With crisis in financial markets still unfolding, most organizations are asking themselves, “How could we have avoided this crisis?”, “How does the current crisis affect us?”, or “What steps should we take to deal with the current crisis?”, or “Which is the most appropriate way to prevent such disruptions in the future?” There are endless debates about what happened, who’s at fault, whether we should revamp our internal controls and processes, and how this will impact the organization.
Irrespective of the conclusions drawn, organizations in financial industry today agree in unison that there has never been a stronger need than now for a sound financial risk management. It is imperative for us to understand more about what happened, and draw some parallels to our risk management and corporate governance situations. As put by a risk expert, “The essence of risk management is to know your key risks and to work at managing them, which is virtually impossible if you do not understand what they are.”
To help risk managers navigate through these complex issues, MetricStream organized a webinar titled "Risk Management in Financial Services". The panel discussion, structured on a roundtable format, featured prominent experts on risk management including David R. Koenig, Founding Partner of Ductilibility and Past Chair of the Board of Directors of the Professional Risk Managers' International Association (PRMIA); S. Jean Hinrichs, Former Chief Risk Officer at Barclays Global Investors (BGI); Dr. Robert Mark, CEO of Black Diamond Risk and Former Chief Risk Officer at the Canadian Imperial Bank of Commerce and Charles Goldenberg, Vice President of GRC solutions at MetricStream, Retired Partner, Deloitte and Former Partner, KPMG. The moderator for the discussion was Gaurav Kapoor, CFO and General Manager at MetricStream.
The webinar was attended by not just the financial organizations that were directly affected by the financial crunch, but also the financial and non financial organizations looking to combat the risks of present day’s volatile business environment. This diverse representation provides validation on the significance of this topic in the current economic scenario. We will start with a couple of views, on risk, that were put forth in this webinar.
Benchmarking the quality of your ERM program
Recent financial turmoil has heightened concern and focus of enterprises on risk management, asserting the need for a robust framework to effectively identify, assess, and manage risk. Companies are paying more attention to their risk and reward ratio. Risk management has become an area in which a company can differentiate itself from competition; and it is, therefore, a topic of strategic importance.
What are the critical success factors to implementing ERM technology?
Implementing a corporate risk management framework requires risk management to be embedded across the whole organization. The tone at the top should define the objective and risk appetite of the company, in line with corporate strategy and operations, and document it in a risk policy.
Dr. Robert Mark, the CEO of Black Diamond Risk puts, “To start with, it is critical for an organization to have a robust limit management. As the organization moves upward in risk maturity model, it should have an accurate estimate of Value at Risk and a measure of risk via stress tests or scenario analysis. This measure of risks makes the basis for calculating accounting capital, economic risk capital and regulatory capital and ultimately to performance measurement and pricing model.”
Financial institutions that comprehend risk holistically can strategically leverage risk-taking as a tool to strengthen their competitive position. A consolidated operational risk framework provides clear guidance on risk appetite or tolerance, policies, methodologies, and processes for day-to-day risk management. The framework, as suggested by Robert, encompasses -
- Policy: The ERM Policy set forth the governing principles and personnel responsible for specific aspects of risk management activities. Robert explained that, “To every strategy that is put forward you have a measure of Risk attached to it; ensuring that the organization’s business strategy is in tandem with its risk appetite and risk tolerance. Organizations today not only want their risk measures to be back tested, but also want that risk should be properly disclosed internally as well as externally on a drill down and integrated portfolio management basis. A good policy ensures that the board, senior management has a clear picture of risk portfolio. A good list has around 50 top risks that company faces; with enterprise-wide awareness of what the top 10 are. If something wrong happens, it should be something out of 10 risks listed in the list - indicating that you are measuring risks well.”
- Methodology: The CROs ensures that ERM methodology and ERM technology are in sync. Here Value at risk and stress test methodologies are integrated across all risks and all lines of business. Risk Related methodologies are properly vetted and back tested from independent source and positions are properly valued.
