Events of the past year have put enterprise risk management into the spotlight, pushing financial institutions further towards holistic risk management processes.

Risk is becoming more complex. Whether it is the perception of risk or its true nature that is changing is, in a way, immaterial; more risk is being identified and therefore must be managed in one way or another.

A report recently released by PricewaterhouseCoopers highlighted the need for holistic risk management across organisations in today's uncertain world. "Given the events of the past year - from economic slowdown to September 11, from the slew of accounting scandals to the debate over the Basel regulations - it's hardly surprising that risk is back on the boardroom agenda," stated the report. Although financial services organisations are increasingly focused on risk management techniques, these tend to be in the sphere of financial, predictable and quantifiable risks. A forthcoming survey from PwC looking at the financial institutions' view of risk shows a continuing dominance of credit risk concerns, while changing regulations "are only of moderate concern, while risks from rogue traders, key person retention and e-business security remain a low priority."

Even so, these organisations are open to new exposures. For example, US investment banks are being scrutinised for possibly skewed investment advice; local branch closures in the UK and Australia have led to reputational problems; and insurer failures in the UK are damaging the sector's reputation.

According to PwC, integrated risk management needs to be driven by senior management and embedded into strategic planning initiatives at the very top of the organisation, as well as in analytical and control processes throughout the organisation. This falls into a four-step process:

  • strategy - risk management must be integrated with strategic decisions, and common objectives for management of risk must be articulated on a firm-wide basis;
  • organisation structure - risk management must be a board/CEO priority, and the risk management organisation must have power, visibility and clear escalation lines to senior management;
  • processes - common approaches to measurement must be adopted to enable comparison and aggregation, and policies and methodologies for controlling and managing risk must be re-engineered in line with firm-wide objectives; and
  • infrastructure - firm-wide risk management systems must be implemented to provide management information to support risk management objectives.

Implemented correctly, holistic risk management not only leads to loss avoidance, but can increase shareholder value. "Chief executives who understand risk when making strategic decisions and who clearly communicate their risk appetite inside and outside the company have the best chance of striking the optimum balance between risk and reward, which is fundamental to value creation," asserted PwC.

PwC has identified ten attributes of a world-class risk management culture. These are:

  • equal attention is paid to both quantifiable and unquantifiable risks. The temptation to ignore risks that cannot be quantified, such as reputational risk, is avoided;
  • risks are identified, reported and quantified to the greatest possible extent. This means setting up extensive historical risk and loss databases, and identifying risks precisely rather than burying them into general categories such as credit and operational losses;
  • an awareness of risk pervades the enterprise. Performance measurement and pricing are risk-adjusted. Pay structures also reflect risk management priorities - compensation schemes encourage risk-taking behaviour that is aligned with risk appetite. Risk-adjusted forecasts and returns give shareholders and analysts a full understanding of the risks being run;
  • risk management is everyone's responsibility. Risk is not fragmented into compartments and silos - risk management shouldn't be either. People from IT, legal, compliance and even communications departments are involved in decision-making to inform senior managers of non-financial risks associated with the launch of new businesses and products;
  • risk managers have teeth. Everyone involved in monitoring risk, even non-financial risk, has a power of veto over new projects they consider too risky. Equally, the chief risk officer has the power to drive the risk awareness and management agenda;
  • the enterprise avoids products and businesses it doesn't understand. Proper risk management depends on knowing enough to comprehend the dangers that are faced. A product or a business that is delivering outstanding growth but is too complex for management to understand is a risk too far. Put another way, if you don't understand it, don't do it;
  • uncertainty is accepted. Companies use scenario planning to make sure their strategy embraces uncertainty rather than hiding or eliminating it. Rather than basing strategy around fixed assumptions, leading risk managers try to factor all possible developments into decision-making;
  • risk managers are monitored. Risk management is too important to be left to risk managers alone. Internal audit procedures ensure that systems are running properly and the right results are being achieved;
  • risk management delivers value. It is not designed to stop people from taking risks but rather to create value by enhancing the chances of a project or product succeeding and by enabling managers and shareholders to understand the level of risk they run and to manage accordingly; and
  • the risk culture is defined and enshrined. The enterprise's risk appetite is clearly and widely understood. Whether a company's culture is entrepreneurial or conservative, risk management is aligned with that culture to give managers and employees the requisite freedom of manoeuvre.

What puts financial institutions in a unique risk position is that they manage both their own and others' risks. In order for such an organisation to be successful in its holistic risk management, the CEO must make that responsibility his own, and ensure risk management remains a strategic priority. "In reviewing the variety of embarrassments, sanctions and losses in the past couple of years, it is apparent that a number of these incidents can be traced back to a lack of risk management leadership from the top," according to the PwC report. "A company's chief executive should lead by articulating the risks being run, the risk appetite of the organisation, and the methods used to balance risks and returns. Senior executives make the strategic decisions and shape the corporate culture - they cannot delegate away responsibility for risk."

If anything, that pressure is increasing, as shareholders and regulators continually expect CEOs to take personal responsibility for the company and its actions. Whether, as recently seen being tested in the US, it is for the accuracy of the company accounts, or under increasingly tight corporate governance requirements for adequate risk management, the CEO is more and more held responsible for the actions of the organisation.

But it isn't just the fear of corporate collapse in the wake of shaky risk management practices that should motivate the CEO, argued the report. "The prize that awaits leading risk managers is not simply an avoidance of losses but more importantly, increased shareholder value. CEOs who understand risk when making strategic decisions and who clearly communicate their risk appetite inside and outside the company have the best chance of striking the right balance between risk and reward which is fundamental to profitable growth."

Best practice must be paramount in ensuring evolving and improving risk management processes.

Assessing the gaps between current processes and infrastructure on a regular basis enables the board to design a plan to deal with these issues. At the organisational level, authority for risk management should be delegated throughout the operation, with clear understanding about who is authorised to take risk and how much they are able to take. "Examples would include setting a maximum permitted value for an equity portfolio, maximum likely losses in a derivatives book, and the limits set on an individual manager's ability to grant something like bridging loans - an unhedged exposure potentially lasting for a couple of years," explained the PwC report.

Ultimately, the people running the risk management systems should be a mixture of specialists with modelling and quantitative analysis backgrounds, and generalists with a broad knowledge of the business who will be able to provide information on less quantifiable risks. "By developing the right risk management framework and instilling risk awareness into the corporate culture, managers can properly evaluate the trade-off between risk and reward across the business," said the report.

"Shareholder value comes not from chasing revenue growth, but from understanding the trade-offs between desired growth rates, profitability and the potential effects of the risks being run. Risk management is the key that unlocks that understanding."