Q&A with Tomas Hazleton, Chief Risk Officer

I recently interviewed Tomas Hazleton, an experienced Chief Risk Officer with over 30 years in the Risk profession. Tomas gave me his opinions and insight into the current state of the Risk industry, predictions for the coming years and advice to anyone wanting to get into the industry.

Jessal Shah: Hi Tomas, In your opinion, with all the economic and political change in recent times, how would you asses the current state of the risk market?

TH: Overall, the current state of the risk market is still reactive rather than forward-looking and proactive. The risk market always seems to be preparing to fight the last war, rather than anticipating and mitigating emerging threats. This is not always by choice; political and regulatory mandates—which some would argue are oftentimes disproportionate and/or of questionable value—often crowd out risk budgets, IT capacity and organisational wherewithal to absorb change.

JS: Do you anticipate any significant changes in the risk market in 2018?

TH: Not really. As discussed in the previous question, the risk change agenda is still largely playing catch-up with the raft of regulatory changes arising from the last crisis. Post-implementation there will need to be a period of evaluation and calibration to see if these changes are yielding the intended benefits. Everyone will still be learning how to drive the new car. Ironically, the true test of these changes will most likely come from a new crisis, after which the next set of reactive changes will arise.

JS: With technology (in particular A.I.) affecting all industries, how do you see the role of technology affecting the risk industry?

TH: As someone who defines risk broadly from an enterprise risk perspective and has experience managing across the Risk, Compliance and Anti-Money Laundering (AML) functions, I see the greatest near-term promise of Artificial Intelligence (A.I.) in the AML and Financial Crime space.

Combining A.I. and Big Data should help the industry be more proactive in preventing suspicious transaction and other financial crimes, by identifying suspicious patterns, sources and methods than today’s conventional approaches.

JS: You’ve been in the risk industry since the early 1990s, having seen the industry grow to unexpected and unprecedented levels. What are your thoughts on these changes?

TH: Since the 1990s, the Risk function has gradually moved from a back-office or middle-office function to a front office C-Suite function. To earn its seat at the top table, the Risk function needs to continue to evolve from risk identification and reporting to a fully empowered challenge and risk mitigation function. Risk needs to demonstrate that it’s adding value and not just additional bureaucracy and cost.

JS: What will be the biggest change facing the risk industry in the short term and also the long term?

TH: In the short term, technology will be the biggest change facing the risk industry—both from the perspective of how to best leverage technology to manage enterprise risk in general and the risk that technology (including the abuse of technology) presents to the financial industry.

In the long term, the biggest change in the risk industry will be its ability to deal speed and complexity. The direction of travel for the financial industry is for real time everything on demand--24 hours a day, 7 days a week--with open access architecture to an ever increasing universe of both traditional and non-traditional participants. This means the risk landscape will be increasingly more fluid and that risk frameworks will need to be more flexible to adapt.

Your experience

JS: Having worked in the risk market on both sides of the Atlantic, what are the main differences between the two markets in terms of working culture and the industry as a whole?

TH: The main differences are mostly stylistic rather than substantive. At the substance level, all of the organisations I have had experience with truly believe they understand their risks and want to deliver the best outcomes for the firm and its customers. No one wants to lose money, make operational errors, or fall afoul of regulators or customers.

Americans will tend to be more direct, such as “here are the findings and this is what we expect you to do about to do about it.” In Europe, the delivery of the message tends to be more passive voice and third person, such as “Management should consider the adequacy of their arrangements with respect to…” In practice, they mean the same thing. I can assure you that if a European regulator ever sends a “Management should consider” letter, they expect more than thought exercise by management—they expect action.

JS: In addition to Risk, you have also been directly responsible for the Compliance, AML and Data Protection functions at the same time. What are you thoughts on this model?

TH: In my view, the direction of travel in the industry is the convergence of what has been coined “Governance, Risk & Compliance (GRC)”. From an enterprise risk perspective, a firm benefits from taking such a holistic approach to risk in many ways. By consolidating the second line of defence under a single leader, the firm’s Risk Management Framework can take a unified approach to the identification, assessment and mitigation of risks wherever they occur—using the same risk language, risk ratings, risk and compliance review methodologies, etc. Staff can be cross-trained across all aspects of the second line of defence instead of being limited to Risk, Compliance or AML silos with artificial boundaries and remits. Additional efficiencies can be found by reducing multiple control group contacts or reviews with the business—a “once and done” approach.

JS: How have you seen the role of the risk professional develop over the years?

TH: Over my career, the population of full-time “professional” risk managers has increased significantly. In the early days, there was little if no distinction between a first or second line of defence risk managers and the risk title was often given to staff members who already had other full-time (and often conflicting) roles. For example, the CEO or Chief Investment Officer was also the Chief Risk Officer, the Head of IT was also the Chief Information Security Officer, and the Head of Operations was also responsible for Operational Risk (apparently because they both had the word “Operation” in the title). There are still vestiges of these examples of bad practice in the industry today. However, nowadays the risk role is increasingly seen as a career path in its own right, with its own training and qualifications. Nonetheless, there are still examples where the senior Risk roles, including the CRO role, are given to senior line managers who have had no professional risk management experience or training whatsoever. While the organisations in question offer spurious rationales for such assignments (e.g. it’s a “growth opportunity” for the senior leader; we need a CRO who “understand the business”), this misguided practice actually undermines the integrity of risk profession and demoralizes career risk professionals. It will be interesting to see if the Senior Managers and Certification Regime (SM&CR) is effective in reinforcing and protecting the role of the risk professional going forward.

JS: What career advice would you give your younger self?

Be flexible. Risk is as much of an art as it is a science. There are oftentimes many different views that are equally valid and many different approaches for mitigating perceived risks. In which case the role of the CRO is to help identify and reconcile the many different views and approaches to achieve the best (or most realistically achievable) outcome for the firm.

JS: What advice would you give any risk professional starting their career in the industry?

TH: Avoid falling into the pitfall of only being a risk generalist—being a Jack or Jane of all trades but a master of none. Choose at least one of risk discipline (such as Market, Credit, or Operational Risk, etc.) in which to focus and distinguish yourself as a go-to subject matter expert in that discipline. From that point, begin to explore the other risk disciplines while at all times maintaining your core expertise. As the world becomes increasingly more complex, specialists will earn their seats at the table quicker than generalists.