- Infrastructure: Another key factor behind successful ERM is the infrastructure which is supporting the processes. From risk identification, assessment, management till risk mitigation and reporting- all these processes in an organization need to be well coordinated to have successful implementation. Rob stressed on the importance of having appropriate people in place as well. The view was supported by S. Jean Hinrichs who held that fostering a risk culture that encourages candid discussions about key risks can help increase our visibility into the risk portfolio.
Clearly what works in normal market might not work in abnormal market. Does this framework hold well in abnormal market conditions?
Most risk management frameworks are based on historical market fluctuations, which might not accurately predict forward-looking market conditions. Furthermore, the risk measures in normal market conditions reflect the potential risk of loss based on recent market experiences. Advanced risk assessment is recommended to calculate risk for abnormal market conditions, and for different business scenarios.
According David R. Koenig, risk management is really about managing changes; making financial instruments or systems change with external factors, and behave in a way that is acceptable to our risk policies.
This graph is a representation of distribution of changes in values. V0 is the current value of an asset, might be a stock or a company. Changes to the right of V0 represents increase in value, and changes to left represent decrease in value
Quantitative methods, cultural awareness, processes and control are all important to an enterprise risk management framework. However, a subtle but important contributor to the impact of a risk event, which defines future states of value, is often ignored in present-day enterprise risk management programs. Risk management is particularly good at working in the middle of distribution, as there is a very small change in value and we are in a ‘Safe Zone’. Our risk calculations are based on normal markets. These estimates, however, fail in the abnormal markets. As we move from Safe Zone to Unsafe Zone, our ERM policies give away. The robustness of an ERM program can be determined by the way it steers organizations to move from middle of the distribution out to the tail, without any adverse or negative impact. Yet another reason why organizations struggle during abnormal times is its failure to take risk of “low probability high impact events” in account while prioritizing risks.
This may lead to under-appreciation of the value of addressing risks and even false comfort levels. Intriguing psychological research has been published that shows that the impact of a “risk event” can be either attenuated or exacerbated by the human reaction to that risk event, factors such as “Social Amplification of Risk Framework”. The human reaction can be affected by present-day risk perceptions and framing, for example, or how risk is processed psychologically. This is why in subprime crises we have seen amplification from 500 billion to over 20 trillion losses in equity evaluation.
ERM and Governance:
Organizations today need a consistent risk benchmark that can be calculated on a regular basis and compared over time. So far, little attention had been paid to the role ERM plays in enabling a strong corporate governance framework. The concept, however, has been receiving increased attention recently due to uncertainties and fears emanating out of current financial turmoil. According to David, viewing governance as a fundamental risk management activity integrated into Enterprise Risk Management (ERM) rather than a compliance activity can help organizations in current financial turmoil. He advocates for enhanced oversight role of the board and stresses upon the importance of integrating corporate governance practices with a company's ERM program. This enables an organization to counteract the social amplification of risk through transparency, engagements, and stakeholders involved in the organization's governance.
On the similar lines, S. Jean Hinrichs commented, "While governance establishes the strategy and policies for how business should be conducted, ERM provides the framework to monitor whether the organization is working within the framework. Increasing ERM & governance can create standard improvements in quality and effectiveness of the management by providing clear links in objective settings, risk appetite and performance."
This also calls for a conceptually consistent and more transparent framework for assessing risks, identifying gaps and deficiencies, and, ultimately, mitigating risks in systematic manner. According to Hinrichs, we can create transparency into our largest risk exposures by fostering a risk culture that encourages candid discussions about key risks; by maintaining an effective ERM framework; and by being aware of how corporate culture and human behavior can hinder communication.
Moving towards Integrated ERM:
Will integrated ERM be a true paradigm shift for business management? The debate still continues. Most experts agree, however, that if properly implemented, ERM can encompass an integrated, enterprise view leading to better management decisions. Throwing more light on the current challenges and market drivers, Charles Goldenberg from MetricStream, brought a perspective that mapped the market drivers for risk management to the benefits of integrated risk management processes across an enterprise.
According to Charles, “ERM is creating some tremendous risks and opportunities. On one hand it is best of the times, and on the other hand it is worst of the times; depending upon where you are in the market place. You need to make sure that you have appropriate governance, risk, and compliance processes across the enterprise.”
