People_and_talent_management_in_risk_and_control_functions_536x1536_Original

People and talent management in risk and control functions

By Julia Brüggemann, Joyce Clark, Arno Gerken, and Julia Graf

Risk-management functions in corporates and financial institutions face more and more challenges to recruit, develop, and retain the right people. Here are five strategic initiatives that can help.

Risk management has become an increasingly challenging endeavor for corporates and financial institutions alike. Unprecedented regulatory demands and increasing complexity have placed steadily growing requirements on the risk-management function and the individuals within it. The rising complexity has not only aggravated the detection and control of risks but also increased the damage in case it materializes. A survey on enterprise risk management conducted by McKinsey in 2013 among 50+ global banks and 15 global oil and gas companies revealed that people and performance management are perceived as critical issues for the risk-management function.

Current risk and control functions require not only employees with technical skills but also staff who are creative, assertive, and flexible in fast-changing business environments. In addition to individual talent management, which attracts and develops individuals, collective talent management ensures that an appropriate balance of talented people cooperate in the best way to realize effective risk management.

Nevertheless, the buildup of talent-management capabilities within risk and control functions has often struggled to keep pace with the new demands. The misperception that enterprise value is only generated by the revenue-generating front line and not by the loss-preventing risk function has led to far stronger talent-management initiatives and capabilities in frontline units. Furthermore, recent regulatory and compliance changes have demanded high levels of senior-management attention and often shift the focus away from longer-term topics, such as setting an agenda focused on strategic talent and people. Hence, strengthening the talent in the risk and control functions has not been sufficiently in focus in recent years. Consequently, this is now a priority to ensure that risk and control functions can cope with the more challenging and ever-changing environment as well as oversee and challenge the front line.

To assess the current state of talent management and evolving best practice in the risk function across industries, McKinsey & Company recently conducted a survey in cooperation with ESB Business School at Reutlingen University in Germany. We surveyed the talent-management practices of 8 global banks and oil and gas companies in their respective risk functions, relying on self-assessments combined with structured interviews. In addition, we validated our hypotheses in roundtable discussions with 10 European oil, gas, and energy companies as well as 16 European banks.

Based on this survey, talent management within risk functions is perceived as an important issue by most companies. However, our findings reveal that in reality only a small minority of companies are close to realizing the ambition to conduct meaningful and effective talent programs in their risk function. Although some corporates have launched dedicated initiatives and started to put talent management in the spotlight, banks are mostly lagging behind recommended practices and selectively have not focused on talent management at all in recent years. As one senior bank manager confessed, “We have neglected anything that has to do with talent for the last ten years.”

Banks and corporates alike need to strategically rethink their people-management approach in the risk function in order to enable sustainable change. For many companies there are several immediate no-regret moves, including the following:

  • Define target requirements on collective talent management for the risk function; individual-talent-management needs can be derived on this basis.
  • Perform an appropriate diagnostic along major talent-management dimensions to compare the company’s talent-management capabilities with the industry’s best practices and the company’s own target.
  • Perform a bottom-up transparency screening of the current workforce to identify patterns as well as talent and skill gaps and to compare with the self-defined requirements.

In addition, five universally accepted and applicable strategic talent-management initiatives need to be embraced by risk functions. The first four initiatives focus primarily on enhancing individual-talent-management capabilities, while the fifth initiative targets mainly collective talent management:

  1. Attract and recruit talented employees with compelling stories for working in risk management.
  2. Train and develop employees by institutionalizing holistic learning and cross-company trainings.
  3. Groom employees into well-rounded leaders by offering clearly defined career paths.
  4. Reward employees effectively based on risk-specific and diverse performance measurements and incentive systems.
  5. Foster connectivity across the entire company with dedicated cross-functional initiatives.

1. Attract and recruit talented employees

Across the board companies face challenges sourcing and hiring great employees. The challenges can be even more pronounced when recruiting risk talent, given the smaller talent pool and employment options. However, arguably the biggest recruiting challenge is the lack of a truly compelling employee value proposition for working in the risk-management function. Job offerings and compensation packages are often not tailored to Generation Y needs (for example, no sabbaticals offered, no option to work part-time)—partly due to increasing cost pressures. Moreover, jobs in the front office are often considered to be more prestigious and are often better paid.

“We are losing a whole generation,” one risk executive bemoaned, regarding the abolishment of fringe benefits. External hiring is often restricted due to head-count reduction targets, and internal sourcing mainly relies on other functions. Selection is then often based on unstructured or semistructured interviews that focus on technical skills.

Best-practice companies, however, are able to attract talent with a compelling story of risk management as a “talent factory.” Two corporate executives explained that their top performers in the risk department often leave after a few years for a better-paid job in the front office. Advanced companies also apply innovative sourcing methods, systematically involve frontline employees, and rely on a selection process that puts emphasis on the fit with risk culture. A growing number of companies are beginning to put greater value on communication and management skills and are willing to make compromises on technical skills. As one executive explained, “If I have two candidates, I prefer the one with the stronger values, even if he or she is technically a bit weaker.” Some best-in-class firms have recently introduced dedicated HR coaches for every risk employee as part of the employee value proposition.

