Risk Management Responsibilities

Posted on Mon, 01/05/2009 - 08:32

Lessons from the credit crunch

The continuing upheaval in financial markets and the economic system in general provides many important lessons in the core components of financial risk management. The climate has highlighted the importance of effectively identifying and managing financial risks, the impact when things go wrong and where the responsibility lies for the consequences.

The legal and regulatory framework for banks and companies states the principles of board responsibility for the affairs of an institution. These principles make clear reference to the responsibility of boards to review, approve and monitor the financial targets and risks within the company’s financial statements and business activities. In relation to financial risks, the question becomes: what should boards and their senior executives be doing to ensure that risks are effectively dealt with?

Regulatory Framework

The banking sector has perhaps the most specific focus on the management of financial risks. The guiding standard that is a key influence on central banks and banking regulations comes from the Swiss-based Bank for International Settlements (BIS), and particularly its Basel Committee on Banking Supervision. The update of the standards, known as Basel II, has been, or is in the process of being, applied by bank regulators across the world.

The Bank of Thailand (BoT) has been progressively updating its regulations for capital adequacy with the initial focus on the minimum requirements for credit, market and operational risk. In August 2008, it released an updated notification for board responsibilities of financial institutions outlining requirements in the areas of risk management and capital adequacy, establishing risk appetite, appropriate policies, procedures and controls. This is consistent with what is known as Pillar 2 of Basel II and it is expected that further notifications will be released related to Pillar 2 in the near term. This pillar is more qualitative and judgemental in terms of how to apply and comply with it.

In several countries where the regulators have implemented these Pillar 2 requirements, we have seen evidence demonstrating that compliance is very high on the regulators’ agenda. Some regulators may conduct closed sessions with bank boards to assess their knowledge of the bank’s risk exposures and framework. Board members may not be able to defer to executive risk managers to answer questions, as those managers may not be invited to the session!

While most major firms have extensive risk management frameworks and procedures, gaps in the design or implementation have clearly emerged. Firms will benefit from attention to strong standards in defining risk appetite, applying risk governance, understanding technical risk issues and comprehensive stress testing.

Risk Appetite

The risk management framework is expected to be developed and applied within an overarching statement of risk appetite. Risk appetite is set by the Board and reflects shareholder aspirations within the constraints of regulator requirements, creditor and legal obligations. It is an expression of the willingness or capacity of an organisation to tolerate high or low levels of exposure to risk and volatility in order to achieve its strategic objectives.

Defining a pragmatic and quantitative risk appetite framework has been the focus of significant investment for financial services firms in recent times. The primary driver for this investment is achieving competitive advantage through clarity of risk desirability. Regulatory change such as Basel II and Solvency II (for the insurance industry), coupled with increased focus from rating agencies on the robustness of enterprise risk management frameworks, is also driving activity in the development of risk appetite parameters.

Risk Governance

A strong risk culture is essential, starting with the ‘tone at the top’ with the Board clearly stating its risk management philosophy and commitment. Making sure that adequate risk management is in place is the responsibility of each institution’s senior executives, in particular the CEO, subject to the oversight of the Board.

Some suggestions for Boards to enhance their oversight of risk are mentioned below. These do not reduce or transfer the responsibility of management in the risk management process.

  • As per Basel II and legal requirements, Boards need to be educated on risk issues and to be given the means to understand risk appetite and the firm’s performance against it.
  • Some boards may see that it would be appropriate for them to have separate audit and risk committees, given the differing skills required and the time needed to review issues adequately.
  • It is useful to have at least a portion of members of the risk committee of the Board with technical financial sophistication in risk disciplines. This gives a clear perspective on risk issues.

The Board should understand the risk appetite and assure itself that management has properly considered the firm’s risks. The business plan process now needs to involve the risk management function from the beginning, to test how targets sit within the firm’s risk appetite and to assess potential downsides. It is important that there is clear communication of the firm’s risk appetite and risk position to business units, and for these units to undertake detailed assessment of the risks they face within their respective divisions.

Risk management needs to be included in development of the firm’s strategy. CROs should also be risk strategists, have a strong presence within the senior executive and report directly to the CEO. The CRO should have a mandate to bring to the attention of both line and senior management or the Board any situation that could impact risk appetite parameters.

Risk Management

Risk managers need to manage and measure risks on the basis of the firm’s approved risk parameters, independently of regulatory requirements and categories. They should also be independent from ratings of transactions, which may not address the firm’s specific issues or be aligned to the firm’s standards and risk management goals. This has been most evident in the area of complex securities, where many firms relied solely on ratings agency credit assessments with limited, or sometimes no, further analysis by their risk management functions.

Close cooperation is required between functions, particularly Finance and Treasury, and the risk management department, to assure a robust overall assessment of risk. Many firms need to do more to integrate risk management systems and groups, breaking down silos that result in missed issues across credit, market, operational and liquidity risk areas, plus the potential impacts of mark-to-market and hedge accounting from the application of IAS 39. These issues need to be closely monitored under the responsibility of executive risk management committees. Several firms have addressed this by reviewing and broadening the scope of the Asset Liability Management Committee (ALCO) or creating a new overarching Risk Management Committee (RMC) which sits over the established individual risk committees.

The Board and senior executives will benefit from a plain language description of how the firm’s risk appetite is being applied, how its risk profile is changing, what the implications of those changes are and what strategic recommendations the risk function would make.

Stress Testing

Many firms have conducted some form of stress testing as part of their risk management framework, but they do not always perform tests on a consistent, comprehensive basis and subject findings to close analysis. Banks need to work on improving their stress testing to support their own capital assessment and planning processes under Pillar 2 of the Basel Accord. Stress testing needs to be reviewed by senior management to develop the types of stresses, relevant scenarios and impact assessment. Scenarios should be plausible, but relatively severe, to test key risk drivers and provide deeper insight into the risk profile of business units and the interplay of risk across the bank’s total book. I recall an economist who was laughed at in an ALCO meeting in early 2001 for suggesting that the bank’s exposure be tested should US rates drop to 3%. By the end of the year they were below 2% and stayed below this level before getting to 1% in mid-2003. How many companies would have assessed their position if oil prices hit USD 100 during the early years of this decade?

Be Prepared

Over the coming year, regulators may challenge senior management and boards more intensively, with a focus on issues including:

  • Do they fully understand the firm’s risk appetite and the extent of risks within their balance sheets?
  • Are there established policies, procedures and controls to systematically assess and limit these risks?
  • Do they receive adequate information regarding compliance with company policies, limits and regulatory requirements?
  • Does the risk management division have sufficient quality and quantity of resources and the authority to effectively perform its function?

Whilst it is not possible to claim 100% resilience to all risks, Boards and senior executives have a duty to ensure and demonstrate that they have established and actively involve themselves in the risk management framework that is relevant to their business environment.