Events of the past year have put enterprise risk management into the spotlight, pushing financial institutions further towards holistic risk management processes.
Risk is becoming more complex. Whether it's the perception of risk or its true nature that's changing, is, in a way, immaterial; more risk is being identified and therefore must be managed in one way or another.
A report recently released by PricewaterhouseCoopers highlighted the need for holistic risk management across organisations in today's uncertain world. "Given the events of the past year - from economic slowdown to September 11, from the slew of accounting scandals to the debate over the Basel regulations - it's hardly surprising that risk is back on the boardroom agenda," stated the report. Although financial services organisations are increasingly focused on risk management techniques, these tend to be in the sphere of financial, predictable and quantifiable risks. A forthcoming survey from PwC looking at the financial institutions' view of risk shows a continuing dominance of credit risk concerns, while changing regulations "are only of moderate concern, while risks from rogue traders, key person retention and e-business security remain a low priority."
Even so, these organisations are open to new exposures. For example, US investment banks are being scrutinised for possibly skewed investment advice; local branch closures in the UK and Australia have led to reputational problems; and insurer failures in the UK are damaging the sector's reputation.
According to PwC, integrated risk management needs to be driven by senior management and embedded into strategic planning initiatives at the very top of the organisation, as well as in analytical and control processes throughout the organisation. This falls into a four-step process:
Implemented correctly, holistic risk management not only leads to loss avoidance, but can increase shareholder value. "Chief executives who understand risk when making strategic decisions and who clearly communicate their risk appetite inside and outside the company have the best chance of striking the optimum balance between risk and reward, which is fundamental to value creation," asserted PwC.
PwC has identified ten attributes of a world-class risk management culture. These are:
What puts financial institutions in a unique risk position is that they manage both their own and others' risks. In order for such an organisation to be successful in its holistic risk management, the CEO must make that responsibility his own, and ensure risk management remains a strategic priority. "In reviewing the variety of embarrassments, sanctions and losses in the past couple of years, it is apparent that a number of these incidents can be traced back to a lack of risk management leadership from the top," according to the PwC report. " A company's chief executive should lead by articulating the risks being run, the risk appetite of the organisation, and the methods used to balance risks and returns. Senior executives make the strategic decisions and shape the corporate culture - they cannot delegate away responsibility for risk."
If anything, that pressure is increasing, as shareholders and regulators continually expect CEOs to take personal responsibility for the company and its actions. Whether, as recently seen being tested in the US, it is for the accuracy of the company accounts, or under increasingly tight corporate governance requirements for adequate risk management, the CEO is more and more held responsible for the actions of the organisation.
But it isn't just the fear of corporate collapse in the wake of shaky risk management practices that should motivate the CEO, argued the report. "The prize that awaits leading risk managers is not simply an avoidance of losses but more importantly, increased shareholder value. CEOs who understand risk when making strategic decisions and who clearly communicate their risk appetite inside and outside the company have the best chance of striking the right balance between risk and reward which is fundamental to profitable growth."
Best practice must be paramount in ensuring evolving and improving risk management processes.
Assessing the gaps between current processes and infrastructure on a regular basis enables the board to design a plan to deal with these issues. At the organisational level, authority for risk management should be delegated throughout the operation, with clear understanding about who is authorised to take risk and how much they are able to take. "Examples would include setting a maximum permitted value for an equity portfolio, maximum likely losses in a derivatives book, and the limits set on an individual manager's ability to grant something like bridging loans - an unhedged exposure potentially lasting for a couple of years," explained the PwC report.
Ultimately, the people running the risk management systems should be a mixture of specialists with modeling and quantitative analysis backgrounds, and generalists with a broad knowledge of the business who will be able to provide information on less quantifiable risks. "By developing the right risk management framework and instilling risk awareness into the corporate culture, managers can properly evaluate the trade-off between risk and reward across the business," said the report.
"Shareholder value comes not from chasing revenue growth, but from understanding the trade-offs between desired growth rates, profitability and the potential effects of the risks being run. Risk management is the key that unlocks that understanding."