Leading Enterprise Risk Management at Bank Simpanan Nasional

Muizz Farid leads enterprise risk management at Bank Simpanan Nasional.

As Chief Risk Officer (CRO) at Bank Simpanan Nasional (BSN), Muizz Farid anchors his approach to enterprise risk management on the real-world impact of decisions.

“The decisions we make affect people who rely on the bank not just for convenience, but for opportunity,” he says.

Muizz did not set out to specialise in enterprise risk management. Fresh out of RMIT University, he didn’t have a grand career roadmap, choosing instead to take roles that made sense at the time and focused on hands-on experience.

“Over the years, I found myself in situations where decisions mattered and where the consequences of those decisions were visible,” he reflects.  Those situations often involved making calls with incomplete data, where the consequence sat with the business, not the model.

“That was probably where my interest in risk began to take shape, although it wasn’t something I consciously labelled early on. I was more interested in understanding why things worked, why they failed, and how people made choices when the answers were not obvious.”

The opportunity with BSN came much later. Muizz credits this milestone to the right exposure, peer encouragement, and leaders who trusted him with responsibilities before he felt fully prepared.

Risk management in banking: Why more data doesn’t automatically lead to better outcomes

Technology has transformed how businesses gather information, but massive data volumes can quickly overwhelm them.

According to SAS’s Data and AI Impact Report: The Trust Imperative, 46% of organisations worldwide are caught in a “trust dilemma” where they are either over-relying on unvalidated artificial intelligence and data systems or underusing them due to a lack of confidence.

Navigating this dilemma means ensuring systems are validated before they influence customer outcomes. For risk management in banking, the real technology risk lies in the quiet assumption that more data automatically yields better decisions.

“The reality to me is that data reflects history, not intent. Models work well when conditions are stable, but they can struggle when customer behaviour changes or when we begin serving segments that have historically been excluded from formal financial systems,” Muizz shares.

“That is especially relevant for a development institution like BSN, where many customers do not fit neatly into traditional profiles.”

To avoid over-relying on algorithms, the Chief Risk Officer emphasises that technology must support human judgement, not replace it.

This is where enterprise risk management bridges the gap, prompting practitioners to ask practical questions: “What assumptions sit behind this model?”, “Where might it fail?”, and “Who is accountable when it does?”

Furthermore, early exposure to real-world decision-making shaped his approach towards risk management.

“Earlier in my career, I saw how often decisions had to be made with incomplete information, under time pressure, and with competing objectives,” he recalls.

Repeatedly seeing this changed his perspective on the field, making him more interested in practicality than perfection.

Through his experience, another core lesson emerged: context matters. A control that works in one environment can yield entirely different results when the variables shift.

Today, these insights help him treat risk management not as an abstract function, but as a practical discipline that supports better choices.

Cultivating a risk culture: Balancing discipline, progress, and people management

Established as a statutory body in 1974, BSN holds a long-standing mandate to encourage savings and investments among all Malaysians.

As CRO, Muizz works to balance institutional experience with evolving expectations on risk, governance, and resilience. He notes that practices need to be reviewed continually to stay aligned with a changing environment.

For Muizz, cultivating a risk culture isn’t just about enforcing stronger practices; it is doing so in a way that respects the institution.

He adds that a large part of the challenge involves people management, both within his risk management department and across senior leadership.

“Different individuals come with different exposures, experiences, and reference points. Aligning expectations, building a shared understanding of where the industry stands, and explaining why certain standards matter today takes time, patience, and consistent follow-through.”

Instilling a shared risk culture across these different backgrounds also requires a consistent framework.

Whether he is addressing day-to-day operational gaps or overseeing technology risk management, Muizz credits his Institute of Enterprise Risk Practitioners (IERP®) Operational Risk Leader (ORL™), Sustainability Risk Manager (SRM™), and Digital Risk Manager (DRM™) certifications with shaping his approach towards enterprise risk management.

The IERP® graduate credits these certifications with bringing structure and consistency to how he evaluates threats. They also reinforced the importance of clarity: clear definitions, clear ownership, and clear escalation.

“The impact shows up in smaller, cumulative ways…how risks are articulated, how discussions stay focused, and how decisions are recorded and flowed through. Over time, these practices reduce uncertainty and improve the quality of conversations.”

‘Ask the right questions’: Building a career in enterprise risk management

For aspiring Chief Risk Officers, Muizz highlights one core habit.

“Learn how to ask the right questions. Early in your career, there is a natural tendency to focus on doing what you’re told and getting things right,” he says.

“While that is important, growth tends to happen when you start asking why something is being done, what assumptions sit behind it, and what could change those assumptions. Over time, those questions shape how you think.”

Asking the right questions, however, is only half the equation. Muizz built his career by tackling unclear, uncomfortable, or slightly higher-risk tasks that exposed him to new problems, people, and perspectives.

He also considers himself fortunate to have worked with leaders who gave him space to try things, make mistakes, and recover quickly.

“The expectation was not perfection, but ownership and learning; that environment made a lasting difference,” Muizz shares.

By taking on situations that stretched his capabilities, Muizz found that these experiences developed a level of judgment and confidence that “no single role or qualification can provide.”

Beyond risk mitigation: The future of enterprise risk management

A common misconception is that risk practitioners merely serve a protective function rather than creating value. Looking ahead, Muizz expects risk leaders to be integrated more deeply into strategic discussions; not as a counterweight to ambition, but as a partner that helps it endure.

“As organisations grow more complex, success is no longer defined purely by how much value is created, but also by how consistently that value can be sustained,” he says.

He noted that risk management and risk practitioners played a central role in that resilience by helping organisations protect what they have and make progress with confidence, even in uncertain environments.

Fortunately, the tide is turning. A 2025 KPMG Enterprise Risk & Resiliency Survey suggests that 64% of organisations have formally integrated risk and resilience into their business strategy.

Backed by advances in data and analytics, Muizz is confident that risk functions can deliver sharper insights and support clearer decisions than ever before.

“The role of a CRO, in particular, is well-placed to bridge strategy, execution, and resilience,” he notes.

For him, the aim is straightforward: building environments where risk practitioners are valued for their judgement, trusted for their intent, and respected for their contribution to sustained performance.

Share the Post

Upcoming Events

IERP® Global Conference 2026

Aug 17, 2026

Latest Articles

Share the Post

Subscribe to our weekly newsletter
and stay connected!

Subscribe to our weekly newsletter and stay connected!

Receive the latest update on our risk management program, industry news, events and more!

Subscribe to our weekly newsletter