERM is responsible for gathering, aggregating, and reporting on data used to establish the risk profile of the institution. ERM teams identify and capture the quantitative and qualitative data that serves as an early warning when the institution approaches its established limits. The value of ERM is in the early warning it provides.  

Data demands emerge in two similar but distinct ways. The ERM team uses and analyzes available data from around the institution and data sourced and analyzed by various first-line functions. The risk professionals reporting to the executive team and board need assurance that the data they are analyzing and reporting has been sourced and evaluated with skill and integrity. If the data quality is not there, the ERM team needs the skill set to recognize and act on the data limitations.   

Often, the number and nature of risk management activities are out of alignment with ERM staffing, and risk professionals struggle to keep up. Risk professionals commonly find that their day-to-day activities and accountabilities are not specifically articulated in their job descriptions. As a result, ERM skill sets may not match the actual role requirements. This mismatch is happening more and more frequently around activities related to data management, data analysis and management reporting.  

The default approach to ERM staffing tends to be heavily weighted toward recruiting individuals from operations or auditing. An operations or auditing background is often useful for operational risk management, but those skill sets alone do not meet the needs of today’s ERM leaders. 

Data management and reporting, then, become critical features of ERM value creation. They have also become key focuses for regulatory authorities: in 2020, the Office of the Comptroller of the Currency (OCC) fined a large financial institution $400 million due to its inability to demonstrate the quality of data used for regulatory and management reporting.  

Specific members of an ERM team—if not everyone in the team—should possess skills in data management, data analysis and management reporting. Look for candidates who can demonstrate an understanding of database design, data lineage, business process mapping, account and file management, pattern identification, data sampling techniques, data integrity and business communication. Even a familiarity with management reporting software, graphs and charts can be a big move forward in communicating what data tells us and where critical deficiencies lie.  

An appropriate mix of skills and capabilities is the goal. When staffing an ERM team, data skills are necessary but not sufficient. A mature ERM team also requires individuals with a depth and breadth of banking knowledge to be effective across all financial services functions. An effective ERM team needs a balance of banking knowledge and the ability to gather, analyze and understand what the institution’s data reveals about its performance and risks.   

In summary, the core business knowledge required of ERM leaders should be complemented by proven data analysis skills. Settling for anything less will only result in a less effective ERM program.

Denise Rinear is the managing principal at Capco.