Ever since reading The Hard Thing About Hard Things, by Ben Horowitz, I’ve often thought about one of Ben’s classic blog posts, Good Product Manager, Bad Product Manager. Despite being written back in the web 1.0 days, its concepts are relevant today, and I frequently recommend them to my team and colleagues. In fact, the good/bad construct can apply to other types of jobs, and I recently thought it would be useful to apply it to the practice of risk management in financial services.  

The job of a Chief Risk Officer and his or her team is complex, requiring a mastery of high-level strategy and precise detail, and it’s critical to the success of any lending business. As fintech continues to proliferate, with even non-financial-services businesses adding lending as a product capability, the risk role gains more importance and greater scope. Over the past 15 years, I’ve worked with probably thousands of people in the world of risk, people who are responsible for strategy and execution of customer-facing decisions, capital allocation, portfolio management, and generally the lifecycle and performance of a lending business. These include my colleagues at massive institutions like Amex or Citi, or the many clients, colleagues, and partners I’ve gotten to know through Orchard, Kabbage, or Ocrolus, and in the global fintech community. 

I’ve compiled a set of principles to apply this good/bad framework to risk managers. Obviously, there are a lot of ways to do a job well, and some of these may indicate my own style or biases. Nevertheless, I hope they are helpful and can spark reflection and conversation on what is a critical role in the world of financial services.

• A bad risk officer tries to predict the future and lures himself and others into a false sense of precision. A good risk officer simulates many versions of the future, generating a distribution of scenarios and a flexible strategy to account for unforeseeable risks.
• A bad risk officer focuses only on fancy new modeling techniques as a source of outperformance. A good risk officer recognizes that data is more important than models and seeks the most comprehensive and accurate information about his customers and the environment in which they live and do business.
• A bad risk officer only develops a control function, focused on protecting downside. A good risk officer builds a high-performance learning organization dedicated to profitable growth, without surprises, and with a great customer experience.
• A bad risk officer develops risk strategies and policies and tosses them over the wall to technology and operations groups for implementation. A good risk officer sees herself as a technologist and operator and seeks end-to-end partnership, knowing that operational risk, though often harder to measure, can bite you in the ass.
• A bad risk officer hires lower-skilled analysts that create a bunch of manual, non-reproducible work in Excel. A good risk officer builds an analytical team with top-notch, modern software skills who create modular, performant, and high-quality code, where each development is a building block for the next stage of innovation.
• A bad risk officer asks his team for an endless set of ad-hoc manual reports. A good risk officer, knowing that most reports in most companies are never even read, invests in a scalable and automated reporting strategy that combines reports, alerts, and interactive tools to have a constant pulse on the performance of his portfolio.
• A bad risk officer is overconfident in the ability to translate success with one product or customer segment into success with a completely different one. A good risk officer is wary of trying to model outside of one’s data and seeks new data and new approaches for new areas of business.
• A bad risk officer focuses only on systems and rules, believing that lending is just a math problem to be optimized. A good risk officer recognizes that credit is fundamentally based on human psychology, and that a trusted brand and high-quality customer experience can be one of the most advantageous assets in managing risk.
• A bad risk officer thinks of borrowers as good or bad people based on whether they perform on their loans. A good risk officer realizes that good people often face unforeseen financial hardship and builds processes to identify these situations as early as possible and resolve them in a positive-sum way.
• A bad risk officer gets complacent about fraud risk, either naively believing they don’t have any or by employing overly blunt measures that punish good customers for the sins of a few. A good risk officer is constantly innovating, searching for new data, and exploring new ways to identify and prevent illegitimate activity while minimizing the impact of false positives on customer experience.
• A bad risk officer focuses on short-term performance and ‘looking good’ today. A good risk officer builds a learning system, identifying key tests, questions, and KPIs. She ensures that data systems, culture, product structure, and operational processes are all oriented towards collecting reproducible and well-documented lessons that can serve as building blocks for future high-quality growth.
• A bad risk officer sees customer service as a sales and operations job. A good risk officer makes sure everyone in the organization has frequent customer and market interaction and seeks out feedback directly.
• A bad risk officer treats technology as a cost. A good risk officer is a technology innovator, constantly exploring new ideas and pushing his/her team to adopt forward-thinking solutions enabled by technology.
• A bad risk officer focuses on managing an organization in a narrow vertical. A good risk officer builds relationships with other executives in the organization as well as with industry peers, clients, regulators, capital markets participants, and vendors.
• A bad risk officer thinks only in abstracted KPIs. A good risk officer realizes that everything in their portfolio is ultimately the result of a decision involving an individual business owner or consumer.

The job of risk management continues to grow in importance and impact, particularly as lending expands beyond the domain of large banks and one-size-fits-all products. In fact, the role has indeed become so broad and all-encompassing that it potentially needs a new name. Most importantly, good risk officers are constantly learning and growing, seeking to drive change both in themselves and in the people and business around them.