After the recent events in the banking sector, more financial services firms may turn to enterprise risk management, says Gordon Burnes

In the wake of recent high profile stories of mismanaged risk, including the failure of Northern Rock, the rapid fall of Wall Street firm Bear Stearns and the rogue trading scandal at Société Générale, many financial services companies are rethinking their risk management approaches. While managing the risk versus reward trade-off has always been at the core of a financial services company’s business, companies are adopting new strategies to address the kinds of failures that have characterised recent times, and many are coming to the conclusion that they need to better integrate the risk management functions across their companies.

This rethinking of risk management strategies is driven in part by the spectre of increased oversight from the regulatory agencies that govern the financial services sector. On 16 April 2008, the European Commission announced that it would be seeking public comment on possible changes to the Capital Requirements Directive (CRD). Among other things, the focus will be on ‘hybrid capital instruments’ and ‘supervisory relationships’. The results are expected in autumn. Companies are eager to avoid a wave of regulatory change and so are taking active steps to adjust their risk management strategies to address the current risk landscape.

The Senior Supervisors Group, a committee of UK, German, Spanish, French and US regulators of the Bank for International Settlements, recently studied how the largest banks in Europe and the US handled the market turbulence associated with exposure to US mortgage-backed securities. Observations on Risk Management Practices during the Recent Market Turbulence notes that ‘firms that avoided problems demonstrated a comprehensive approach to viewing firm-wide exposures to risk, sharing quantitative and qualitative information more effectively across the firm and engaging in more effective dialogue across the management team.’

It would be overly simplistic to argue that just a view of firm-wide exposures to risk will save a company from realised risk, and clearly, there were many causes of the recent credit crisis and many to blame in the handling of the subsequent events. In its recent summary findings of its handling of Northern Rock, the UK Financial Services Authority (FSA) bluntly admitted that it could improve on many of its internal processes. But regulatory agencies should address systemic risk; the onus is on individual firms to manage their internal risk.

At other times, internal control failures or poor policy are to blame. Apparently, Jérôme Kerviel, the rogue trader who cost Société Générale €4.9bn, never took vacation days in 2007; mandatory time away from the desk is a typical control policy for traders. This is just one of the controls he allegedly was able to circumvent. In another high profile operational failure, the UK retail bank HSBC lost the names of 370,000 customers when a disk that was sent through the post never arrived at its destination. While the disk did not contain bank account details or addresses, the incident was an embarrassment nevertheless. As these two events illustrate, it is critical to ensure that a company’s key risks are being mitigated by effective controls and that policy violations are flagged for inspection at the highest level of the organisation. This inspection is just good governance.

Nevertheless, many companies are thinking about a more strategic approach to how they manage risk in the business and are paying particular attention to what the Senior Supervisors Group noted about the companies that escaped the worst of the subprime crisis: that they had a view of ‘firm-wide exposures to risk’. In order to accomplish this firm-wide view, many companies are focusing on their organisational structure and enterprise risk management (ERM) programmes.

Rationale for integration

The rise of the chief risk officer (CRO) is some indication of the change in how companies are thinking. In many companies, the CRO acts as an organisational catalyst for integrating risk across functional areas. In some financial services firms, the CRO is actually taking over managing the risk associated with financial controls, normally the purview of the CFO. In these companies, both operational risk and financial controls, two areas of risk management for which there are particular synergies, would report to the CRO.

The rationale for integration is that risk management functions will operate more effectively and efficiently when integrated or aligned. Take the example of Credit Suisse, which reported earnings in early February showing that it had avoided the large losses of other banks. One week later it announced a $2.85bn write-down because of a mispricing by traders of asset-backed securities. This mispricing appears to have been the result of a realised operational risk: a failure of the pricing process or of the controls associated with the pricing policy. The outcome might have been different had there been a tighter linkage between the market and operational risk departments. To address this operational risk in the market and credit risk pricing processes, there has been an increase in projects to do with ‘model validation’, one of the key operational risks associated with those functions.

A comprehensive approach to viewing firm-wide exposures to risk requires both executive commitment to a risk management culture, and an integrated organisation, sharing responsibility for all aspects of risk within the company, including setting policy across risk-taking activities. Such policies must be ingrained throughout the organisation so that executive leaders have the confidence to allow lower-level managers to manage and mitigate risks at the business unit level.

