What are your measures of success for evaluating risk management initiatives?
We always ask ourselves three things whenever we do any initiative. One is: How does it improve our risk management capabilities? That very broad question throws up a series of more particular ones: Would we be able to get better insights to our risks when we've done this initiative? Would we be able to understand the risks that we take? Would we be able to manage those risks that we take?
That's one important aspect. The second question we ask is: What business value does it bring? We don't want to do something just for the sake of doing it. We want to make sure that if we do this, we can actually bring value to the organisation.
That leads directly into the third question: Does it have the overall effect of lifting our performance? Ultimately, it has to have a positive impact on our bottom line. In any initiative we do, we make sure all those three questions are asked and the objectives are met.
Going back to when you started at Maybank and started running these initiatives, did you face any unique or especially difficult challenges?
Getting buy-in on an enterprise-wide is critical. Once the buy-in is there for a project, meeting that project's objectives is significantly easier. I think if you start on the basis of being clear about the objectives you want to meet, what outcomes you want to derive-getting buy in from above and from across the rest of the organisation, can be easily obtained. My job as GCRO essentially is to influence people to understand the objectives that we want to meet so that everyone-from risk management, to the business, the Board of Directors or the rest of the senior management team-has a clear understanding of each initiative we run.
What are key attributes every senior executive must have to be successful?
I think when it comes to being a risk officer, in particular chief risk officer in any bank, technical competency is a given. So, the key requirements to do well in a job like this will not have to do so much with technical competency, but rather more to do with leadership and relationship building. As such, the chief risk officer must typically have the power to influence people and to convince people. That requires technically proficient risk officers to step up from the basics of their jobs. If you are just a technician looking at the risk numbers and all-you may feel good about yourself because you understand the risks. But if the other people at your organization don't understand what you're trying to do and don't understand the benefits what you do brings to the business, then you will get lost in the organization. To put it bluntly: once you come up to the CRO position, the power to influence, the EQ part, is more important than the IQ. The IQ is almost a given for you to be able to assume that position.