Could you please briefly describe your career, especially in risk management?
I have always been involved in the management of risk, even in my early career, working for federal and state government agencies. Back then, we did not call our efforts “operational risk management”. Yet, I have found that everyone, even government employees, wishes to eliminate process and control failures and determine and mitigate the root causes for systemic deficiencies in order to improve performance and control. When I moved to financial services in the 1980s, I became responsible for financial analysis and reporting, risk management and administrative matters in various business divisions. Creating new control infrastructures and establishing segregation of duties in securities trading areas were among the first areas I led. I am proud of those efforts, because I was able to accomplish them cost-efficiently.
Could you describe briefly the main points of your book?
The book has many points. Four concepts I would want every reader to remember would be: 1) managing operational risk and business processes simultaneously is more effective than managing them separately; 2) risk management should be proactive and not reactive as it has been in most companies; 3) many easy and inexpensive ways to evaluate and manage risk already exist, so there is no need to re-create them (and the book provides several that I have used and some I created myself); and 4) it is okay to take a risk – just make an informed decision and know the risk you are taking.
What are the main improvement areas in ORM in the coming years?
As I state upfront in “No Excuses” and reiterate throughout the book, in order for operational risk management (ORM) to be successful in any enterprise, it needs to be proactive rather than reactive, evaluating potential risk before things go wrong. Additionally, because of the current environment we all work in, ORM professionals will be forced to use easier, low-cost and practical methods for risk assessment and risk mitigation. Let’s stop defending complicated systems that require expensive technology and staffing support.
Which is the most important opportunity for risk specialists in the coming year?
The challenge facing risk professionals is to be relevant. Many people in the risk profession tend to exaggerate potential risks, like many auditors do, and eventually generate skepticism from management. Risk professionals need to be realistic and recommend practical actions that can be implemented and completed timely in the current environment.
What is the best way to embed RCSA in the organization?
Self assessment of control effectiveness is controversial in many businesses and some companies and even some external auditors have preferred independent testing in lieu of self assessment. I believe that a combination of both would be worthwhile. Management needs to have a comprehensive structure to understand and evaluate the effectiveness of its own controls. Ultimately, the methods available become limited and result in combinations of self assessment, review of performance and risk indicators, and independent testing. Most importantly, management should embed a risk and control self assessment culture in the organization, and the best way to do that is to lead through example. By embracing a risk management process that includes self-awareness of risk and an appetite to admit to the necessity to improve controls, other employees will follow suit.
How can you verify that a specific risk management strategy is working?
If a risk management strategy is an active approach that provides guidance for decisions and those decisions are based on this guidance, even if some decisions explicitly ignore or conflict with the guidance, then you have a basis for measuring the effectiveness of that strategy.
What is your opinion about the state of risk management training and what are the best ways to improve it?
Risk management training is still in a young stage. Competing regulatory compliance and other training programs make it more difficult to provide stand-alone risk management training, which may not be a bad thing, depending on the training program the risk management training would be part of. Any risk management training for employees should be created in partnership with the organization’s training staff – they are the experts in communicating awareness and coaching employees. In general, risk management training should be easily accessible and concise, or produced in several brief modules that allow an employee to take online, either several during one session or individually at different points when the employee has the extra time to view a new module. The training should be interesting and, most importantly, the training should deliver on the promise that when the employee completes the training, the employee will know something new.
Dennis Dickstein's Bio
Dennis Dickstein has over 30 years' experience in risk management and business process in both private and public sectors. He installed a control framework to manage operational risk for the US arm of a leading global financial services firm, where he also developed and currently manages a new framework for information security and identity theft protection. Before then, he held chief operating and financial planning positions for various businesses in several Wall Street firms and financial analyst positions in Federal and state governmental agencies. Dennis has spoken about operational risk and data protection at numerous conferences and seminars. He has a master’s degree from Harvard University and a bachelor’s degree from MIT.
Dennis is co-author of a new book on risk management, No Excuses: A Business Process Approach to Managing Operational Risk, published January 2009 by John Wiley & Sons. The book explains operational risk management and business process management and provides a set of "tools" for any enterprise, whether a small business, a public institution or within a large corporation, to manage operational risk by “partnering” a risk management framework with a business process framework. Chapters begin with case studies that most readers will recognize, ranging from Enron to Exxon and doctors operating on wrong organs to toys manufactured in China. Reader reactions to the book have all been extremely positive, noting that the book and tools are easy to understand and very practical and that the case studies are appealing and relevant.