Almost every industry is in the grips of a seismic shift driven largely by technology, resulting in an everyday business environment marked by the rise of new business models, new market players, and a greater need for agility, flexibility and changing skillsets. Effective risk management is critical to help organizations deal navigate successfully. This requires improvements to frameworks and processes, better tools used more effectively, better-trained people with deeper expertise, and better use of data. But, perhaps more than anything, it requires great risk leadership to make it all happen.
There are several fundamental challenges to developing strong leadership in these roles. First, risk management is still evolving as a profession. The role of chief risk officer and the concept of enterprise risk are still relatively new. Of those in risk leadership roles today, few set out to get there from the start—many came from highly technical backgrounds and, when they began their careers, there were no defined career paths or role models to follow.
Second, the demands of the role are distinctive. Risk leaders need to robustly and firmly challenge colleagues who are trying to drive the business forward, while all the time trying to position themselves as a “critical friend” and avoiding being seen as the dreaded “business prevention unit.” As a result, while any executive will tell you that can be lonely at the top, this is even more the case for a risk leader. While they may try hard to emphasize a focus on upside risks and opportunities, most often, risk goes hand in hand with preventing things from going wrong. This emphasis often isolates a risk leader further from the rest of the business.
And finally, to top it all, the value of effective risk management is rarely visible as it is typically embedded in policies, systems and processes. This makes it difficult for risk leaders to demonstrate the tangible benefits they bring to the organization.
Taken together, this presents a unique leadership challenge. To gain a better understanding of what it takes to be a successful leader, we interviewed 10 senior risk leaders and conducted a survey of more than 220 risk leaders. For the purposes of the research, “risk” was used as a catch-all term for a range of disciplines and roles relating to the identification, assessment, management, assurance and reporting of risk across all domains. This includes governance, compliance, technology risk and controls across the first and second lines of defense. A “leader” was considered anyone viewed by the organization as responsible for risk management and accountable for setting direction and leading a team. To get at “success,” we asked survey respondents to consider those risk leaders they perceived as effective performers in their role.
What Are the Main Challenges Risk Leaders Face?
Before exploring the capabilities and qualities that make an effective risk leader, we wanted to understand the current and future context and challenges they face (Figure 1).
Overwhelmingly, risk leaders saw the growing risk associated with technology-driven change as their top challenge. The other priorities differed depending on seniority: More senior leaders were especially concerned with demonstrating the value of risk management and accessing talent, while less senior leaders felt it was the challenge of leveraging the mountain of data and continuing pressures on cost. Finally, all leaders noted the need for greater flexibility and agility so that risk can be more responsive to changing expectations and threats.
The DNA of a Risk Leader
Across all organizations and functions, around 40% of internally promoted leaders fail within the first 18 months. That figure rises to 50% for external hires. To effectively understand what makes a “good” risk leader, we took a deeper dive to explore what factors are linked to long-term success. Research in the field of leadership potential points to four key components:
Competencies: Learned behaviors, knowledge and skills that are critical to success in the role (e.g., strategic thinking, leadership).
Critical experiences: Make-or-break situations that leaders need to have encountered and navigated successfully to be prepared for leadership roles (e.g., managing a crisis, influencing other senior leaders).
Personal qualities: Character traits and abilities that differentiate the most effective leaders (e.g., interpersonal skills, motivation).
Derailers: Personal traits that can undermine leadership success (e.g., getting caught up in the detail, over-confidence).
Exploring each of these components can help identify which factors are most critical to risk leadership.
Many of the competencies required of risk leaders are applicable to all leaders. Influencing effectively upwards, across and downwards; getting past the technical details to take a more strategic, enterprise-wide perspective; being a good team player who can work effectively across organizational boundaries—these are all well-worn, familiar leadership competencies that are the focus of any competency model, training program or leadership book.
This list is hardly exhaustive, however. For example, given that we know technology risk is one of the biggest challenges facing risk leaders, possessing technical savvy—an understanding of the impact of technology on the industry and the organization and a good grasp on resulting risks—is a competency that will become increasingly important over the next three to five years.
In addition, commercial acumen—appreciating business imperatives, being pragmatic and solution-oriented—helps risk leaders to build trust and credibility with other leaders and foster the perception of risk as an enabler and supporter rather than a business-blocker.
But this is not a checklist. Context matters. At different times, different competencies may be more or less important to success in a given role. Further, what works well in one organization may not work well in another. For example, one leader found that his brand of influencing—which involved “robustly debating” issues as was very much encouraged in his previous organization—was seen as too aggressive for the consensus-oriented culture of his new employer. Risk leaders need to pay special attention to the competencies that are most important to their organization.
Personal qualities are fundamental abilities and personality traits linked to longer-term growth potential and success, but are more difficult to change and develop.
Integrity, for example, is a characteristic that risk leaders regard as “table stakes” as it goes to the heart of the function’s role in the organization. This stems more from an individual’s character and values and, as such, is not a quality that can easily be learned or developed. Any major gaps in integrity are likely to be seriously career-limiting.
