Jul 212011

Sunday evening my wife and I took in the musical “Chicago,” a sensational tale of sin, corruption and all that jazz, set in prohibition era Chicago, my hometown. The story is a sizzling satire on corruption in the administration of criminal justice and the concept of the “celebrity criminal.” Listening to the lyrics sung by the hapless character Amos, I suspected that even the most confident of us might empathize with him as he sings ‘Mr. Cellophane’:

If someone stood up in a crowd
And raised his voice up way out loud
And waved his arm and shook his leg
You’d notice him

If someone in the movie show
Yelled “Fire in the second row
This whole place is a powder keg!”
You’d notice him

And even without clucking like a hen
Everyone gets noticed, now and then,
Unless, of course, that personage should be
Invisible, inconsequential me!…”

I wondered if these lines might also express the sentiment of Paul Moore, a former senior risk officer at British Bank HBOS (Halifax and Bank of Scotland), who once claimed that he warned his bosses that the bank was moving too fast and raised concern that risk warnings were ignored. The discussion of the risks taken by HBOS was particularly pertinent when Lloyds Banking Group, which now owns HBOS, announced that its acquisition would be announcing full year losses of about £10bn. Moore said his warnings to his bosses—including former chief executive James Crosby, an economic adviser to then Prime Minister Brown—were dismissed and ultimately led him to finally be noticed just enough to lose his job.

Indeed, many risk managers may well harbor a special empathy for the musical’s Amos. A survey of FTSE 100 risk managers found only half view themselves as influential within their organizations. One in eight said they are not at all influential. One third said they are only quite influential. Apparently, ‘Invisible, inconsequential me!’ has plenty of company among risk managers.

Despite a growing population of risk managers, realized risk is a fact of life these days. In the current environment of economic uncertainty, where the painful cost of inadequate risk management is being demonstrated every day, it is disappointing that ‘Mr. Cellophane’ risk managers do not seem to wield enough clout (albeit not Chicago-Style “clout“). Effective risk management requires senior risk managers to become truly influential right on up to the board level and be respected across the organization.

As the role of risk manager has developed and companies have gained greater experience with it, the profile of the ideal risk manager has shifted. Leading-edge companies agree that a risk manager should be analytical and bright. He or she must, after all, assimilate and understand a mass of information from a variety of sources in the organization. In addition, the risk manager in many companies both guides the usage and understands the output of highly sophisticated modeling tools.

Nonetheless, those are not actually the critical competencies of the effective risk manager. The risk manager, above all else, is a leader and communicator. From the moment that the risk manager embarks upon the formal risk assessment process, all the way through risk identification, analysis, planning, tracking and controlling, the effectiveness of her communication will dictate how successful the overall process will be. In addition to that, she must be able to build strong political partnerships with business and corporate staffs, communicate to a wide variety of audiences in clear, understandable language, and be a skilled facilitator of organizational action more than simply a technical manager of risk.

Like Amos, risk managers need to overcome invisibility to become effective. Until then, they’ll be perceived like Amos as he sings sotto voce the final line,  “Hope I didn’t take up too much of your time.”


Scott Stribrny

Scott Stribrny is a Senior Consultant with Cutter Consortium's Business Technology Strategies practice and a leading figure in the world of process improvement. He is currently advising on techniques for effective product requirement specification and risk management.


  6 Responses to “Mr. Cellophane: Do Risk Managers Lack Influence?”

  1. Scott

    Both HBOS and Lloyds are primarily retail banks with a retail bank mentality ( deposits and loans ) with an event based risk assessment ( on application for a new mortgage etc. )

    Investment Banks take risk much more seriously. Risk Managers are respected members of the community all the way to the top of the organisation. In Investment Banks, the traders are the risk managers and the “Risk Managers” are really the risk police who monitor against limits (which are set by management). They also perform investigations (like the police). Risk Management in Investment Banks is continuous and risk is a preoccupation of most of the employees.

    Sadly risk is misunderstood by many, especially those
    in IT.



  2. Scott,

    Interesting article.