The benefits of an integrated Governance, Risk and Compliance program are enterprise-wide, and a clear business case can address the requirements of current market drivers. As put by the CEO of a US Financial Services Company, “Without an integrated, consistent, and repeatable set of control metrics, we could never achieve our true goal of aligning our risk appetite with our risk tolerance.” Understanding enterprise values and objectives, and mapping it to the organization’s current state, is the first step in describing the case for implementing integrated GRC. Based on these inputs and a clear vision of the future, a business case will address how to align resources towards these goals.
Charles pointed out, "As a direct result of implementing holistic, enterprise-wide GRC initiatives, companies can manage risk with more predictable business performance and risk visibility; increase opportunities within the company's risk tolerance; and increase value via a common language for risk and value that can help you integrate the company more effectively." Talking about technology benefits, he held, "Technology can truly provide some benefits. Technology enables centralized visibility that provides holistic view of the company via a central repository for risk and control information; decentralized accountability leading to broad ownership for company's risks and broad accountability risk and internal control activities; and rigorous repeatable process which reiterates that risk management is a process and not a project which needs to be implemented holistically."
He added, “MetricStream as a company believes that technology can play a key real role across this entire process. There are key points where you can apply policy management, where you can put in place key risk indicators, where you can apply risk analytics, collaborative risk assessment, scenario analysis, compliance management processes to help you manage this process much more effectively.”
Here are some of the questions that surfaced during the panel discussion of the webinar.
What role is the rating agencies play in the initial stages of current financial crises?
Blaming it on the rating agencies, Dr Robert Mark said that they unwittingly exposed investors to losses and risks. Looking back at the initial years, he said, many people invested in the super tranche collateralized debt obligation and residential mortgage back securities that were rated AAA by the rating agencies. They backed it by monocline insurers such as MBIA, which was also rated AAA. So there was AAA investment backed up by AAA insurance. Unfortunately due to the AAA rating, the risk in these vehicles went unnoticed. This played a major role in the current financial crisis. He emphasized on doing your own drilling down of the investment vehicles rather than trusting the rating agencies.
Recognizing that there are many areas where risk management can be improved, what is the one blind spot that you believe should be addressed in all organizations?
Jean Hinrichs stressed on the need for increased risk communication across the enterprise. With organizations becoming more complex, consistent communication of information is increasingly becoming difficult; especially across the several layers of management or multiple locations or cultures around the world. She cited a survey by David Koenig and Micheal Keiner, which researched on 65 firms across several industries. The results showed that there was an over-confidence on the part of managers, that their policies were well understood throughout the organization; which might become the weakness of the organization, as it hampers the discussion and communication about risk exposures. Another possible barrier in communication, she held, is the reluctance to challenge your colleagues, especially those who are at the executive posts or at the board levels. This combines with the culture that doesn’t encourage open candid discussions about risk issues and can prevent transparency into risk exposures. So transparency via efficient risk communication is the key to manage risks comprehensively.
Fair market value has shown a negative impact in the financial market development while mark to market will force the banks to face huge loss. Should we reverse the accounting rule, or should we keep them as it is?
While answering the question, David stressed on the need for enhanced transparency and visibility. He held that human perception is one of the issues involved in fair value accounting. Panic creates a perception that there is much more to a problem than it actually is. Without adequate transparency, fair value accounting can lead to fear. Organizations need match the transparency so there isn’t amplification taking place, simply because of an accounting rule.
Integrated governance, risk & compliance processes can executively protect a company from wide range of downside risks. What could have caused the breakdown of the GRC processes?
Financial services companies generally have rigorous and relatively strong risk management and compliance processes. The possible disconnect might be possibly due to weak governance for weak tone at the top coupled with strong Risk and Compliance. Organizations with weak governance but strong risk and compliance generally have good analytical processes; but they may be misdirected in terms of identifying potential issues. Charles held that there are some issues around possibly focusing on too few risks or too many risks. Organizations don’t want to have too many risks or too little risks; they need to have just the right number of risks that helps them in identifying issues to focus upon. And finally, there is a need to evolve risk management as the business environment changes.
