CHAPTER 10

Financial Risk Management Governance

Introduction

By now it should be clear that proper financial risk management can add significant value to an organization. However, like most things of great usefulness, it needs proper governance or oversight. When financial risk management first became prevalent in the early 1990s, the proper level of governance was often lacking. As a result, there were several prominent risk management debacles. In large part, the debacles were caused by derivatives. However, derivatives are simply tools for financial risk management, whether that risk management is for speculative purposes or for supporting the objectives of a nonfinancial firm. The problem was not derivatives, but governance. The financial crisis of 2008 was also in large part brought about through the lack of governance, but this time the lack of governance was on a systemic scale. The lack of governance in the use of derivatives led famed investor Warren Buffett to famously remark that derivatives are “weapons of financial mass destruction.”

Case Study

Procter and Gamble

Procter and Gamble is a large company known to most, but even for those not familiar with the company name, virtually everyone will be familiar with many of the consumer products they sell around the world: Crest toothpaste, Bounty paper towel, and Gillette razors to name just a few. Clearly P&G are masters of consumer products, but what became equally clear in 1994 was that their interest rate risk management was not at the same level. In April 1994, P&G disclosed that they had lost $157 million on interest rate derivatives. Although relatively small when compared with some other hedging- and derivatives-related disasters, this episode is highly instructive on a number of fronts. The losses arose from two swap contracts they had entered with Bankers Trust. One contract saw P&G pay a fixed rate and receive a floating rate that would vary inversely to U.S. interest rates. The other contract was similar, but tied to German interest rates instead of U.S. rates. Simply put, P&G would benefit if interest rates stayed flat or fell and would lose if interest rates rose. The complex formula in these contracts effectively created substantial leverage, which would see P&G’s payment rise much faster than general interest rates. Unfortunately for P&G, as you have probably already guessed, interest rates began to rise, and P&G’s borrowing rates reportedly soared to an incredible 14.12 percent above the general commercial paper rates.1

P&G sued Bankers Trust and reached a settlement under which Bankers Trust would forgo most of the money owed to it by P&G, but how did P&G end up in that situation to begin with? Although interest rate derivatives to convert fixed rate payments to variable rates can be part of a normal corporate hedging program, these transactions and their asymmetric risk profiles did not appear to be effective hedges for P&G. These transactions were not really hedges at all, but speculation on the direction of interest rates with the objective of profit generation to lower total borrowing costs. In its 1994 10-K filing, P&G referred to these contracts as “out of policy” and stated that “At June 30, 1994, no such instruments were in our portfolio and it is the Company’s intent not to enter such leveraged contracts in the future.”2 This demonstrates the importance of having a well-structured policy with appropriate governance and controls to ensure that the policy is being followed. P&G also believed that they were taken advantage of by Bankers Trust, and given the settlement, this may not be untrue. It should also be noted that Bankers Trust was accused by a number of other companies of similar unscrupulous sales tactics, reaching settlements with other companies and the SEC. However, ensuring that employees who are responsible for entering these transactions have the knowledge and experience to understand the products being offered is a common-sense approach to mitigating the risk. A simple rule of thumb is that if you don’t understand the product being offered and the risks that it entails, it shouldn’t be purchased!

We do not take such a dim view of financial risk management, nor of the use of derivatives. Properly governed, financial risk management and the use of derivatives are not only safe and practical, but also necessary if a firm wants to be competitive. In fact, we believe that not harnessing the usefulness of financial risk management, and implementing the full range of risk management strategies, including derivatives, is imprudent and indeed reckless. However, implementing financial risk management without proper governance is equally imprudent and reckless.

In this chapter, we will go through the basic governance guidelines for effective financial risk management. Included is a special section intended for those in positions of leadership such as senior managers and the Board. The steps for good governance are not complicated, and for the most part are straightforward common sense. The main problem seems to be that few companies, and few managers, and in particular few Board members are willing to take the time to learn a few basic principles of risk management—a problem that this book was written to correct.

Risk management is now often incorrectly assumed to be too complex and too specialized for the generalist to understand. This leads to risk management being left to the experts and this is the beginning of virtually all of the problems that we encounter in financial risk management. Compounding the issue is that the assumption that risk management is best left to the experts means that those whose role is governance—namely senior managers and Board members—are reluctant to ask the necessary questions when they should for fear of being exposed as unknowledgeable, or even worse stupid and ill-suited for their position. This is fundamentally an issue of organizational self-esteem and in our opinion is the ultimate cancer for effective financial risk management and risk management governance. We will discuss this point at more length later in this chapter.

Basic Necessities for Risk Management Governance

There are four basic necessities for effective risk management governance. They are: (i) develop and communicate the financial risk management philosophy, (ii) have measurable financial risk management objectives, (iii) have a data management system that ensures that the risk management objectives are being met, and (iv) have clear lines of control, accountability, and limits.

Develop and Communicate the Financial Risk Management Philosophy

The first necessity for risk management governance and for effective risk management is to have a sound philosophy guiding the risk management practices of the firm. This seems to be so obvious as to not merit mention, yet in our experience few companies have a financial risk management philosophy.

Organizations exist to accomplish tasks, and accomplishing tasks involves risk. Those risks may be good risks or they may be negative risks. They may be financial risks or they may be strategic or operational risks. The risk management philosophy is a basic statement of what risks the organization exists for and what magnitude of those risks it is willing to take. Business organizations exist to take business risks of developing and marketing products and services. Not-for-profit organizations exist to develop a necessary product or service or to promote a cause. Public sector entities exist to provide services to their constituents. Each of these activities involves a portfolio of risks and thus all types of organizations exist to manage risk in some shape or form.

The financial risk management philosophy may or may not be separate from the firm’s overall risk management philosophy—particularly if the organization has embraced enterprise risk management. The risk management philosophy basically states what risks the organization is in business to take, or to manage. Secondly, it states how much risk the organization is willing to take to achieve its goals. Finally, and perhaps implicitly, it states the risks that are not central to the firm’s existence. A firm, for example, may decide to eliminate interest rate risk, mitigate currency risk, and embrace commodity risk. The issue is whether the choice of risks and the degree of acceptable risk are consciously taken, consistently stated, and properly managed, understood, and communicated to all relevant stakeholders.

As an example of the importance of choosing a risk philosophy, consider the simple example of gold mining companies. See, for example, the case study of Barrick Gold in Chapter 9. Gold mining companies tend to fall into two very distinct types. There are those gold mining companies who do not hedge gold prices. These are companies that essentially state that their risk philosophy is that they are a gold-risk-loving company. These companies are essentially in business to capture gold price risk. By contrast, there are other gold mining companies that hedge most, if not all, of their anticipated gold production against fluctuating gold prices. These gold companies are not in business to take on gold price risk. It is a very sharp difference in financial risk management philosophy. Stakeholders, and in particular equity shareholders, can select which type of gold mining company they would want to invest in. A gold mining company that does not hedge production is a company that you would invest in if you want to have exposure to gold prices. A gold mining company that hedges gold price risk extensively is a mining company that you would invest in if you think they are going to be more efficient at mining than their peers.

A second illustration of the principle of risk philosophy is multinational companies that are U.S. based. Some of these companies hedge virtually all of their currency exposure while some make it a point to not hedge their currency exposure. Those companies that do not hedge their currency exposure are seen as useful diversification investments against a slumping U.S. economy, while those that hedge their currency exposures are viewed as pure plays on the products or services that they offer. In this context, we have heard Chief Financial Officers claim, “our shareholders want and expect us to hedge all financial risks that are not central to our operations,” and we have also heard different Chief Financial Officers claim, “our shareholders do not want or expect us to hedge.” It is not a case of one Chief Financial Officer being correct and the other being incorrect. What it does point out is that risk management starts with knowing what the risk management philosophy of the firm is and that there are a variety of forms that an organization’s risk philosophy can take.

After deciding which financial risks are key to the firm’s operations, and which are not, the next step of the financial risk philosophy is to determine the level of risk that is acceptable or desired. For some financial risks, the amount of tolerable risk may be very high, while for others the amount of tolerable risk will be very low. A general rule of thumb is that the greater the operational and strategic risk, then the lower the financial risk should be. This rule of course assumes that financial risk is not central to the operations of the organization, such as it would be for a gold mining company that consciously chooses to accept (embrace?) gold price risk.

Setting the financial risk management philosophy is a key function of the Board. Ultimately, the risk philosophy should be set by the shareholders of the firm (although other stakeholders will certainly have an opinion), and thus the Board is the proper place for the financial risk philosophy to be set. Governance in its most basic form sees to it that the philosophy is set, communicated, and followed. The following Florida Electric Utilities Case Study shows the confusion that can follow from a poorly communicated risk management philosophy.

Case Study

Florida Electric Utilities

In the summer of 2015, media reports began circulating about losses of over $6 billion incurred by Florida’s electric utilities resulting from natural gas hedges from 2002 to 2015. Natural gas prices in Florida tend to track Henry Hub, which allows the liquid futures and options market at this hub to be an effective hedge for consumers in Florida. Natural gas prices reached peaks in 2005 and 2008 as supply disruptions from hurricanes and other factors pushed prices to between $10 and $15/MMBtu, but then as the shale boom occurred and U.S. natural gas production grew too fast for demand to keep up, prices trended lower, falling under $2/MMBtu on several occasions. At the time, Florida’s utilities were shifting their generation away from coal and oil toward natural gas. To hedge exposure to natural gas pricing, these utilities purchased futures contracts or entered into fixed price contracts for their natural gas supply. If prices had risen, these contracts would have benefited customers, but as prices fell they instead created losses. These losses meant that utilities, and their customers, did not fully benefit from the cheaper natural gas available in the open market; in this case, customers would have been better off by more than $6 billion had these utilities not hedged their natural gas during this period. The four main investor-owned electric utilities in Florida proposed in early 2016 to reduce their hedging by 25 percent; however, in November 2016, they filed with the regulator for a complete moratorium on new hedges through the end of 2017.

This saga raises several important issues that must be addressed in designing and implementing any hedging strategy. Firstly, what is the objective of the program? Is it to reduce or eliminate as much volatility as possible, to protect against significant movements in only one direction, something else more specific to a company’s underlying financial performance, or a combination of several objectives? Secondly, what are the key risks related to the program and what are the implications if something doesn’t go as planned? Lastly, are all relevant stakeholders sufficiently informed about hedging in general, and about the specific objectives and risks of the hedging plan being implemented? In this case, the utilities working together with customer representatives and the regulator to reach consensus on an appropriate approach to hedging that is well understood and meets the needs of all stakeholders could help to avoid future situations like this. It must be noted that hedging programs will often look worst at times when it is best to hedge; in this case, after significant declines in prices, perhaps there is now limited downside left and risk is skewed to the upside. Markets tend to be cyclical, and evaluation of the success of a hedging program must be done for at least a full market cycle, and ideally over several complete cycles.

Have Measurable Financial Risk Management Objectives

A closely related step to the risk philosophy is the risk management objective. The objective is simply the answer to the question “what is the risk management function supposed to do?” Is it to eliminate risk? Is it to keep risk within certain bounds? Is it to increase the value of the firm through prudent risk management?

One method for setting the objective is to develop a listing of the various financial risk exposures that the organization has, or potentially could have, and a guideline to the level of acceptance that it has for each of the risks. You will recall from Chapter 2 that there are a range of responses that a firm may take to risk. The range we suggested was: eliminate, avoid, mitigate, ignore, embellish, and embrace. The key is to develop the list and then have clearly defined responses to each of the risks. The definitions of the range of responses should, if possible, be defined in terms of quantitative exposures, and preferably in monetary values of the risk exposure that were listed in Chapter 4. One of the advantages of financial risk management (as opposed to, for example, strategic or operational risk) is that financial risks are almost always capable of being quantitatively assessed. In setting the financial risk management objective, this ability to quantify risk exposures should be exploited.

The setting of the financial risk management objective should allow the organization to produce clear answers to the following questions: is the organization’s financial risk management effective, and is the risk management function achieving the objectives set out for it? It is surprising how many companies cannot answer these very basic questions, yet still keep expanding their financial risk management operations without knowing whether or not the risk management function is doing a decent job.

We believe that the ideal is to be able to quantify the amount of value that the risk management function is adding to the firm. Conceptually this is ideal, but it also has some possible unintended consequences. In the past, many firms interpreted this to be making the Treasury function a profit center through the use of aggressive financing strategies using derivative tactics that they were not sophisticated enough to fully understand and monitor. This was the case with the well-known debacle of Procter and Gamble, which used sophisticated interest rate swaps as part of their financing strategy.

A second issue of quantifying the use of financial risk management is that a risk avoided generally never gets considered or factored into the analysis, when in reality the risk avoided may be the most important analysis of all. For instance, if the risk management function actions prevent a loss in foreign sales due to adverse currency moves, then it may be the case that it is assumed that it was the marketing function that did a great job, rather than the risk function whose actions prevented necessary price increases to keep profit margins at the same level. Note that the risk function may add value through avoiding a negative risk as in the previous example or it may destroy value through preventing the organization from seizing an opportunity due to positive risk. For instance, without any hedging, the currency rate could have moved in the organization’s favor allowing them to increase market share or increase profits. These negative actions should also be counted when assessing whether or not the risk management function is adding value. In considering this, the reader may want to think back to the discussion about using option versus forward type strategies that were discussed in Chapter 4. It is quite possible for risk management actions to destroy value beyond the explicit cost of risk management through its effect on operations or strategy.

One method to calculate the value of the risk management function is to do a Monte Carlo type analysis of the actions for the firm both with and without risk management actions. By examining the two distributions produced, the value that the risk management function is producing should become clear. Obviously building a Monte Carlo analysis for the firm is a difficult task. However, doing so strikes at the heart of understanding what the factors are that are driving the success of the firm, as well as how well managers understand them.

If it is not possible to build an overall Monte Carlo model for the firm, then at a minimum the firm ought to be able to build a rudimentary model for each division. While a divisional model will overlook the synergies and correlations of the actions across the firm, it will at least capture the main points. The goal here is not perfection in the model, but developing an idea of what risk management tactics are likely to be more effective. Even a very simple Monte Carlo model will generate valuable discussions about not only the risk management function, but also the overall management of the firm.
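The with-and-without comparison described above, as an added example that is not from the book: a rudimentary model of an exporter with foreign-currency revenue, run over the same simulated scenarios with and without a forward hedge. All figures (volume, costs, volatility, hedge ratio) and all function names are assumptions constructed for illustration.

```python
import math
import random
import statistics

# Constructed parameters (in millions), not taken from the book.
EXPECTED_VOLUME = 100.0   # expected foreign-currency sales
VOLUME_STDEV = 5.0        # uncertainty in the sales volume
HOME_COSTS = 90.0         # fixed costs in home currency
SPOT = 1.00               # home currency per unit of foreign currency today
FORWARD = 1.00            # rate locked in by the forward hedge
FX_VOL = 0.10             # annual volatility of the exchange rate


def simulate_scenarios(n_paths, seed):
    """Draw (exchange rate, sales volume) pairs for one year ahead."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n_paths):
        # Lognormal rate with drift chosen so the expected rate equals SPOT.
        z = rng.gauss(0.0, 1.0)
        fx = SPOT * math.exp(-0.5 * FX_VOL ** 2 + FX_VOL * z)
        volume = rng.gauss(EXPECTED_VOLUME, VOLUME_STDEV)
        scenarios.append((fx, volume))
    return scenarios


def profit(fx, volume, hedge_ratio):
    """Home-currency profit with a forward sale of hedge_ratio * expected volume."""
    notional = hedge_ratio * EXPECTED_VOLUME
    operating = volume * fx - HOME_COSTS
    hedge_payoff = notional * (FORWARD - fx)  # gains when the rate falls
    return operating + hedge_payoff


def summarize(profits):
    """Summary statistics of one simulated profit distribution."""
    return {
        "mean": statistics.fmean(profits),
        "stdev": statistics.pstdev(profits),
        "p5": statistics.quantiles(profits, n=20)[0],  # 5th percentile
        "prob_loss": sum(p < 0 for p in profits) / len(profits),
    }


def compare(hedge_ratio=0.8, n_paths=20000, seed=42):
    """Run the same scenarios with and without the hedge and compare."""
    scenarios = simulate_scenarios(n_paths, seed)
    unhedged = [profit(fx, vol, 0.0) for fx, vol in scenarios]
    hedged = [profit(fx, vol, hedge_ratio) for fx, vol in scenarios]
    # Share of scenarios in which hedging left the firm worse off than
    # doing nothing, i.e. the hedge gave up a favorable currency move.
    forgone = sum(h < u for h, u in zip(hedged, unhedged)) / n_paths
    return {
        "unhedged": summarize(unhedged),
        "hedged": summarize(hedged),
        "upside_forgone_share": forgone,
    }


if __name__ == "__main__":
    result = compare()
    for name in ("unhedged", "hedged"):
        stats = result[name]
        print(f"{name:9s} mean={stats['mean']:6.2f} stdev={stats['stdev']:5.2f} "
              f"p5={stats['p5']:6.2f} P(loss)={stats['prob_loss']:.3f}")
    print(f"hedge worse than no hedge in {result['upside_forgone_share']:.1%} of scenarios")
```

Because sales volume is itself uncertain, the hedged distribution keeps some residual risk, and the share of scenarios where the hedge underperforms shows the forgone upside that the text says must also be counted.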

Have a Data Management System to Ensure the Above Issues Are Being Satisfied

In order to accomplish the task of assessing whether the risk management function is doing an adequate job, it is necessary to have data systems in place to capture and disseminate the appropriate metrics. Does the organization have accurate and readily available (and understandable) reports that allow senior managers and Directors to answer the questions of whether the financial risk management function is being effective and whether the lines of control and accountability are being respected and are within preset limits?

The goal here is not to measure everything, nor is it to measure everything to a high degree of accuracy. Neither is it to have perfect forecasting. It is our belief that too much emphasis has been placed on the quantitative analysis without enough consideration of what should be analyzed. An old adage of risk management is that it is far better to be approximately right than to be precisely wrong.

A key element of the data management system is that it be timely, and that it be accessible. It is of little to no use to have data that is highly accurate, yet out of date by the time it is available for use by the managers who can take action based on what the data is telling them. Likewise, data analysis that is only understandable to a select few is also of little to no use. Thus, a key element of a data management system is to develop a risk dashboard that is timely, focused on the key elements or risks that the firm must manage, and in an easily readable and understandable form.

The risk dashboard should be just like the dashboard on your car. It should be easy to read, provide timely data feedback, have only the key variables that you need to read, and have warning lights, such as your check engine light, that activate when unusual activity requiring action or further investigation occurs. In addition, the risk dashboard should tie directly back to the objectives of the risk management function.

Many organizations, particularly financial institutions, issue what is commonly known as a 4:15 report. This report is issued daily and generally has as its key feature the Value at Risk for the day of the firm. It is issued at such a time so that action, if necessary, may be taken by senior managers before it is too late in the day. It is a brief report, and in ideal circumstances can be read, and understood, in an instant.

The mere exercise of developing an effective risk dashboard is useful in and of itself. By developing a risk dashboard, the organization is forced to think about what is really important and critical about its risk management functions. It is likely that the initial development will produce changes in setting the risk philosophy, the financial risk management objectives, and in how the data is collected and processed.

Have Clear Lines of Control, Accountability, and Limits

With the risk philosophy, the risk management objectives, and the data systems in place, it is necessary to implement and put the risk management strategy into action. To do so, there need to be clear lines of control, accountability, and limits.

The first issue is to have lines of control, with checks and counterchecks. Many of the risk debacles are caused by an initial mistake being made by a risk manager or a trader charged with implementing a risk management strategy. Since in most of these cases there is no clear line of control or countercheck, the manager naturally tries to first cover up the mistake and then secondly to attempt to fix the mistake. The issue becomes that the cover-up and the attempt to fix (still without admitting that there is an issue) cause more complicated and complex issues than the initial error.

Depending on the level of sophistication of the risk management strategies employed, it is likely that the person implementing the risk strategy will not be the one deciding on what the risk strategy should be. The key issue is that there need to be methods to ensure that the risk management strategy is being properly implemented. This is a communication issue. Managers of the staff doing the implementation have to be knowledgeable enough to be able to check that the strategy is properly implemented. Secondly, they need to allow for questions to go both ways so that there are no misunderstandings in terms of the intentions of the risk plan. Thirdly, the data systems need to be robust so that unintended actions cannot be taken, and if such actions are taken that they are flagged. Again, too often, the data management system is controlled by those doing the implementation. This leads to potential for them to adjust the data feeds going to management in such a way as to paint an overly optimistic and misleading picture. The data management system is a key communication tool in making sure that the right data is getting to, and being understood by the right managers.

The third broad element needed is a proper set of limits. There should be limits, coupled with well-defined policies, on who can do what in terms of risk management, how much of it they can do, and in the case of derivatives where, and with whom, they can conduct trades. The time to do due diligence on trading activities is before activities are undertaken, not after a risk debacle has occurred.

Most companies with a sophisticated risk management function delineate implementing the risk management strategy into three separate functions or offices. The “front office” is where the risk management strategies are actually implemented. The front office is where the derivative trades are done, and where the specific tactics are chosen. The “middle office” does the calculation of the exposures, both the risk exposures of the firm, as well as the exposures of the risk management strategies. The middle office will keep track of the size of the risk manager’s positions, and will also keep track of related data such as the level of counterparty exposure to each of the firm’s counterparties. Finally, the middle office is generally responsible for ensuring that limits are respected and for escalating to senior managers in case of risk management activities beyond preset boundaries. The third leg, the “back office,” takes care of the nitty-gritty operational details such as making sure that the proper cash flows are being received and sent for any contracts entered into. The back office also checks that the contracts and paperwork are properly executed, recorded, and in line with the risk strategy. This three-pronged separation of duties creates a robust set of checks and balances and allows for issues to quickly come to light.

Case Study

Barings Bank

Barings Bank was founded in 1762 and operated for nearly 250 years before unauthorized trading losses of more than $1 billion saw the bank collapse and be purchased by Dutch bank ING for £1. This debacle, which has been made into a movie, Rogue Trader, highlights key operational and governance risks and the devastating impact that can result if these risks are not properly managed.

Nick Leeson, a 28-year-old Brit, was working as a trader in Barings’ Singapore office, where he executed trades on behalf of the Bank’s clients, and looked to capitalize on arbitrage opportunities in Asian financial markets. Leeson had been very successful for several years, generating profits of £10 million in 1993, 10 percent of the bank’s total earnings. A trading error resulted in losses for the firm, but Leeson didn’t want to admit the error to head office, and felt that he would be able to earn the money back before it was detected. Things did not go according to plan and the losses compounded. In an attempt to make up the larger shortfall, Leeson kept increasing the size of his bets, risking more and more of Barings’ capital. He was also able to open a new account, the now infamous “88888” account in which he buried the losses, helping avoid detection from head office. At one point, Leeson had wagered $29 billion in equities, currencies, and interest rates, and losses ended up exceeding $1 billion.3 Eventually these losses were discovered, and Leeson was arrested in Germany after fleeing Singapore. He ended up being sentenced to 6½ years in prison.4

What were the key risk management failings that led to this debacle? Leeson was effectively running the front office (trading) side, the middle office (risk exposure measurement) side, and the back office (settlements and accounting) side of the Singapore office. This structure allowed him to create the 88888 account and falsify reports and documentation. The three-tiered control structure of a front, middle, and back office was not present. Leeson was responsible both for making trades and for verifying the exposure and limits on those trades. Additionally, he was responsible for maintaining the paperwork for his activities. Thus, Leeson was a single person controlling both trade execution and trade settlement, which allowed him to hide losses until they got out of control. In addition, the overall governance structure at Barings was deficient. The fact that a 20-something-year-old trader in a remote location thousands of miles from head office was able to enter these trades without full knowledge of senior leadership at the bank, and that he was able to continue receiving additional funding to support these trades, shows that oversight was severely lacking. It appears that few senior managers had enough experience, knowledge, or self-esteem to ask what was going on. The Board and senior managers appeared willing to turn a blind eye until it was simply no longer possible for them to do so; but by then it was too late for Barings.

Other Elements of Effective Governance

Risk management is implemented by people, and thus ultimately the quality of risk management in an organization is the quality of the personnel implementing risk management. Hiring talent is an art, particularly for risk management. The focus on risk management certifications has led to a number of individuals becoming very knowledgeable about risk, but we believe that being a competent risk manager goes well beyond knowledge. Risk management requires not only knowledge but also creativity and intuition—both skills that are very difficult to learn through a book or a course. Risk management is a skill that is developed by being curious, by being willing to think, by developing creative stories about possibilities for the future, and by learning through experience.

Historically, risk managers were experienced managers who had “been there and done that.” However, with the increase in sophisticated techniques, the trend has been to favor those with education over those with experience. The sweet spot, though, is likely in the middle: having a proper combination of experience and training. Given that, training is a key component of risk management, and not solely for those who will be risk managers themselves. While financial risk management, as opposed to the more generalized enterprise risk management, is admittedly more of a discipline for a specialist, the reality is that risk management should be a part of everyone’s responsibility. For instance, frontline managers can often sense a change in market conditions well before sophisticated traders in front of their data screens can. It is this institutional participation in risk thinking from varied parts of the organization that is so valuable to harvest.

Given that, training thus becomes a key component of having best-in-class risk management. Training helps to increase awareness of risk management issues, and illustrates the importance of risk management for competitive advantage. Training also creates a common language and set of assumptions around risk management, which significantly improves implementation of the risk management strategy. With training, the entire organization has the potential to become the eyes and ears of the organization in terms of risk; a better data set cannot be purchased. Perhaps most importantly, training increases acceptance of the risk management objectives. When employees understand risk practices, and when they are given the understanding and rationale for such practices, they will be much more accepting and compliant. They will also become much more willing to proactively integrate the risk management department in designing new corporate initiatives.

Risk training is also essential for senior managers and Directors. Senior managers and Directors need risk training so that they can ask quality questions about the risk management plan and its implementation and respond appropriately to the answers provided. They are not necessarily going to become risk managers themselves, but good corporate governance and good risk governance demand that they be able to carry on the necessary discussions surrounding risk management issues with those who are responsible for implementing the risk management plan. Virtually all risk management debacles are caused in part when the risk management team knows that they can act with impunity due to the ignorance of those who are supposed to be supervising them.

Ultimately, the responsibility for risk management belongs with the Board. If the Board cannot carry out that responsibility effectively, then the corporation will be exposed. Risk management training is essential to ensure this is not the case.

Another component of good risk management is that appropriate and ongoing investment be made in the risk management function and its implementation. Often, risk management is seen as a burdensome cost center. Seeing risk management as a center in which sufficient investment should be made yields significant dividends. As implied throughout this book, risk management is not a nice-to-have, but instead is a must-have. Admittedly, different firms will have different needs and different scopes of risk management operations based on their activities. However, it is difficult to conceive of an organization that cannot benefit from a suitable investment in risk management. The issue is that risk management is often considered as an afterthought, not as a central factor in success. That is a mistake in our opinion.

Part of the necessary investment in risk management is an ongoing review of policies and practices. Risk is an evolving field, both in its practice, and because of the new risks that are constantly arising in the global marketplace. Good risk management governance implies that the organization will respond to the evolving risk landscape with continual updating and renewal and training. Financial risk management is not a one-time implementation. It needs to be constantly reset and refreshed to be effective. The risk philosophy, the objectives of the financial risk management function, the controls and limits, the risk metrics, and the lines of accountability all need to be reexamined on a regular basis.

Of course, as stated earlier, the effectiveness of the risk management function needs to be continually examined as well. The organization needs to check on what lessons it is learning from its experience with risk management. Risk is a learning activity, and the firm should be tracking its risk management results not only to determine its effectiveness, but also for the lessons it can learn.

A final component to effective risk governance is to create a positive culture around risk management. A positive culture around risk management has several components. It is in part a function of training, so that the organization’s staff understand what they should be doing in terms of risk management and why they are doing it.

A second component to a healthy risk culture is to have an appropriate emphasis on risk management so as to ensure the risk function, policies, and procedures are appropriate to the activities of the firm and not choking off normal activity. Risk management should be enabling the business rather than being seen as a bureaucratic burden halting progress. Risk management should be seen as a friend or helpful ally to the business lines. Risk should never be seen as “The Department of No!”

A third component to creating a positive risk culture is counterintuitive; namely, to allow mistakes. If staff are allowed to make mistakes, then not only will they be encouraged to learn from their mistakes, but they will be more willing to bring mistakes forward so they can be acted upon, rather than hidden as in the Nick Leeson experience at Barings Bank. Risk management is not effective if it operates in a culture of fear. Risk management explicitly recognizes that bad and good things can happen and will happen. Risk is not a fool-proof science. Mistakes will happen, but overly severe consequences for mistakes only create a host of unintended negative consequences.

A positive risk culture is ultimately the sign of healthy risk governance. It implies that the firm has risk appropriately embedded into the culture and the daily activities of the firm, and that risk is seen as helpful to the cause of accomplishing the strategic objectives.

Guidelines for Senior Managers and Directors

Risk management ultimately is the responsibility of senior managers and the Board. In particular, the Board sets the tone and owns responsibility for risk governance. While it is not their responsibility to dwell on the specifics, the Board needs to be responsible for having robust discussions surrounding the setting of the financial risk philosophy and the financial risk management objectives. In particular, the Board needs to agree with and approve management’s recommendations for the responses to each of the financial risks.

To adequately fulfill their obligations, Board members need to stay abreast of risk management developments, both within and beyond the boundaries of the organization. They need to ensure that they get the proper education so they can properly assess the risk strategy.

The specifics of the Board fulfilling its obligations lie in asking the appropriate questions and, just as importantly, in being able to understand and critically examine the answers that are forthcoming. As mentioned in the previous section, risk management troubles tend to start when the risk management function believes that those responsible for oversight, namely, the senior management team and the Board, do not have the will to gain the necessary knowledge and understanding they need to provide adequate oversight. To provide good risk governance, the Board needs to question risk assumptions, question risk tactics, and question risk results.

In Chapter 3, we put forward some essential risk questions, namely, what can happen, when can it happen, and how much of an effect can it have? These questions are an excellent starting point for the Board to begin its risk management discussions at a meeting.

The final component for Board members to remember is that risk is forward looking. Most experienced Board members are naturally very good at this; that is how they got to be Board members in the first place. Much of the risk analysis and many of the Board reports that we have seen are focused on what has happened, not what might happen. What has happened is interesting for the lessons that can be learned, but beyond that the past is not a good way to plan for the future. Risk evolves, and the organization’s risk practices need to evolve as well to meet the future, not to be great for a past that is likely never to reoccur.

Ultimately, Board members got to be Board members because of their business intuition. In our view, business intuition is also risk intuition. Although risk management is a somewhat specialized branch of financial management, competent Board members will rely on their intuition, and that by itself will make them competent for good risk governance. The issue is when they meekly defer to the financial risk experts, who may have the risk knowledge, but not the experience that is so important. Poor Board members accept uncritically the reports they are given; great Board members keep asking questions until they are satisfied.

Concluding Thoughts

An organization can have world-class risk management ideas and systems; however, without proper risk governance, it will all be for naught. A great risk strategy and great implementation will almost always underperform a more modest risk management program that has proper governance. It is our belief that risk governance is the central role of the senior management team and the Board. Financial risk management is a key part of the overall risk governance.

________________

1. S. Hansell. October, 1994. “P.& G. Sues Bankers Trust Over Swap Deal.” http://www.nytimes.com/1994/10/28/business/p-g-sues-bankers-trust-over-swap-deal.html

2. U.S. Securities and Exchange Commission. https://www.sec.gov/Archives/edgar/data/80424/0000080424-94-000021.txt

3. R.W. Stevenson. February, 1995. “The Collapse of Barings: The Overview; Young Trader’s $29 Billion Bet Brings Down a Venerable Firm.” http://www.nytimes.com/1995/02/28/us/collapse-barings-overview-young-trader-s-29-billion-bet-brings-down-venerable.html?pagewanted=all

4. J. Rodrigues. February, 2015. “Barings Collapse at 20: How Rogue Trader Nick Leeson Broke the Bank.” https://www.theguardian.com/business/from-the-archive-blog/2015/feb/24/nick-leeson-barings-bank-1995-20-archive
