Implementing ERM Across the Banking Industry

Author: Carol Beaumier
Date published: September 03, 2007

Banks face many types of risks every day, including credit, interest rate, price, liquidity, currency, operational, legal, regulatory, fraud and reputation risks. At different times, one or more of these risks can take on greater significance. During the sovereign debt crises of the 1980s, we saw the banking industry’s attention focused on currency risk. In the late 1980s and early 1990s, interest rate risk and credit risk were significant concerns, as banking organisations in the US failed in record numbers. And, as we approached the beginning of the 21st century, banks focused their attention keenly on technology risks.

More recently, managing regulatory risk has been the priority issue as banks cope with a host of new or evolving regulations, including, but certainly not limited to, corporate governance, Basel II and anti-money laundering requirements. Concurrently, spurred in part by innovations in technology, banks have also been facing increased information security and fraud risks that can threaten brand value. In fact, most banking organisations today would certainly rank managing compliance risk and managing reputation risk – which are often intertwined – among their main challenges.

Importance of Risk Management

Mismanaging risk can be very costly. Avoiding all risk is not an option. Besides, with no risk, there is no reward. The only solution, therefore, is effective risk management.

“The essence of risk management lies in maximising the areas where we have some control over the outcome, while minimising the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.”

The foundation of an effective risk management programme is a thorough understanding of the risks – the uncertainties – that face a business, where and how they arise, and in some instances, how they can be exploited to a company’s advantage. This is seen in the illustration below.

Environment risks are uncertainties arising externally that affect the viability of the enterprise’s business model. These external forces include the actions of competitors and regulators, shifts in market prices, technological innovation, changes in industry fundamentals, and the availability of capital or other factors outside the company’s direct ability to control.

Process risks are uncertainties affecting the execution of the business model, and therefore often arise internally within the organisation’s business processes. Process risks arise when internal processes do not realise the objectives they were designed to achieve in supporting the entity’s business model. For example, characteristics of poorly performing processes, or process risks, include inadequate alignment with business objectives and strategies, dissatisfied customers and inefficient operations. They also include diluting (instead of creating or preserving) enterprise value, and failing to protect significant financial, physical, customer, employee/supplier, knowledge and information assets from unacceptable losses, risk taking, misappropriation or misuse.

Information for decision-making risks are uncertainties affecting the relevance and reliability of information supporting management’s decisions to protect and enhance enterprise value. These risks arise when information used to support business decisions is incomplete, out-of-date, inaccurate, late or simply irrelevant to the decision-making process.

This framework of three broad, interrelated categories of risk can, and should, be customised to address specific industry risks. Models can prove very helpful in operational risk management and, as an example, I will refer to the Protiviti risk model for the banking industry, which can be seen below. This model categorises the typical risks faced by banking organisations into the three broad groupings. Each of the risks included in the model is defined to promote consistent interpretation across the organisation and to provide a common risk language.

Implementing ERM

This risk model is designed to help bank management move beyond traditional risk management to enterprise risk management (ERM). Traditional risk management focuses on managing uncertainties around physical and financial assets. With ERM, risk may also be viewed as a positive. The objective of a risk management programme is not only to protect, but also to create enterprise value. Risk management is embedded in the company’s strategy and is managed at the top of the organisation.

The banking industry is among the more advanced in implementing ERM concepts. Yet, very few companies have implemented a truly enterprise-wide approach across all of their operations. One benefit of ERM is that it provides the means for rationalising the multiple risk management processes and systems that exist in many banks, thereby eliminating duplicative efforts and also helping to identify any continuing gaps.

Adopting a common risk language is key to implementing and sustaining ERM, but it is just the first step. Other important steps include:

The level of effort required to implement ERM is not insignificant, nor are any two ERM solutions alike. Companies have different objectives, strategies, structures, cultures, risk appetites and financial wherewithal. The specific approaches, processes, methodologies, systems and metrics that define the solution will differ from company to company. For most companies, ERM will require a cultural change.

Point of View on ERM

Companies often cannot get beyond the theory and concepts of ERM to an understanding of how to implement it tactically. I believe that the tenets of effective ERM implementation are:

1. Bernstein, Peter L., Against the Gods: The Remarkable Story of Risk, 1996, published by John Wiley & Sons, Inc., New York, p. 197.
