Abhishek Paul: Associate Vice President, Risk & Conduct Assurance, Risk Hub India, The Royal Bank of Scotland
Abhishek Paul
Associate Vice President
Risk & Conduct Assurance
Risk Hub India
The Royal Bank of Scotland
How did you get your job?
Situation: After almost five years of striving in the financial sector from 2005 to 2010 and performing roles within the finance function I was pretty sure where my career was headed but I was not confident whether it was my forte or not considering that I was not a chartered accountant or a cost accountant and these could have been possible blockers in the road ahead.
Opportunity: It was around fall 2010 that I received a call from an independent consultant whose approach to interviewing me was quite different and when she told me about the role which was Supplier Risk Management (1st Line of Defence) for the global sourcing function at Barclays I didn’t believe that I would be considered eligible for the job, however, after a rigorous round of telephonic interviews the consultant concluded that I possessed the right attitude and approach for the role which the company was looking for as risk management was a pretty niche segment and not very lucrative for people in finance to join. She asked me whether I was willing to take a risk and switch my career stream to risk itself, to which I agreed to explore.
Actions: What followed was a series of technical rounds that tested my knowledge, attitude and aptitude in the broader space of risk management. I was asked extensively about how I would handle situations of financial crime and fraud and specifically with respect to the recent financial meltdown and how banks could strategize and develop key risk strategies in ensuring a more robust and “fireproof” environment. The interviews lasted for 3 rounds of about an hour each and it was probably the most extensive rounds of research I did in this context to be able to handle the questions raised.
Outcome: I finally got hired by Barclays in their supplier risk management space and was asked to handle the Africa region which at that point of time was high on non-compliance and low on expertise to remediate the gaps. The next three years were the most fulfilling years of my career where I decided what my forte will be and also after extensive research decided to enrol for a professional qualification to support my practice and that’s how I enrolled into the Certification program provided by IRM, London. Since my qualification was related to my area of work I even got a sponsorship from Barclays under their professional qualification program and since then I have never had to look back.
What’s a typical day like as a Risk Manager?
I will answer this question in three parts which will basically be the three aspects of my role that I have done so far in the last six years after my foray into the field of risk management.
1. As a Vendor Risk Manager (1st Line of Defence):
Environment: My first project was to ensure vendor contract compliance to existing policies, identify the gaps and remediate the same by supporting the sourcing heads of 10 different country entities in Africa where Barclays was operating in 2011.
Actions: A typical day as a vendor risk manager would start with reviewing the latest Key Risk Ratings provided by the countries considering the factors contributing to these key risks, reviewing the existing remediation plans for previous issues and incidents identified, discussing the progress on remediation with country sourcing heads and the new issues/incidents identified, prioritising the areas to be reviewed for the remaining part of the week, ensuring that all the countries were speaking the same Risk language when it came to reporting to ensure consistency, looking at specific progress on projects like implementation of Anti-Bribery and Corruption Clause into contracts and self-attestation of control checks performed by the Sourcing teams to ensure day to day management of internal controls to mitigate risk exposure and finally devising a self-certification review plan to ensure what was being reported in the risk management system was true and accurate for consumption of the senior leadership team and also the members of the 2nd Line of Defence.
Learning: I also realised during this process that every individual has a different perspective of looking at risk exposure and the ideology of risk management cannot be canned in a box. I also observed that risk management may have different interpretations in different geographies, in fact even in different countries within the same geography. The business controls in a country like Kenya were very different from that in Mauritius due to internal and external factors affecting the risk environment.
2. As a Risk Management consultant (1st Line of Defence):
Environment: My second project in 2015 within Barclays after my first ever in role promotion in my career span of 10 years from an Assistant Manager to an Assistant Vice President also was in lieu of primarily two things, my previous deliverables in the Africa Supplier Risk Management space and my professional qualification in risk management from IRM, London.
