There are few life decisions as consequential as your choice of career. Get it wrong, and you’re in for a world of discontent.

Perhaps you currently have a risk management position and are wondering if you can make it a career. Or maybe you are just starting out and are contemplating risk management as a career. First ask yourself this. “Is risk management even a career?”

Admittedly, you can make a career out of any income-generating activity you like. So let’s rephrase the question: “is risk management a profession?”

That is what you need to ask.

A profession is …

Some job functions are professions. Being a doctor is a profession, as is being a police officer, architect or accountant. All require specialized education and offer a career path—a progression of related job functions of increasing responsibility and remuneration. That is what makes them professions.

In a typical business career, you may pass through a progression of job functions. But these require no specialized education—you learn the function on the job. And the progression is something you make up along the way, based on your evolving interests and aptitudes—not to mention the uncertainties of the job market.

Imagine someone who starts in the mail room, moves to sales support and from there to accounts receivable. Thirty years later, she has changed companies a few times and done several stints of night school, when she lands a job as CFO at a small technology firm. Her profession is business. It is not delivering mail, or doing sales support, or collecting accounts receivable, or being a CFO. Those are all just job functions she passes through.

So is risk management a profession or a job function you pass through?

I will tell you my opinion shortly, but I must warn you there are plenty of people with a financial interest in convincing you that risk management is a profession.

They want to sell you their version of a specialized education and make you think there is a progression of risk management positions waiting for you—starting with junior risk analyst and ending with CRO.

What am I talking about?

I’ll show you an interesting result. Actually, its an eye-opener.

Some eye-popping data

This relates to the prices advertisers will pay per click related to certain search terms on Google.

You probably know how this works. Whenever someone performs a search on Google, they receive search results accompanied by several sponsored results—advertisements that look similar to search results. The advertisers pay Google if the user clicks on their sponsored result. The amount they pay for that click is determined by an automated auction, so Google is continually auctioning off search terms to the highest bidder—to whomever is willing to pay the most for clicks related to those search terms.

I just checked with Google to see what advertisers are paying per click for several risk-related terms. Here are the results.

Costs per click advertisers are paying Google for various risk-related search terms. Yes, those numbers are in US dollars, and they are prices for one click by one user.

Wow! There is a lot of information here.

First of all, risk management appears to be a lucrative market to serve. Any cost per click (CPC) above $1.00 might be considered high, and all of these CPCs are. Advertisers are paying handsomely to reach us risk managers.

But many of these CPCs are more than high. They are eye popping.

Think about it. You need an extremely lucrative product to sell if you are paying $5.00 a click. That is $5.00 to have one visitor click through an add to look at your webpage—once. There is no guarantee the visitor will buy your product. Most won’t.

At $5.00 a click, if just one visitor in 100 buys your product (a pretty good conversion rate), you are paying an average of $500 for each new customer.

The eye-popping CPCs are being paid mostly by two groups of advertisers:

1. those selling risk management software to corporations, and
2. those selling risk management certifications or degree programs to individuals

I can’t think of an adjective to describe anyone paying $21.66 for one click, but that is what the latter group is paying for the search term “risk management MBA”.

It boggles my mind.

I haven’t seen any profit statements, but it looks like “educational institutions” and “non-profits” selling risk management degree programs and certifications have created a money making machine. And to keep it running smoothly, they need to convince you and every other potential customer that risk management is a profession.

There is marketing muscle behind the message. If you spend time researching risk management on the Internet, you will find plenty of information that—subtly or not so subtly—promotes the notion that you need specialized training to be a risk manager—and that once you have paid handsomely for that training, there will be an established progression of job functions waiting for you to pass through on your way to becoming a chef risk officer in a corner office.

That’s the message—risk management is a profession.

No one has a financial incentive to promote the alternative view, but I will try.

Risk management in the real world

Risk management practices vary significantly among industries, and even among companies within an industry. This is partly due to differences in risk exposures, but it is also a result of each company, over time, developing risk management solutions that work for them—for their board, their management team, their culture.

This fact alone tells you risk management is not a profession—there is no standardization of practice.

Whenever you accept a risk management position at a new company, expect to relearn and rethink much of what you know.

That is one reason risk managers learn their trade on the job, but there is another.

Let me explain.

I have had the honor of working with plenty of risk managers over the years. They learn their skills on the job, and they learn them best performing functions other than risk management. Here are examples.

• One risk manager was an engineer who oversaw construction of a nuclear power plant. When his employer got into power trading, they asked him to head risk management. His many accomplishments include, on two separate occasions, catching rogue traders before they could cause significant harm.
• Another risk manager learned his business on the ground in Africa, sourcing agricultural commodities for his firm. When he later moved to the home office to do risk management, he knew the business, literally from the ground up.
• A third works at a bank where he has built a career switching back and forth between risk management positions and front office roles such as trading, structuring and marketing. He is a banker first and a risk manager second—that makes him an exceptional risk manager.

That captures what I am trying to say. Generalizing a little, to be an effective risk manager, you need to be a business person first and a risk manager second.

Let’s say it again with emphasis:

To be an effective risk manager, you need to be a business person first and a risk manager second.

You need to know how business decisions are made, how mistakes get covered up, how to read the tea leaves of inter-departmental politics, how to confront wrong-doing without adding to the problem. You need to know when to take a stand, when to back down, when to bide your time, and when to go to the CEO.

You don’t learn this from a book or sitting in a classroom—and you don’t learn it working as a risk manager.

If you are going to be a business person first and a risk manager second, you have to learn business. Trying to do so working as a risk manager is like trying to learn soccer as a spectator. You have to get into the game.

You have to take positions outside of risk management, in operational departments. It could be in marketing, or engineering, or billing, or shipping. Wherever it is in the company, that is where you will become a business person.

The great divide

What do companies look for when they hire for junior risk management positions? If they are smart, they don’t look for fluffy risk management certifications or degrees. They look for specific skills that might include

• general math
• probability, statistics and time series analysis
• education in a physical science
• knowledge of analytic software such as MatLab
• experience with html, css and content management systems

These are the skills needed to perform analyses, compile those analyses into reports, and distribute those reports.

It is at more senior levels that risk managers need the business skills I have mentioned.

So where should companies look to find senior risk managers? Promoting junior risk managers won’t work if they have had little opportunity to learn the business skills senior risk managers need. The best place to look is in operational departments within the firm—finding people who are seasoned business professionals. Coming from within the firm, they will already know the firm. If they have held a more junior risk management position at some point in their career, all the better.

Stated another way, there is a great divide between the skills required of senior risk managers and those that more junior risk managers have an opportunity to develop. Rising through the ranks holding exclusively risk management positions is difficult, if not impossible, because there is no established progression of risk management positions to follow.

If you aspire to someday be a CRO, plan on spending at least part of your career in jobs unrelated to risk management.

So risk management is not a profession. You can make a career of it, but be a business person first and a risk manager second.

And one more thing: Avoid labeling yourself as a risk manager. You will have an easier time switching between risk management and operational jobs if you are seen as a savvy business person and not as a risk manager.

That is another reason to avoid risk management certifications and degree programs: they will label you a risk manager.

Make it your mantra: a business person first and a risk manager second.