    Given the analytical nature of the job, it’s probably common for risk managers to be low-key. In many organizations, sales and showmanship are necessary to avoid Amos’ fate. Then again, it’s possible that the manager is influential and respected, but does not recognize it himself.

    It’s human nature to pay attention to dramatic events. Too often, people who frequently participate in “hero syndromes” are frequently rewarded. Since effective risk management prevents bad things from happening, it is easy for contributions that cause “non-events” to be overlooked.

    Regardless, mature, high quality organizations learn to reward “non-events” and risk avoidance… but often the person responsible needs to “toot his own horn” a little to gain respect and recognition.


  3. Scott,
    Thanks. Your analogy provided an interesting read. Risk management is a daily encounter in the IT world. IT is a delicate balance between evaluating the risks, weighing those risks against the business strategy, and communicating those risks. Often times, IT is seen as a hindrance to progress because IT groups are constantly faced with risks in data loss, security breech, system integrity, scalability and so on.

    The challenge is to create a balance between the benefits provided by progress, implementation of technologies and the risks associated with a course of action. For our group, our efforts using agile development structure to recognize and communicate risks directly to the business owner provides a level of measure and accountability on the side of the business. If we recognize the risk, evaluate and create counter measures to minimize the risks, the business then can decide whether or not to proceed.

    Effectively educating the business to the cost of risk, should it present itself, is the key in my opinion. The success of the endeavor depends on the personal relationship that IT has with its business managers as well as the corporate attitudes towards their IT departments.


  4. Hi Scott,

    The influence of risk managers is, as you suggest, “it depends” — on the culture of the organization, the reputation of the risk manager, the reward/consequences tradeoff, etc.

    In many of the highest impact risk areas, the consequences of a risk becoming a catastrophe are relatively low, especially in areas such as finance. An investment banker can pursue billions of dollars of “high risk” investment where he or she has little understanding of the real risk and be reasonably confident that if the disaster happens, the feds will rescue them, and if the worst happens, they will get a $100M+ golden parachute. The risk analysis for the decision maker and the company all indicate that you should accept the risk, even if from a societal perspective, it’s insane. And the natural corollary is that any governmental oversight or regulation should be strongly resisted. Which is exactly what we’ve seen play out since 2008.

    Many industries such as oil and finance share similar risk incentive structures. That’s why risk managers have to keep a low profile in such contexts. Being right is the worst thing for them that can be demonstrated! (I realize this is a somewhat dramatic and cynical perspective, but I’ve been watching the debt ceiling debate…)

    Such dysfunctional systems have been around for years — it’s just a variation of the “tragedy of the commons.” So risk management is arguably only useful in environments where cost of bad decisions is actually imposed on the decision makers. There are plenty of such environments, so the value of risk management will continue to be readily available… and risk managers will continue to be ignored and/or abused when they move into environments where the incentive structure is dysfunctional

  5. avatar

    This is an great article and is most interesting as I was reading it during the speaches being made by our U.S. leaders and made me think who is the risk manager for the United States? We struggle with Risk at my firm but we have a Risk team that makes those decisions and to be fair they are doing a good job and our firm is very successful at our money making ventures but it does make it difficult for a project manager (like myself) to raise my hand to say but the risk of doing Project A first is that Project B might not gain income in the short term but ultimately it will be the best business move for us all. Having the courage to stand up and to make folks aware of Risk is not an easy task and to be fair I see more and more people hoping that others see the Risk so they just sit back and assume those people already know the Risk so they will just keep quiet and then say, “I told you so”.

    Interesting article that’s for sure and so relavant to our world today of finding the balance of being the guy who points out Risk and getting listened to and just allowing things to go wrong and then start pointing fingers without taking any responsibility.

  6. Risk managers who view the world through “insurance” are likely to have limited influence — risk managers with the technical saavy to apply quantitative methods to the measurement of risk will be very influential in the coming years — risk management is no longer about static risk exclusively — risk managers must be proficient with stochastic methods in order to understand and apply probabilistic methods in real time — the most influential risk managers of the future will be closer to actuaries than insurance agents in the 21st century — boards are already requiring this transition in practice standards.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>