How would you define an ERM/GRC strategy that is well formulated and also well executed across the business? What is your recommendation on an effective enterprise risk management strategy?
David put forth the concepts of network governance and stupendous governance. He said that network governance allows stakeholders to have quick information as well as quick feedback into the process across different parts of the organization. Stupendous governance tends to push the management of the risks out to the groups which are close to where the risk is being originated. Stupendous governance and network governance, together, can have the tremendous improvement in the resiliency of the organization, and that’s what ERM is all about.
Many non-financial institutions have also expressed increasing interests in establishing more structured ERM program. Where do you think they should start?
While answering this critical question, Jean said, “Many financial institutions have siloed approach, with risk management being done primarily for designated support functions. This approach, however, fails to provide sufficient transparency in cross business and external risks. The most important component of creating a structured ERM program is recognizing the need for a comprehensive approach and having top management’s support. An effective risk management framework should deploy a formal risk management policy, a formal risk assessment process, and a structured risk monitoring and reporting process. This should be accompanied by effective analytical tools and technology to evaluate the end reporting results. An effective risk management program should formally integrate the risk assessment processes and responses to key risks with their business planning and strategy settings. In addition, it should have enough people to carry out their objectives with sufficient stature in the organization in technical knowledge and experience to be effective. The tone at the top is critical to successful implementation of an ERM program.”
How will the governance processes change in the new global business environment when we all are connected and nobody is in charge and that also leads to another question which is how technology can enable and improve the effectiveness of GRC processes and what are the tools that company can deploy?
While answering the question, Charles cited an article that discussed about the great iceberg meltdown. He compared the article with the current events in global financial industry. He said, “The mortgage industry in the US caused banks and ice lands to enter the market for internet deposits. This caused British police forces to take their pension funds and put them into the ice melted banks. So when the liquidity crisis proceeded, banks and ice lands were not able to honor redemptions from British police force. So here is a scenario where a complex global economy is reacting and causing unexpected problems and consequences.” Foreseeing a more complex regulatory environment, he held that technology can really be the answer to lots of current issues of financial market. Centralized visibility, which comes through the right application of technology, enables organizations to get timely risk related warnings, identify upside opportunities that are appropriate with the risk tolerance, manage lost transactions, and provide early feedback on the effectiveness of the control in place. Putting in place the right kind of technology can really provide the transparent monitoring of an organization’s risk environment.
How to manage in formation risk better?
Bob opined that one of the major causes of current subprime crisis was inadequate risk information about the underlying mortgage loans. In addition, there was a big loss of confidence in the accuracy of the credit ratings from the rating agencies like S&Ps. However, managing information risk is about benchmarking the quality of risk information, in term of its integrity, timeliness, and accessibility of the data.
What is the best way to do the scenario planning and what it is?
Scenario planning is a critical factor in an ERM function, primarily because it provides transparency to the senior management on the issues that threat the resiliency of the organization. David said, “The value of the organization is the perception by the equity capital investors. In the perception, you would like to be in the safe list of the equity holders. As people are afraid of losses they put negative affection on losses, almost three times as great as they put positive affection on gains. Organizations doing scenario analysis or stress testing try to eliminate and reduce the possibility of large losses, and increase the perceived value of organization.”
How internal audit can coordinate with risk and compliance functions in an organization to increase effectiveness and reducing duplication of efforts and falseness?
The question was rolled over to Jean Hinrichs. She said, "Internal audits require high level of independence to provide objective assessment of risk and control to senior management and audit committee. So integrating certain activities and sharing information of risk management, compliance and control functions can really enhance the overall understanding of those exposures and ensure that there aren't any gaps in the coverage. One way of achieving the synergy is to collaborate on a single enterprise risk assessment, which is updated at least annually. This ensures that there is a common understanding of the risks across the organization. Another way is to coordinate the schedule of compliance testing and auditing with all the risk activities to avoid unnecessary overlap. Further, sharing results between internal audit functions and risk compliance fosters a focused work environment in highly volatile environment."