Making risk everyone’s business

The global financial crisis of 2008 has taught the financial services industry several lessons: the importance of managing liquidity; the need to strengthen and institutionalize appropriate risk culture; and to always be prepared for the unexpected.

Following the crisis, financial institutions were motivated to launch aggressive change programs. Risk governance is perhaps the most significant area of change, as financial institutions made marked enhancements to their risk management structure.

Still, much more can be done to fully embed more robust methodologies and processes. Defining risk appetite – a key foundation of the risk management process – remains a pertinent challenge for many financial institutions. Embedding that risk appetite to the business and linking it to day-to-day decisions is even harder to achieve.

There is now widespread recognition that creating and embedding an effective risk culture that is supported by a sustainable risk and control framework is a top agenda item for senior management.

The changes required to institutionalize a strong risk culture are fundamental and far-reaching. Particularly in economically challenged times, balancing profits and risk becomes even more imperative. Making risk everyone’s business is necessary, and it requires a shift in mindset, policies, procedures, systems as well as long-term commitment and investment.

Although many financial institutions have launched initiatives to instill an enterprise- wide risk culture throughout all levels, they face challenges in the execution lead time, as well as difficulty in quantifying the success.

Getting it right at the top
For risk culture to be truly embedded into an organization, the boards and senior management need to set the tone at the top. To that end, many financial institutions are strengthening the roles and skills of their boards and senior management. Many boards and senior management are becoming more actively engaged in risk matters.

According to Ernst & Young’s Making strides in financial services risk management report, survey respondents had highlighted an increase in board oversight of risk in their companies. Many financial institutions have also set up separate board risk committees and increased the amount of time devoted to risk issues.

At the same time, they have revisited board member constitutions to upgrade the level of skills and experience in risk management, focusing on key areas including risk appetite, liquidity, culture and compensation.

While board members may have become better informed on risk-related issues, they continue to be challenged with too much data and not enough information for decision-making, increasing expectations from regulators and evolving business models.

There is also a growing emphasis on the role of the Chief Risk Officer (CRO) in terms of seniority and organizational influence. A strong consensus exists among financial institutions that the CRO and risk teams need to be more aligned with the business, and actively participate in business strategy and planning. This means that the CRO must be involved beyond the traditional areas of credit and market risk to include new product development and strategy.

However, for the CRO to competently discharge his duties, he needs the stature and authority to challenge business heads on potential risk issues. The strategic nature of the CRO function thus warrants a direct reporting line to the CEO and the board risk committee.

Many financial institutions recognize this. More than half of the respondents from our global survey had indicated that their CROs report to the CEO, while a smaller segment of them have dual reporting to the CEO and the risk committee.

Even as financial institutions are reducing headcount to adjust to market pressure, many are aware that they cannot scale down on risk management, and continue to grow bench strength in their risk functions.

However, more checkers does not necessarily lead to more effective risk management. Thus, enhancing this bench strength must go hand-in-hand with robust risk management execution, monitoring and reporting.

Building more robust models
Virtually all the respondents in our report had agreed that financial services institutions need more sophisticated predictive tools that enable the management to challenge critical business and risk assumptions, analyze their potential impact on risks, and assess the implications of market events on and across the organization.

They are also making steady progress in updating their forecasting methodologies, models, systems and procedures to identify risks and particularly, measure risk concentration.

However, the irony is that the economic capital models that many of them are enhancing could be the same ones that have inadequately assessed the size of risk exposures previously.

To adequately measure risk exposure, the emphasis should be on business risks that are not covered in VaR (Value at Risk), combined with more conservative correlations and group-wide measurements. Models that more accurately measure liquidity and counterparty risks, and associated stress-testing all lend towards building more robust risk management models.

More financial institutions are seeing the value in enterprise stress-testing. And perhaps what is most significant is the shift in perspective that stress-testing is a strategic management tool that serves more than just compliance purposes.

Stress-testing has also been broadened beyond the risk team’s domain to include the board, senior management and heads of business units, who ultimately use the information in their strategic decision-making processes. More, however, can be done to make stress-testing a more flexible tool, in addition to addressing data aggregation and IT issues.

Everyone owns risk
It is clear that the financial services industry has made significant efforts since the days of the global financial meltdown to embed risk management into core business considerations, and at the highest level.

Notwithstanding the positive progress made, there is room to ensure that risk management truly permeates the organization across all functions and levels. Because more often than not, the greatest risk of all is the misconception that risk is not everyone’s business.


**This article summarizes complex issues and is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither the author nor the global Ernst & Young organization or any of its member firms can accept any responsibility for loss related to any person acting on the information in this article.**