2. Train and develop employees

Nearly all of the surveyed companies have a “corporate university.” However, because of cost cutting, they often lack the required budget and are heavily focused on communication and management skills. Particularly in smaller risk functions, technical training (in risk modeling, for example) is typically conducted by external providers. Often these trainings cannot address the specific needs of the risk-management department and are scaled back to be fairly basic and general. While trainings are perceived as important by nearly all companies, opportunities are often restricted to upper management or a narrowly defined set of top talents, creating “winners and losers,” as one bank manager lamented.

In contrast, best-in-class companies offer training opportunities to a wide range of risk employees. These firms have developed comprehensive training curricula along the following four dimensions: leadership skills, client-organizational behavior, connectivity, and links to business initiatives. Further, some corporates have recently started to collaborate to launch strategic training initiatives. In multiple learning sessions over the course of 9 to 12 months, employees receive training on functional, technical, and people skills and have the opportunity to exchange ideas with practitioners from other companies.

3. Groom employees into well-rounded leaders

The importance of drawing a clear vision of risk leaders and defining a systematic process for identifying them emerges gradually within companies. Potential leaders are often identified on a nonsystematic basis, depending heavily on the relevant line manager. Often the assessment of capabilities is not harmonized at a divisional level. Risk-management role models with a successful track record are limited in number; especially in banking, risk can be seen as a “dead-end for second-class people,” as one bank executive bluntly put it.

In contrast, best-in-class companies have clearly defined two to three well-differentiated risk-career paths, to accommodate for technical profiles in risk management; the philosophy is that not everyone can be a successful manager but rather that a top-notch knowledge expert is also key for a well-functioning risk function. A dedicated chief risk officer at the board level can act as a prominent role model to motivate and retain skilled risk personnel. As cross-divisional rotational programs are often difficult to implement in practice, some companies have experimented with instruments such as shadowing, dual-hatting, and short-term exchange programs that mimic to some extent the positive effects of rotation by minimizing the required effort and cost. These programs fulfill the ambition of risk management as a genuine talent factory.

4. Reward employees effectively

Across industries, many companies still lack the ability to effectively measure and reward outstanding performance in the field of risk management. Evaluation processes are often complex, time consuming, and, in some cases, perceived as highly subjective. Only one of the surveyed companies has performance metrics that explicitly reflect the adherence to the company’s risk culture. Rewards still rely heavily on financial incentives and, in some cases, perceived as “one size fits all,” that is, too vague and not suitable for risk roles.

Benchmark practice, however, includes consistent measures across roles that link to impact against risk objectives. Appraisals are conducted as multifaceted 360-degree feedback on automated interfaces. Feedback, an integral part of the key performance indicators that are set for senior managers, follows a multiyear perspective. Compensation consists of a variable based on the 360-degree feedback as well as individually predefined milestones (for example, a specific project to be completed). In addition, recognition can take the form of mini-bonuses, public appraisals, or reward cupboards to allow for instant gratification. Companies using such innovative tools have reported very positive experiences at the team or department level, since such measures are quick to implement and clearly linked to individual job performance.

5. Foster connectivity across the entire company

Collaboration within and across the risk function is a big challenge, especially in banking, where risk is often perceived as an impediment more than as a form of support.

To increase connectivity between the front line and the risk function, companies should implement systematic programs and approaches to foster cooperation, such as tandems and cross-mentoring. In addition, leaders within the business units should also receive regular training on aspects of risk management, conducted by risk-management leaders.

Overall, this close connectivity is all the more essential, because successful talent management requires a well-positioned and well-integrated risk organization as a strategic enabler. Risk and control functions should have an appropriate degree of seniority and decision-making power to interact with and challenge other firm functions. Risk and control functions should be recognized for their appropriate level of skills and expertise and have a complete reach across the organization. Ideally, risk opinions are actively sought for strategic business decisions, and a well-understood risk culture is lived by all members of the organization.


The recent rise in regulatory and business complexity has increased companies’ awareness of a potential shortage in sufficiently skilled risk-management personnel. Dedicated initiatives to build up and enhance existing individual- and collective-talent-management capabilities can help to remediate the skill shortage. As initial no-regret moves, companies can assess their current risk-talent-management gap. They should first assess their talent-management status quo, and then benchmark this against their self-defined target level and potentially against industry best practice.

Five long-term initiatives have been identified that support the development of necessary talent-management capabilities. Those initiatives, among others, ensure sufficient talented and well-trained risk employees who are well prepared for current and future business environments. Moreover, those initiatives foster a risk-aware collaboration across the company.

About the author(s)

Julia Brüggemann is a McKinsey alumna and a professor at the ESB Business School, Reutlingen University. Joyce Clark is a principal in McKinsey’s Düsseldorf office, where Julia Graf is a consultant. Arno Gerken is a director in the Frankfurt office.

The authors would like to thank Florian Pollner for his contribution to this article.

More on Risk
Article - McKinsey Quarterly

What’s missing in leadership development?

Article - McKinsey Quarterly

Culture for a digital age

Article - McKinsey Quarterly

The CEO’s guide to competing through HR