Interview with Mohd Fauzi Rahmat, CRO, Bank Simpanan Nasional
In his long and illustrious career, Mohd Fauzi Rahmat has worn practically all the hats in the C-Suite. CRO, CCO, COO, CEO – he has been them all. With three decades of experience in the financial industry, it is quite difficult to imagine that he actually started in sales & marketing in an IT company. But he started working at a time of recession, and as a fresh graduate in 1989, he felt lucky to even be offered a job. “I’d just finished my studies,” he recalled. “Jobs were thin on the ground. It was my first interview, and my first offer. No hesitation; I took it!” But he quickly moved from the Singapore-based IT firm ECS Computers to Citibank, where he became a Relationship Manager.
As it turned out, Citibank was a good fit, and he readily acknowledges that he learned a lot in his time there. When he left Citibank to pursue his interest in Islamic financial services, he was its Vice President and Senior Credit Analyst for the Bank’s Country Risk Management Division. Early exposure to risk management in Citibank triggered an abiding interest in the subject, which he carried over to and applied in subsequent positions in other banks. Quite early on in his career, he found he was predisposed to detail, and actually liked the tedium of combing through reams of data for useable information.
This stood him in good stead when it came to monitoring the corporate loans he was in charge of, in most of the financial institutions. “We gave out very few loans but they were huge ones, and they needed a lot of due diligence, a lot of analysis, and very careful oversight,” he explained, adding that these were for players in the major industries like construction, electric utilities, shipping and petroleum. “And there was a lot of follow-up.” He “grew up” professionally with this multinational financial services culture. The intensity of its application differs between financial institutions, he added. “We had to not only keep in touch with the clients through frequent visits and calls, we also had to write reports for each visit and call made,” he recalled.
Such intensity spurred the development of a certain level of intuition. “Sometimes you get the feeling that something’s just not right,” he said. “You instinctively know when to proceed with an action, step back or just carry on in a holding pattern. Your intuition in that particular environment increases.” It was intuition like this, he added, that moved some foreign banks to minimise their exposure in the Malaysian property sector in 1996, just months ahead of the 1997 recession. “Foreign financial institutions sometimes have sharper intuition,” he said. “They are more sensitive to the environment, and know when to stop.”
Indeed, at least one subsequent position landed in his lap because his reputation of having finely-honed instincts for turnaround, credit and risk management preceded him. He stepped up to the plate with Bank Islam and was its CRO for two years before moving on to Bank Pembangunan as its Chief Operating Officer. From there, he moved to EXIM Bank as its Managing Director/CEO, before continuing to pursue his interest in Islamic Finance with the Asian Finance Bank in 2010, as its CRO. In a very short span, he became CRO with Al-Rajhi Bank, and then CCO with MIDF Investment Bank, before joining Bank Simpanan Nasional (BSN) as its CRO in 2014.
Here, he talks about different hats, different cultures and different challenges:
IERP: What were the main challenges going from an essentially risk background to the different C-Suite positions?
MFR: C-Suite hats are interchangeable! The shift from one C-Suite position to another in different financial institutions was not that difficult. The challenge was in getting the required support. A lot of a C-Suite’s time – sometimes as much as 85% to 90% – is spent managing people, although it may be less for CROs. But for the position of a CEO, equally important time is spent in the PR role as the key person representing a company that deals with key customers, business associates and the regulators (the Central Bank and other government-related functions). Days consist mostly of meetings but you need to have technical knowhow to deal with the questions, challenges and issues affecting the banks. It also depends on the institution itself. Some banks needed to be turned around – a lot of attention was given to fixing and improving the strategies, policies and day to day processes and systems. Often in some banks, there were legacy systems to deal with for example, or a large number of branches which may not be performing as expected. We had to think, could we take a hit? Would the legacy system be sustained in the stressed situation?
IERP: What was a typical day like as a CRO?
MFR: I was usually in the office by 7 or 7:30am – I switched the lights on! (laughs) My first meeting used to start at 8:30am but the early hours have always been a good time to reflect and order my thoughts about the things I need to do in the course of the day. I would clear my e-mails, and get my mindset in gear. By 9:00am all that’s done. You need to start two hours ahead of everyone else when you’re on lots of committees. In BSN for example, I was in two dozen! But having a risk framework shows where your priorities lie; you realise you can’t do everything so you do what you can, and carry forward what you can’t. Prioritizing is the keyword here. CROs have to tell a lot of things to a lot of people; you’re in the hot seat. My days as CRO didn’t end until 10:00pm, sometimes even later – although I did try to be home by 8:00pm as often as I could. I was usually the last one out of the office; I switched the lights off!