But beyond culture and organisation, effective risk management organisations will also embrace the modern software platforms that can help identify, manage, monitor and mitigate firm-wide risks. Such platforms reflect the policies and risk management framework set by the board and the executive team. The risk management framework also needs to encompass the business processes that connect to other organisations, including business partners and providers of outsourced operations, so that they, too, can model and mitigate risk, reducing the chance of systemic failure within a supply chain.


One of the benefits of modern risk management platforms is that they can cover a whole spectrum of internal risks. In addition to the well-known domains of market and credit risk, organisations rethinking their risk management strategies are giving careful consideration to a more programmatic approach to risk management domains that are emerging in importance:

Compliance risk: the risk of legal or regulatory sanctions, financial loss, or reputational impact due to a failure to comply with laws, regulations, standards, codes of conduct and/or internal policy

Operational risk: the risk of loss due to inadequate or failed processes, or due to external events

Technology risk: the risk of loss associated with failed, compromised or inadequate information technology, which can further expose an organisation to additional risk

Strategic risk: the risk of loss arising from adverse business decisions that poorly align to strategic goals, failed execution of policies and processes designed to meet those goals, and inability to respond to macro-economic and industry dynamics.

What is needed in most cases is a policy-driven approach that provides understanding and visibility of risk exposure across all domains, and of the potential impact of realised risks in each domain. Such visibility requires a flexible risk and control framework that clarifies the state of risk in the business, so that managers can make risk-aware business decisions in a timely manner. Such a framework should allow businesses to share processes, risks and controls across business units to reduce complexity, eliminate duplication of effort, reduce cost and understand interdependencies between key risks, controls and business processes.

Looking to ERM

ERM establishes a framework for identifying, measuring, monitoring and managing risk. It acknowledges that business risks are intertwined and should be managed in an integrated manner. A comprehensive ERM programme will:

Align a firm’s risk appetite with business objectives

Identify and manage multiple and cross-enterprise risks

Enhance and optimise the control environment


Reduce the frequency and severity of operational surprises and losses

Enhance the rigour of the firm’s risk-response decisions

Actively seize on the opportunities presented to the firm

Improve the effectiveness of the firm’s capital deployment.

Much has been written about companies pursuing an ERM framework to help identify and manage interdependencies among all the risks facing the firm. ERM should help in the establishment of a consistent approach across the organisation’s businesses by providing minimum standards for risk management. This will ensure that risk policies and procedures are adequate and effective.

However, there are several success factors that are critical to establishing an integrated ERM framework and process that can be effectively implemented, managed and maintained.

Senior management buy-in and commitment: Senior management must make the risk management programme a high priority initiative throughout the company and foster a culture emphasising the central importance of ethical behaviour, quality control, and risk management. In addition, risk manager accountability and responsibility should be tied to individual incentives.

A strategic vision and realistic implementation plan: There have to be clear connections between the risk programme’s vision and the company’s strategic and business objectives. The implementation plan should follow a phased approach, creating smaller successes that serve as building blocks. Firms should strive to build a risk-aware culture where risk management processes are embedded into the DNA of the company.

Converged and harmonised methodology and processes: For example, firms will need to establish a common risk rating methodology for all risk data, such as loss events, risk assessments, and key risk indicators. They will also want to eliminate duplicate and redundant assessments by implementing a single sign-off. Testing should ensure that internal controls and business continuity plans can withstand the shock of high-impact events.

The role of technology: Meeting the increasing demands of ERM in a large organisation requires effective technology support to manage enterprise risk in a rigorous and systematic way. Technology should be an enabler – supporting the risk and compliance management process and methodology – but should not define either of them.

In the current business environment, risk management has taken on a higher profile than ever before. Executive management and boards of directors need a deeper understanding of how risk is being managed in their businesses and, in particular, how to manage risk to create the greatest reward for their shareholders. As companies rethink their risk management strategies, many will adopt an enterprise risk management platform to be able to recognise when there is a disconnect between policy and reality, and to reduce the inefficient duplication of effort that plagues so many siloed risk management efforts. Adopting such a platform could be a vital step in restoring confidence in management’s risk management capabilities.