Effectively managing the unimaginable
Risk management need not mean elaborate and expensive control programmes, explains Carl Hanssens, but it must start with open and honest dialogue between upper and line management
Especially since the recent financial turmoil, firms active in the capital markets are increasingly focused on risk management. Some will bolster their efforts through elaborate change programmes with catchy acronyms like GRC (governance, risk and compliance) or ERM (enterprise risk management).
Others will seek to retain or strengthen risk management practices by eliminating activities that neither add exceptional value nor produce a meaningful impact on the company’s bottom line.
While both approaches are pragmatic, there is the danger that some risk managers will add precisely what others are looking to reduce, ie extra layers to the risk management framework that bring minimal value. Conversely, cutting internal controls and reporting elements from a firm’s risk management framework must be done carefully.
As a starting point, capital market firms would do well to step back and take stock of the fundamentals concerning risk management. Operating in today’s cost-containment environment, company boards and executive management are looking for reassurance that all risks have been identified and that the controls to mitigate these risks are effective. Simply put, there is no room for surprises and tolerance is near zero for losses in areas that are supposed to be well controlled.
In parallel, line managers are seeking expert guidance through the web of existing and new regulatory requirements with which their internal controls and risk management practices must comply. Although the needs of upper and line management are different, both benefit from clear and well-articulated risk management goals, strategies and practices.
Control objectives
Effective risk management starts with an open and honest dialogue with the board on the risks that the enterprise faces, ideally logged within a risk register. This register lists the known inherent risks that result from the company’s specific activities. Best practice includes defining the importance of all risks, not only market or credit risks, but also operational and business risks.
The board approves a strategy to deal with these risks and issues control objectives in the form of policies with clearly defined business owners. Control objectives help executive and line management focus on managing what needs to work well instead of what could potentially go wrong.
Not only do business-owned control objectives increase management responsibility for the design of the control mechanisms, they should lead to better overall quality, because those designing the controls are also those having the process expertise and in-depth knowledge.
Business-owned control objectives also increase accountability where line management is part of the regular business-assurance process, through a yearly self-assessment process followed by official management sign-off. By empowering line management to assess and report on the effectiveness of the different internal and external control environments, executive management is able to gain a holistic view of the company’s entire business-control set-up.
This works well particularly in firms that are undergoing business process transformation programmes. This is a window of opportunity for risk management to embed its control framework and to instill risk management consciousness within the normal day-to-day responsibilities of line management. Business areas that are being transformed are required, as part of the programme, to assess control effectiveness against board-approved objectives during the (re)design phase. Key performance indicators are often used during this process.
Best practice dictates that the role of risk management be limited to the design phase of a self-assessment framework. It should facilitate the detection of inherent risks and assist in assessing the control objectives across the organisation to ensure consistency. Control needs to be a management process. Line managers need to feel that they own and can manage the control objectives in order for these objectives to be successful.
Where the control process covers the identified risks, firms should attempt to spot the up-until-now unknown risks. Currently, organisations tend to over-focus on controlling the known risks while potential hitherto unknown risks are ignored or disregarded. A classic loss distribution curve shows that control covers mainly the known risks and expected losses. But how do firms ensure that the important unknown risks are also identified, and that incident-specific risks do not transform unexpectedly into a business or strategic risk?
Most companies rely on a risk self-assessment methodology in which line managers and staff brainstorm around the potential pitfalls linked to the activity of the firm in order to detect new or unknown risks. As a bottom-up exercise, this can be very useful for line managers as control gaps and new risks for the business unit are identified pro-actively.
Subsequently, action plans will be initiated to mitigate the risks and eventually create or improve the controls.
Top-down self-assessments are sometimes used as a complement. However, in most cases, the benefit of top-down self-assessments is limited as they are “too process oriented” and seldom lead to a good view of the impact of threats the company or service is facing or the possible transformation of risks.
A further trend is one towards risk specialisation. But this has not necessarily helped to get a better view of the transversal risks. It has led risk managers to segment the risk universe into easily understandable parts that all have their idiosyncrasies. This has resulted in a better understanding of these risks, improved reporting, improved models (albeit more complex) and better risk managers.
Conversely, this has also led to a ‘silo’ risk approach and created a false sense of security, because where risks are monitored only from a silo perspective, they often seem manageable.
Taking a holistic view
Risk management is uniquely placed within an organisation to create a comprehensive picture of the company’s risks at pre-determined intervals. To do this, a firm needs to glean valuable data from credit, market, liquidity and strategic sources.
For example, a firm active in the capital markets will protect against specific country risk or political risk by installing formalised monitoring and rapid-response units. But, do firms sufficiently account for the potential spillover of events, like country defaults, generating incidents in other areas of the firm, ie pressures to skip standard procedures, breach of contracts, unwanted press attention etc?
The financial world has changed dramatically in the aftermath of the global financial crisis. Risk management has moved on too. It can no longer be seen as a necessary evil within an organisation. It has an inherently pivotal role in setting the standards of day-to-day controls which can have an impact on the longer-term viability and direction of a firm.
Yet, risk management need not mean elaborate and expensive control programmes, particularly where line managers are actually better suited to do the job.
Before entering into an expensive change management programme, be sure to meet three risk management basics. First, obtain buy-in from both upper management and the board for a detailed risk register, complete with defined control objectives and business owners. Second, line management must agree to regularly assess the known risks and the control framework for accuracy and effectiveness, making the necessary revisions to improve the framework. And finally, risk management should be a facilitator in the control process, intervening only when a consolidated cross-business risk assessment and mitigation approach needs to be taken.
As a result, internal stakeholders, as well as regulators, will better appreciate the firm’s system of internal controls and risk management.
Carl Hanssens is director of risk management at Euroclear