Companies today are exposed to risks and threats that were virtually unknown 10 or 15 years ago. Although the traditional risks, such as credit risk and market risk, remain key considerations, companies are also recognizing human capital risk, regulatory risk, information technology risk and tail risks such as terrorism and climate change as major threats. From supply chains and electronic commerce to outsourcing and information technology, risk management is a necessary condition for doing business. Of course, companies are spending billions of dollars modeling and remodeling their risk management techniques.
However, most risk models are based on past risk experience, and the magnitude of risk has changed profoundly since then. Because these models focus largely on loss prevention rather than on adding value, they do not provide the framework most companies need to redefine the risk management value proposition in this rapidly changing world.
In hindsight, businesses have concluded that widespread institutional reliance on risk models was a terrible mistake. But the fault did not lie with risk models alone; corporate governance procedures shared the burden equally. In a number of cases, information about exposures did not reach the board or even the senior levels of management.
Whose job is it?
In other words, they did not have an enterprise risk management (ERM) strategy - an integrated approach that aligns strategy, processes, people, knowledge and IT so that risk is better understood and controlled throughout the enterprise. To make matters worse, many firms did not make it clear who had overall responsibility for overseeing the risk management activities. Was it the chief risk officer, the risk management committee, the chief executive officer, the chief financial officer, the audit committee, heads of business units - or a combination of some or all of the above?
Most organizations view risk as operational and financial. The operational risk manager’s chief concerns are legal liabilities, worker safety, crime prevention, fire prevention, environmental contamination and many other important duties, while the financial risk manager takes care of portfolio risk, credit and currency risk, market risk and other similar fields. But major shocks and problems don’t fall neatly into these buckets.
Even if risk management systems function in the technical sense and take care of the above risks, they will not make a difference to the company in times of real danger unless information is transmitted through effective channels, which is clearly a corporate governance issue.
Finding the solution
An IIF report stresses that a solid risk culture throughout the firm is essential but that, in many firms, there appears to be a need to re-emphasize the respective roles of the CEO and the board in the risk management process. The report goes on to make suggestions for strengthening board oversight of risk issues: boards need to be educated on risk issues and to be given the means to understand risk appetite and the firm’s performance against it. It also emphasizes that a number of members of the risk committee (or equivalent) should be individuals with technical financial sophistication in risk disciplines, or with solid business experience giving clear perspectives on risk issues.
It has often been argued that remuneration and incentive systems have played a key role in influencing not only the sensitivity of financial institutions to the macroeconomic shock occasioned by the downturn of the real estate market, but also in causing the development of unsustainable balance sheet positions in the first place. The board should ensure that the company's risk management and remuneration systems are compatible with its objectives and risk appetite. The remuneration systems lower down the management chain play an even more important role. For senior managers and employees at all levels alike, the board should ensure that compensation policies and practices are consistent with the company’s corporate culture, long-term objectives and strategy, and control environment.
Clearly, risk management is not what a mathematical equation tells us. Rather, it is what the chief risk officer, the risk management committee, the chief executive officer, the chief financial officer, the audit committee, heads of business units, and even a staffer on the desk view, understand and interpret. A deeper understanding of the risks, together with board oversight, will not only help employees perform their jobs better but also create an environment where everyone is a risk manager. An incentive and remuneration program will help administer a holistic risk culture in the company and motivate every employee to be part of the system.
- “Re-thinking Risk Management: Why the Mindset Matters More Than the Model,” Knowledge@Wharton, April 5, 2009.
- Institute of International Finance (2008a), Interim Report of the IIF Committee on Market Best Practices, Washington, D.C.
- Grant Kirkpatrick, “The Corporate Governance Lessons from the Financial Crisis,” OECD (2009), Paris, www.oecd.org/daf/corporateaffairs
- Vincent H. O'Neil, “Rebuilding Financial Risk Management,” Risk Management Magazine, June, 2009.