Predicting when and how "Black Swan" events will unfold is futile, but businesses can prepare for the potential risks that accompany them and how they will survive them. Millions of people and thousands of financial institutions around the world are still recovering from the recent subprime mortgage implosion and resulting financial crisis. And financial institutions have reached a pivotal moment because of it. They are trying to navigate a changing economic environment and continuously changing regulatory environment, while simultaneously trying to expand their businesses.
Some are headed down the road of simply meeting the regulatory requirements and avoiding risk whenever possible. Of course, such actions will lead to business decisions that will continue to stall growth and impede economic recovery. The riskier and ultimately more productive course is to understand their risks better than they ever have before to make smarter, better-informed decisions. Doing so will help the industry ensure that the catastrophic failures of the last few years never happen again and that financial institutions can grow their business in a healthy way that ensures long-term success.
By managing risk at the enterprise level, financial institutions can achieve a complete and timely view of all threats and opportunities. This allows them to get more and better products and services to market faster; invest staff and resources in those business areas where they have the most opportunities; and position themselves to compete more strongly against their competitors.
So how do you achieve that complete and timely view of all risks — good and bad? There are five elements of effective risk management. They start — and end — at the top, with your executives and the board of directors.
First, your leaders need to clearly define your institution's risk appetite. An effective risk appetite will serve as the glue that joins your institution's risk management framework to its business goals. It directs risk management efforts to the overall benefit of the firm, provides a lens through which strategic decisions can be considered and ultimately leads management to a more consistent and consolidated view of risks and how important they are in the overall scheme. Last but not least, it can help keep the regulators happy, since they'll know you have a clear mission statement used to actively manage risk.
Second, your leaders need to establish a strong culture of risk management. To accomplish this, you must communicate your risk appetite clearly and ensure all employees understand it. It needs to be woven into daily business operations and ingrained in operational policies, procedures, processes and technologies. You must create incentives for living up to, but not beyond, your risk appetite so that your culture will permeate all departments, business lines and operating entities across all geographies. If you succeed in doing so, then operational managers will readily embed your institution's risk appetite into their roles. It will be at the forefront of any business decision they make.
This brings us to the third point. You must operationalize risk management, instilling responsibility and accountability into the front lines so that your employees live and breathe it. To do this, you must ensure risk management becomes part of your business workflow.
Technology can play a valuable role in helping you operationalize risk management. While not a silver bullet, technology can help illuminate risks and illustrate how they could help or harm your institution. Executives and the board of directors can use technology to see the institution's current risk situation whenever they need. Technology allows your compliance, risk, IT and internal auditing departments to work together to manage risk — all with the common objective of achieving your strategic goals. And each department within your institution can use technology to address risks important to them but still within the common framework that spans it.
That leads us to the fourth element of good risk management — knowledge and expertise. Technology is great, but you can't effectively manage risk with technology alone. The difficultly in planning for Black Swan events lies in accurately discerning between noise and meaningful potential scenarios. To accomplish this, you need the input of experts in each risk area and business unit. And this extends to vendors and other third parties you work with. Select those that know your business and understand the challenges you face.
Finally, the fifth element is to control and measure. It's not enough to establish a risk management program. You must put the proper controls in place to help make sure you are complying with regulatory requirements and acting in accordance with your firm's risk appetite. For example, you may have a sound risk management program in place at your headquarters, but what about your branches or retail operations? Are the decision-makers at these locations managing in accordance with it? The controls, and the degree to which employees are following them, also provide you with a tangible way to measure the impact of your risk management program. And they can help you prove to regulators that you are proactively managing and measuring risk.
If you do these five things, you will not simply be managing risk. You will be managing your business through a sharp lens to understand risk in a comprehensive way, allowing you to make smart business decisions much faster than competitors who view risk as something to run from.