Risk leaders see courage as the most critical quality. Backbone, a willingness to challenge others, to make tough choices and “to ruffle feathers” are necessary for a risk leader to be effective. While courage may also be called out as an important quality in other leadership roles, it is rarely identified as the frontrunner. Further, the highest number of senior leaders rated this as the most important quality, suggesting that it becomes even more critical in the C-suite.
While courage is often gained through experience, senior risk leaders suggested that culture also has a major role to play in “encouraging courage.” Leaders who actively seek out and welcome challenge and who positively reward people for speaking out on a regular basis will develop a stronger pipeline of courageous future risk leaders beneath them.
Finally, risk leaders need to be savvy about people. This involves understanding and working well with a diverse range of people, demonstrating a healthy dose of humility and being able to read political dynamics. While risk leaders are often called on to challenge and push back, they also need to balance this with tact and diplomatic skill. Without this, they risk being perceived as too abrasive, which can isolate them from their peers.
The 70/20/10 rule, a research-based guideline for leadership development, says that real-world experience is the best teacher and that three types of experience are important: challenging assignments (70%), developmental relationships (20%), and coursework and training (10%).
You can think of critical experiences as the kind of make-or-break situations that differentiate great leaders from average ones. It is preferable if one has steadily encountered these situations on the way up rather than being thrust into a leadership role and having to deal with one for the first time under the full glare of senior management scrutiny.
So, what type of experiences do risk leaders need to accumulate on the way up (Figure 2)?
High levels of responsibility emerged as the stand-out experience required by aspiring leaders. This includes experiences that involve successfully engaging, influencing and challenging senior leaders and being held accountable by them. From the risk function perspective, providing future leaders with exposure to senior executives is important in building their visibility and credibility. For the individual, seeing behind the curtain and gaining an insight into how the senior leadership team operates, how they debate and make decisions, their priorities and agendas, and how they hold one another accountable can be invaluable in learning how to operate and conduct oneself effectively in the C-suite.
Given that the risk function is often most visible when things go wrong, it is perhaps not surprising that overcoming adversity is an important proving ground for future leaders. This may involve managing a crisis, a challenging business environment or recovering from a failure, but it does not have to involve a catastrophic event. It is helpful if, at a minimum, the individual has lived through difficult times or faced real challenges.
Few leaders in any organization or role are strong in developing talent. In fact, a Korn Ferry study on leadership effectiveness looked at 67 competencies and concluded that managers are the weakest at developing talent, finding that an “ability to grow talent” was ranked the lowest of all competencies. However, according to risk leaders, experience in successfully building and leading high-performing teams and a track record of coaching and developing talent is increasingly critical.
“The work is increasingly demanding and operating environments are increasingly complex—organizations need to support the personal development of risk leaders to enable them to perform at a high level, but also to avoid burn-out,” said one respondent.
Traditionally, leadership development has focused on developing the skills, knowledge and behaviors required to be successful. Not enough focus has been placed on derailers—qualities that can get in the way of progress. These may be strengths that get the individual to a certain point in their career, but can then get in the way, particularly when they move into a more senior management position. Given that derailers tend to be activated in high-pressure situations, they can often be hard to notice until it is too late.
For example, it is not uncommon to find first-time managers who are promoted because of their technical expertise, diligence and attention to detail. While these qualities were important to their success as an individual contributor, these same strengths may make it difficult for them to prioritize, stop focusing on the detail or delegate, all of which are foundational skills of an effective manager.
The significance of derailers increases with the level of leadership. Given the scope of a risk leader’s responsibility, the impact of ineffective behavior can reverberate throughout the organization. Merely having a derailer is not the issue—many leaders demonstrate some potentially derailing tendencies. The key issue is whether the person is aware of it and has strategies to manage it. Figure 3 summarizes potential derailers as identified by risk leaders.
Putting It All Together
A significant proportion of the development available to many risk leaders focuses mainly on technical skills and generic leadership competencies. But as we have seen, while these are important, they are only part of the picture. After examining how they stack up against the key competencies, personal qualities, experiences and derailers, risk professionals can determine where their strengths are and which of these elements is a priority for their development.
It is important to note that you do not need to be strong in every single factor—indeed, successful leaders are rarely well-rounded in all areas. Instead, they will have exceptional areas of talent, usually offset with some significant development needs. The goal for a risk leader is to develop a foundational level of capability in the most important areas, play to their distinctive strengths, be aware of development gaps and ensure that there are measures in place to compensate for them.
The key is to keep the process simple: Trying to work on multiple development goals while attending to a demanding day job is a recipe for failure, leading to a quick loss of focus and motivation. Instead, the best way for leaders to develop new skills and habits is to work on one thing at a time, consistently, for several months.
It is also critical to take ownership of your own development. Few of the capabilities detailed here can be learned solely in a training course. Instead, experience and relationships are the primary way that leaders learn, so you need to be proactive in ensuring you gain such exposure.
Enlist the support of others such as human resources, managers, mentors or coaches. Ask them to help you plan how to close your experience gaps, perhaps by taking on selected assignments or special projects, through a job rotation, or some other means. It is also helpful to appoint an accountability partner—someone that you trust, who checks in and challenges you on your progress or provides you with ongoing, uncensored feedback.
By taking these steps in your risk leadership development, you will be able to enhance your profile within both your company and the risk profession as a whole.