Objectives: In this space my objective was twofold; one was to identify duplication of governance and controls assurance activity being performed on the India Sourcing Team, present the findings to the global sourcing management team and segregate the global controls from the local controls to have better focussed reviews and controls assurance activity by the respective teams. This involved working with the India Sourcing Head to identify the duplication of control testing activity based on location split, understand each and every control owned by her and distinguish the global and the local controls, agree with the existing local teams rather convince them of the difference in practice and requirements and formalise a better synchronisation of efforts reducing the total man hours spent by the India Sourcing Team in provided control testing evidence as they were being tested by three different local teams on the same controls.
Actions: A typical day after project implementation was to identify gaps in classification of High, Medium and Low risk vendors, ensure that supplier managers were adequately apprised of their roles and responsibilities, reviewing self-attestations of compliance to procedures for internal control and reporting the progress to the Head of India Sourcing. After completing this project I was then asked to move to a more global role within the 1st Line of Defence to work on identification of Key Risks, developing Key Risk Indicators and Material Risk Indicators, performing Key Risk Assessments, preparing the key risk control inventory, managing the issues and incidents raised by business and also supporting the controls assurance activity for the business and acting as a 2nd Line of defence by testing the key controls identified against the key risks for the Operational Risk Exposure of the bank from the point of view of Global Sourcing and Supplier Management. The controls I reviewed and tested here included Fraud Risk, Legal Risk, People Risk, Information Risk, Financial Crime Risk, Technology Risk, Payment Risk in addition to Supplier and Vendor Risk.
Outcome: I am thankful to IRM for providing the curriculum which has helped me not only in performing my job but also planning my career ahead, as after my success with the Certification Program in 2015, I was sanctioned by Barclays to further pursue my career interest and progress into the CMIRM program which would entitle me to an International Diploma in Risk Management.
3. As a Risk Manager in the 2nd Line of Defence:
Environment: After a long and fruitful career at Barclays from 2011 to 2017, I decided to explore and work in the space of Market and Credit Risk to increase my spectrum of knowledge which had been limited to Operational Risk, this is when my current job opportunity came by for the role of an Associate Vice President in the area of Controls and Conduct Assurance for Market and Credit Risk within the Risk Hub of The Royal Bank of Scotland.
Actions: A typical day here is to review the testing plan based on the inventory of key controls for both SOx and Non-SOx controls and deciding the allocation of testing to be done during the year. Once this has been sanctioned by the leadership team the routine would include reviewing control walkthroughs with control owners within the span of Traded/Non-Traded Market Risk Controls and Credit Risk Controls and making an independent assessment of the Adequacy and Effectiveness of the controls through sample based testing following the COSO framework and Enterprise Risk Management guidelines by BASEL as the 2nd Line of Defence to validate the controls being operated and owned by businesses are being adequately designed and effectively operated to mitigate the risks that they are intended to mitigate. This also includes reporting the findings to the leadership team and the Group Risk Committee, mitigation of issues identified and working with the business to ensure a robust control and conduct assurance environment.
Aspiration: My expectation from the current role is primarily to learn the various aspects of Market and Credit Risk controls in more detail and understand the overall operating methodology of the 2nd line of defence, alongside completing my CMIRM this year to position myself into the career space ahead.
What do you enjoy most about your job?
I think the best part of being a risk manager is that you learn a new trait almost every day, the ambit of risk is the same across industries and functions which is to understand a process identify the controls and ensure the controls are adequately designed, operated and reported for the Group Risk Committee to take crucial decisions in understanding the risk appetite for the firm and prepare the organisation to be able to face risk exposures in the best fit manner without compromising the sustenance of the organisation and ensuring that these controls either fail only marginally which is within the risk appetite or not fail at all.
Being from operational risk or not being from credit risk or market risk background does not prevent me from analysing what could be the potential failures in a process looking at the process map or understanding how a control owner operates his controls. The only requirement for being a risk professional is to have strong analytical abilities and a sense of seeing what no one other sees in terms of the scenarios that can occur out of failures due to people processes or systems which are expected to continue without failure.
What are the challenges?
The challenges that are most obvious are people and their mind-set. As humans we do not prepare for the worst but believe in aggressively planning ahead. This trait is very eminent in businesses as well who are operating for profit and setting aside risk capital is probably not the most profitable use of budgets, however, one needs to think of situations like the Tsunami in Japan, the financial crisis of 2008 and case studies relating to the failures of top industries and businesses in lieu of inadequate planning of risk exposure of their highly inspirational projects where they are willing to risk it all putting years of existence at stake without considering the perils of failure or gearing up to face the risk exposure in a more equipped and fortified manner.