IERP: What would a typical day’s activities vis-à-vis risk management be?
MFR: It usually involved a mix of planning, assessing and executing the BAU matters, and unplanned activities; attending meetings of various committees and sub-committees; attending to regulatory and internal reporting; and preparing with the risk management team for upcoming engagements with the regulators, Board and Management. The previous day’s deliverables would also have been reviewed, and all communications cleared at the start of the day as well.
IERP: Were there any strategies you crafted or implemented that did not turn out as intended?
MFR: Yes, but not often. Most of the risk management-related projects would have been approved by the Board Risk Management Committee, so these projects would have had Board support to begin with. Sometimes we had to reprioritise certain projects or deliverables, depending on the needs and functions of the institution at that time.
IERP: What were the tipping points? Were you able to backtrack, reconfigure or recuperate?
MFR: One indication was when the deadline of the project was exceeded. Another was when support for the projects appeared to be absent – either at the operational, Management, or Board levels. Sometimes we had to backtrack and reassess the situation; sometimes we had to reallocate resources or reschedule the plans.
IERP: What were your greatest ERM challenges?
MFR: Initial buy-in from middle- and lower-level staff was difficult (especially in institutions with long history and many legacy systems and practices); building and retaining a risk culture as well. Justifying ERM-related costs was another. Building a long-term risk culture is a stressful journey as it involves a multitude of awareness activities, system support and, most importantly, development of internal buy-ins from all levels – at a consistent level and intensity. This was difficult because ERM is often not immediately associated with obvious short-term revenue-generating activity but more about meeting regulatory and compliance requirements. Only long-term, ingrained risk culture within the organization can prove that ERM is beneficial not only in “avoiding” costly risks and mistakes, but also ensuring sustained revenue-generating capacity of the institutions’ business. I prefer to compare ERM to the “brake” of an institution. We know that the fastest car in the world would need the best brake system to ensure that the car not only stops in time when needed, but also to help navigate winding and challenging roads or race tracks.
IERP: Were there occasions when you had to make difficult or unpopular decisions?
MFR; Yes! That’s the heaviest burden of any CRO! Being CRO means being in the hottest seat of the organisation. Over the years I had to make many unpopular decisions, including stopping a business move. I once had to recommend to the CEO that management stop the auto-financing business of a bank, to ensure that the division re-instituted its processes to ensure 100% Shariah compliance.
IERP: What are some of the factors that inhibited the development of risk culture in the various organisations you were with?
MFR: There were cases where moral and financial support from the Board and management were lacking – the requisite “tone from the top” was sorely missing. Occasionally, members of the Board and management themselves were not knowledgeable enough about risk management, so they could not really take the role to “lead” (i.e. no tone from the top). This situation also meant that when the top leaders did not have the requisite passion for risk management, the culture unfortunately cascaded to the lower levels, resulting in low acceptance and awareness of risk management among staff. Additionally, training and development in risk management can be costly; an organisation’s staff development program is often ROI-driven (priority is usually given to its revenue-generating activities). At the other end of the spectrum, there was (and still is) a definite shortage of talent in risk management in the industry, particularly in support of activities at business and operational levels to support the risk function at HQ. CROs also had to deal with entrenched practices in some organisations. Old habits do die hard; it is a major challenge trying to change culture or practices carried over from the previous leaderships. Risk culture development was also stunted sometimes by the lack of IT and other support systems, the size of the organisation itself, and the way it was operationally structured.
IERP: What resources do you wish you had as a CRO?
MFR: Dedicated, suitable, trainable talents from various backgrounds (both from the business and financial as well as technical disciplines), and that the institutions had been able to offer them competitive support and compensation. The risk function (and the talents) must be supported by clear, consistent strategies and directions from the top; clear, consistent, firm actions from other functions like Compliance and Audit; accurate, reasonably complete data and information; good IT systems and tools like rating tools, market risk monitoring systems, RCSA, and BCM tracking for instance. As a CRO, I wish I could have been less involved with day-to-day management-related activities as well, and not be overloaded with internal meetings and committees – which in reality are almost impossible to be effective in, given the respective organisation’s situation and development levels.
IERP: What kept you awake at night as a CRO?
MFR: The thought of expected or unexpected events that could trigger massive BCP activities or cause a total system meltdown; massive cyberattacks; natural disasters – earthquake, floods etc. I’d worry about the systems and staff safety, as well as credit and financial health (and of course reputation) of the institution – and that if those massive events ever happened, whether the institution could take the hit and be able to recover.