CHAPTER 4

Risk Governance

Risk management needs to be the way that a firm does business. A successful business both takes risk and receives the appropriate reward for the risks that it is taking. You would expect this to be a key concern of the Board, yet in many firms the Board is not actively engaged in the process.

Risk management looks both at the present and the future. The Board, in considering the strategy and goals of the firm, should do so in the context of risk and reward. They should then build a risk management framework that seeks to minimize the likelihood that the goals and missions will not be met.

This requires the Board to be conversant with the principles and objectives of risk management and to be able to synthesize the information provided to them, leading to both challenge and action. This suggests that there should be non-executive directors with risk expertise to supplement and challenge the skills of the in-house team. However, few boards currently include an independent risk specialist for this purpose.

Every Board meeting should have risk management on its agenda, and this should be included in the terms of reference of the Board. All Board members should receive a level of training on risk that is commensurate with their role and enables them to understand the data provided to them. The importance of Board training cannot be overstated. We do see a disconnect between the risk functions in some firms and their Boards. The risk function assumes a level of knowledge and understanding on the part of Board members which is quite simply not there. The consequence is that the risk function ends up presenting to an audience that cannot follow it. Basically, it does not work.

The Board needs to be conversant with the terms and techniques used by the risk function. They do not need to be experts, but they do need to be in a position to ask intelligent questions.

The next issue is the reporting lines within the firm. If you look at a typical business reporting structure, it will have a Board and a remuneration (or nominating) committee together with an audit committee. Local rules and regulations rarely oblige a firm to have a risk committee, although one is generally recommended for firms of sufficient size and complexity. In the financial services industry, for example, a risk committee is generally a requirement. However, when you look at the structures, you may start to see the problem.

[Figure: simple committee reporting structure]

This simple structure clearly leaves out many other potential committees, including human resources and strategy, for example. However, even in this simple structure, issues start to appear, and they relate to the scope of each committee as set out in its terms of reference or charter.

Each committee will look at the issues that fall within its area of specific responsibility as set out in its terms of reference or charter. The treasury committee will be looking at the future funding requirements of the firm as well as the day-to-day risk mitigation and cash placement activities that always need to be undertaken. Two key risks that influence its work are market risk and liquidity risk. Market risk results from the positions that the firm is taking in both its investment and its capital portfolios. Any asset that needs to be marked to market or to model can fall in value, and movements in markets clearly affect this. If this is being discussed at the treasury committee, then the discussion needs to be consistent with the discussion that will take place at the risk committee.

This logically leads into the discussion of liquidity risk. Liquidity risk looks at the funding needs of the business now and in the future and seeks to ensure that sufficient liquid assets and facilities are available to meet those obligations. To really understand this, the treasury committee needs to receive reliable behavioral data that properly identifies what actually happens within the business, as opposed to what is contractually expected to occur. Contractually, every customer pays on time, whereas experience shows that this is rarely the case. Behavioral analysis shows what the true position is expected to be under a range of potential scenarios.

Again, if this is being discussed at the treasury committee, how will it feed into the deliberations of the risk committee? Another similar area is what we call counterparty credit risk, which is the risk posed to the firm by other financial institutions. This risk is again frequently discussed within treasury, whereas it is certainly an issue for risk management.

As we mentioned earlier, risk management seeks to look at all the risks that a firm faces and to consider the risk mitigation strategies that are optimal for the firm as a whole. Splitting this between committees can result in actions that are optimal in the context of the individual committee but not in the context of the firm as a whole.

The operations committee can also overlap with the risk committee, in that operational losses will normally be reported to and investigated by the operations committee. So long as the information is provided in summary form to the risk committee, this is unlikely to be a significant issue; however, the risk committee is intended to be independent of daily operations and is therefore better placed to consider the full implications of an issue, as opposed to the purely operational aspects.

This leads to some form of matrix management structure being applied, perhaps as follows:

[Figure: matrix reporting structure between the treasury, operations and risk committees]

In this structure, there is a matrix reporting line between the treasury committee and the risk committee, and also between the operations committee and the risk committee. This has the advantage of enabling each committee to meet the demands of its terms of reference and to report appropriately to the Board, while at the same time providing the risk committee with the information that it needs to do its work effectively.

Matrix reporting lines are quite common in business generally, and they are to be expected in an area such as risk management which, by its nature, cuts across everything that the firm does.

The next issue to consider is the structure of the risk management function itself. Once the risk register has been created, the firm will know the risks that it is facing. The question is: "What is the best approach to ensure that these are reviewed and managed appropriately at the risk committee?" Of course, there can be no single right answer, since the approach adopted will depend on the nature, size and complexity of the firm.

If we consider a major bank, for example, then the following risk categories will probably be suitable:

  • Credit Risk
  • Market Risk
  • Liquidity Risk
  • Operational Risk
  • Strategic Risk
  • Reputational Risk

The question is how these risks would be dealt with, and whether there would be a team within risk management looking at each of them. In many firms, there is no separate strategic risk or reputational risk function within risk management, and the market and liquidity risk functions are often merged.

If we look at the following structure:

[Figure: risk management function structure with credit, market/liquidity and operational risk teams reporting to the CRO]

This means that the other risks (strategic and reputational) will only be dealt with at the Chief Risk Officer (or CRO) level. But there are two other main areas that need to be considered: risk models and enterprise risk management. The structure needs to be sufficiently detailed that it is clear how these risks are dealt with effectively. If there is a separate enterprise risk management function, then it will essentially need to receive reports from all parts of risk management. The model risk team will take responsibility for reviewing the models used in every area of risk management and will also have an obligation to ensure that they are consistent. This leads to the following structure:

[Figure: risk management function structure including enterprise risk management and model risk]

So, a variant of this structure will tend to work well, with the Head of Enterprise Risk Management bringing together all of the disparate risk strands along with strategic and reputational risk. Notice that no operational business units have been included within the responsibilities of the function. Generally, documentation and administrative business units do not fit well into a risk management function, since they essentially drag the CRO into the day-to-day running of the business when the role is intended to be forward-looking. Further, at risk committee meetings, the documentation and administrative units tend not to feel that they belong. What this often means in practice is that this type of business unit is badly managed within risk management and is much better placed within the operations area, reporting to the Chief Operating Officer (COO) or the equivalent role.

Of course, this only deals with the structure of the department and how it should report. The problem to consider is how issues raised within the business get reported quickly and effectively to the risk management function, leading to action. This requires embedding risk management in the business.

Too often, when you start to discuss risk management with the head of a business unit, you receive the response that it is done by the risk management function. Yet the risk management department does not actually take the decisions, since all the decisions are really taken by the business itself. This goes to the heart of the three lines of defense model.
