Banks have been wrestling with the issues and processes I have been discussing in this book for the past several decades. These days, it is never enough for banks and other financial services companies to merely take risks. Firms must calibrate their risks and monitor them as much as they project return on investment. Every prudent risk is taken with an eye toward avoiding the imprudent one.

It is now a given for any high‐functioning, risk‐taking institution to have an internal department—or departments—devoted full‐time to measuring and setting the firm's risk meter. I call this a company's risk organization. Supervised companywide by the chief risk officer, the risk organization comprises managers who report to the CRO, including those tasked with overseeing specific risk areas (operational risk, market risk, credit risk, etc.), as well as business‐line managers directly attuned to the risk sensitivity of each revenue center.

Banks that are prioritizing the risk organization are seeing ever‐increasing resources devoted to risk management. However, those resources alone do not achieve effective risk management. High‐functioning risk organizations I have observed and worked with share and exhibit certain common traits. Here is my list of the seven traits that increase the likelihood of success.

Mature Governance Structure

The first trait of a high‐functioning risk organization is a mature risk governance framework. This establishes the objectives, principles, and action plan for how the risk organization will manage risk, as well as the structure of committees and other bodies where key managers discuss risk‐related issues and ensure that action items are followed.

Whatever technologies and complex risk management processes a bank has put in place, nothing will work if the organization does not construct an effective risk governance framework. The framework addresses the following questions: How quickly do problems get escalated, and are they escalated to the right people? Are the right people involved in the governance of risk? Are there appropriate working groups and subcommittees to address ongoing issues? When things do go wrong, are the decision makers aware of the root causes, and how are those causes being addressed?

When a company is hurt by a risk failure in some trading unit or branch, it is often a failure of leadership to understand and then question how unusual levels of profit are really being generated by individuals or trades. Think of various rogue‐trading failures or the subprime lending debacle. Problem identification may not have occurred, or it may not have been escalated effectively. A risk governance framework can address both of these needs.

Top‐to‐Bottom Risk Culture

The second trait is a living and breathing risk management culture. A risk governance framework is only helpful if the culture allows those with lower‐level responsibilities to take action where they see unusual or unexpected risk exposure. The tone for being proactive is set from the top. An effective CRO spends time on the trading floor and in the branches making sure that everyone in the company receives the message: It is not just risk managers who manage risk, but all employees.

This is an important message because it is those on the front line who ultimately make the difference. Do they know why it is important not to open the door to someone who does not have a proper ID card? Do they understand how opening that phishing email can unlock the company's network? The tone that is set by those at the top can make a vital difference to those who execute on a day‐to‐day basis. Are senior executives acting in a way that demonstrates and reinforces the importance of the risk message?

An Open Mind about Regulation

Third, effective risk organizations see regulatory requirements not just as a bureaucratic overhead but as an opportunity to strengthen business decision making.

For example, one CRO has discussed with me the applicability of scenario‐based stress tests required under the Dodd‐Frank Act beyond regulatory compliance. Since the stress test model had to be created anyway, the CRO reasoned, why not also develop it as a tool that can support business case analysis and decision making for a wide range of business purposes?

The same is true for developing an operational risk framework that, while being required by the regulators, can have broader utility. Some banks view it as a check‐the‐box exercise, but the winners turn it into a data‐based risk decision‐making tool.

Understanding the Firm's Unique Risk Profile

Fourth, high‐functioning risk organizations have a high level of self‐awareness of the types of risks that they are prepared to take and the boundaries that they should stay within. We discussed this in relation to Berkshire Hathaway and Facebook earlier in the book. Both these companies have been amply rewarded in the marketplace for their risk management successes in this regard.

On the flip side, the consequences for firms that lack self‐awareness and fail to understand the limits of the risks that they take pay a heavy price. The failures of firms such as Knight Capital in market technology, Bear Stearns in managing client assets, and Rochdale Securities in providing customized brokerage services are all such examples.

Not Just Throwing Money at the Problem

The fifth trait is a constant search for efficiency: how to carry out effective risk management with fewer resources. The growth in risk management spending since 2008 is undisputed and potentially unavoidable, given the short‐term need to address regulatory requirements, such as those connected to Dodd‐Frank, including the Volcker Rule. The winners, however, are those organizations that over the long term can manage their risk and regulatory requirements effectively while on a tighter budget.

Innovation and Technology

The sixth trait is a drive to do research and invest in technology. In the past, this has led to the development of tools such as value‐at‐risk (VaR) and various risk‐scenario tools. Today, organizations that have prioritized innovation can analyze data in more powerful ways to identify emerging risks more quickly and accurately. Those organizations that have outsourced certain repetitive tasks have nurtured a rich risk talent pool to focus on solving difficult analytical questions. They will be able to make the best use of new analytical tools, and will be more sophisticated in managing key risk categories such as anti–money laundering, capital market manipulation, insider trading, and potential global market dislocations. In the future, managing these risks with such tools should become more like managing the traffic of a busy city: Jams will surely occur, but they won't lead to major take‐downs.

Constant Self‐Analysis

Perhaps the most important trait is a bank's ability and willingness to improve risk management elements that are lacking, which hinder the institution's success. Managing the transformation into a high‐functioning risk organization is a long‐term but still vital endeavor.

It starts with the ability to look in the mirror and conduct an honest and accurate assessment of the organization in relation to each of these traits and identify where the company falls short. When a company is hit by a high‐profile risk failure, it is natural to ask which risk management shortcomings the episode revealed, and then try to address those shortcomings. But an even more winning strategy would be to avoid knee‐jerk reactions, asking enough skeptical questions about any efforts to fill gaps—to ensure the new initiative is indeed a right fit for the organization—so the business isn't blinded by its own sense of immediacy.

The acquisition of these seven traits is not simple, but developing the right path will ultimately bring significant rewards to those able to navigate it.