So You’re a New Risk Manager — What Comes First?

Taking a risk manager position is a great career step, whether it is a short tour of duty or a long-term commitment. It is pivotal that a new risk manager gains, as soon as possible, a holistic understanding of the business and of the key principles for preventing large operational losses or strategic missteps. We have seen highly talented professionals become immediately overwhelmed and unable to obtain a full grasp of the position for more than six months after stepping into the role. Below is a guide to what to do, and the right order in which to do it, during those first 30 days as a new risk manager.

Reporting & Governance

Management committees and board risk committees (e.g., asset liability management, credit, risk, and audit) typically have standard report packages for committee members. Request that the respective committee chair authorize your access to the content. Start with a year of reporting unless there is a specific issue requiring more research. The objective is to:

  • understand the scope and content of periodic discussions,
  • identify the presenters or authors of the content,
  • list the regular attendees and ask to be added to the meeting invitation list, and
  • gain insight into the issues facing the organization, including current or critical problems.

Enterprise Risk Management Program Maturity Assessment

The strength of every organization’s risk management program (and its areas requiring enhancement) is first measured by reviewing the risk management policy, risk management committee charters (management and board, if applicable), and the full inventory of risk assessments. The objective is to understand the business process working model based on the committee charter and policy.

A high-performing risk function will oversee more than 20 annually updated risk assessments. The number of assessments, small or large, is an indicator of the maturity of the enterprise risk management program. Review each risk assessment and begin to inventory the top threats identified in each one. It is easy to drown in data during this activity. Focus on the big threats that could create big impacts (e.g., consumer complaints that affect customer retention). There will be time in the future to dig deeper into the scope and methodology of each assessment.

Third-Party Relationships

Reliance on third parties is ubiquitous in every modern organization. The benefits of expertise and external capacity also bring threats: transaction non-performance, cybersecurity, data security and privacy, and business continuity. The accounts payable department can produce reporting on total payments to vendors. The vendors that represent the top 10% of payments are a reasonable proxy for the most critical vendors. A vendor risk assessment should then be performed to corroborate this finding.

The initial focus should be directed to the vendor monitoring program. A high-performing vendor monitoring program is focused on the specific vendor/threat relationship, that is, on which threats each vendor exposes the organization to. Knowing this builds your understanding of the critical third parties that make your organization successful.

Summary

Wolf colleagues who are also nationally recognized experts with 20+ years of experience note other areas that arguably should also be top areas of review during your first 30 days.

Internal audit plans (internal audit, IT audit, compliance audit, third-party model reviews) and test reports provide valuable insight into the high-risk areas of the organization and what must be improved in them. Cybersecurity testing, if it sits outside the internal audit function, will provide insight into the organization's critical data stores and how well they are protected.

Other management committees not mentioned above may provide insight into operating activities where important change is planned or underway. "Change" is a significant source of loss origination. Being a resource to those groups in preventing loss could make you a hero. Enhancing and developing significant improvements in the risk program can take many paths. Risk appetite, risk monitoring, risk staffing, and overall reporting and monitoring are areas of constant review and modification as strategic plans and partnerships evolve. As a risk manager, you will never experience stagnation or a lack of difficult challenges to which you can commit your energy.

If you need assistance maturing your risk management program, reach out to our enterprise risk management experts at Wolf & Company.