In what way are your IRM qualifications relevant?
Certification: I think the certification program gives a base for understanding the fundamentals of risk management which is essential for all those who manage or support businesses in anyway as it will help them to understand the basic requirements to make a process or business risk proof.
Diploma: The Diploma program is probably more suitable for risk professionals who are planning to make a career in risk and operate within the 2nd or the 3rd line of defence. For me the certification was the reason for my first in-role promotion and expansion of my risk profile, however, the Diploma is what will make my profile exclusive and also give me the much needed in-depth subject knowledge and expertise required to deliver excellence in this sector.
Key Highlights: The fact that this qualification is subjective and requires a sufficient number of hours of study and research to clear the exams makes this more niche and attractive. I do think that the marketability of the qualification does depend on how accepted the qualification is across the world and not only in predominant European MNC’s and for that I believe we as students need to spread awareness in association with the institute to ensure that such highly skilled professionals are recognised and we can reach out to others who are struggling in this field to inspire them to enrol for the qualification and also for organisations to sponsor developing their talent pool by enrolling them for this qualification.
What would you say to others thinking about joining IRM as a member?
I would strongly suggest joining IRM as a student member/professional member not only because the affiliation would help in your career but also because the forums and discussions help to keep you aware of the most recent trends in this sector. Enterprise Risk Magazine gives an insight into other risk professionals, their views and their thoughts about how the changing world is influencing the way people look at risk and value risk management. This also gives you insight into career opportunities and helps in continuous learning and skill development.
I would suggest not looking at membership as just a mere payment of fees or association but actively involved in taking the institute forward by supporting its vision as the visibility that it creates will eventually benefit all the members and students who have qualified from the institute. Given an opportunity, I would love to not only spread awareness of this institution in India formally but also look at opportunities to participate and contribute as a faculty to classroom trainings by sharing my experiences and enable other students who have enrolled into distance learning programs to have classroom training exposure and excel in their careers and help in developing the Risk Appetite Culture which can be a strong pillar to longevity and sustenance of many organisations who are insensitive to Risk Exposure.
How has your role developed and what are your career ambitions? Has being linked to the IRM helped?
Starting with a career in Fidelity as a accounts payable associate managing credit controllers and their payment expectations to pricing of financial software for Ariba and then validating savings from Sourcing Projects in the first 5 years of my career to a 6 year stint at Barclays into Risk Management life has progressed at a very fast pace and I can say that I am now much more clearer in my career ambitions from considering myself to be a “finance professional” to being a “Risk Expert” and I owe my professional growth in this field to both my experience at Barclays and my professional qualification in Risk from IRM. Being linked to IRM has also helped me to make my career visible to other through this testimonial that I am writing today hoping to inspire many more individuals to look at Risk Management as a potential long term career.
Top Tips:
My suggestion to those who are wanting to switch their field to risk management or would like to start their career in risk management would be that you enrol for the Certification program and invest 6 months to a year in completing the certification before applying for roles within 1st or 2nd Line of defence or as a member of a controls testing or controls assurance team as it would be the stepping stone to a long term career, you may also consider getting this course sponsored if you are in the same line or make a development plan to switch to risk management within your company through internal job posting if you organisation is flexible enough to provide you with such an opportunity. You may also connect with risk professionals on LinkedIn for career guidance or mentoring as it would help to gather some direction in your approach.
Three Tips:
1. It’s never too late to start or switch to risk management, as you can become a risk manager in the field of experience you have as no one would understand the business and the gaps better than you.
2. There are no shortcuts to becoming a good risk manager, try reading management case studies and content on the internet for continuous learning even if you already are professionally qualified or have the desired role at hand.
3. Increase your visibility on the professional networks. Make sure that you spend some time reading about people on how they have reached where they have reached, it’s easy to do this on LinkedIn to help you figure out whether your approach today is aligned to your ambition for tomorrow, if not then try and make adjustments and ensure that you are visible to the right people both within the organisation and outside.
