Comment: Why Risk Management Must Be Integrated

Just as risk management is the hot topic in financial services today, integrated risk management is the hot topic among risk managers.

By now you've probably read about the Office of the Comptroller of the Currency's "Supervision by Risk" program as well as similar initiatives by the other bank regulatory agencies. And, while financial services entities continue to strengthen risk management practices in specific areas (e.g., market risk), the real focus at banks around the country is on how to pull it all together and develop an enterprise risk profile.

What exactly is integrated risk management? Think of it as a comprehensive view of risk - how all risks are identified, measured, controlled and reported, across all lines of business and staff functions. But the real key is integration.

While you may have all the pieces to the puzzle, you can't see the total picture until you put the pieces together.

Many banks have well-developed risk management processes for individual risks such as credit and interest rate. But there are often important differences as to how those processes are executed, managed, measured, and reported.

For example, interest rate risk might be managed centrally in treasury, whereas operational risk - associated with activities like securities processing and mortgage loan servicing - may be managed on a decentralized basis.

And while interest rate risk may be formally measured each month as a function of dollars at risk, no such quantification may occur with operational risk.

We have found that business managers themselves can assess the risks inherent in the activities they are responsible for. Creating a separate enterprise risk management process will only add another layer of administrative burden and in all likelihood will not be embraced by the business managers.

To implement an individual responsibility approach, a bank must empower the business managers with methodologies and tools to better manage risk.

A well-designed framework should guide the business managers with common definitions of risk as well as approaches to assess the risks in new initiatives and existing activities.

In addition, such a framework should provide tools such as risk assessment matrices. A corporate framework assures consistency in application.

One of the first issues bankers must deal with is that risk has different meanings to different people. It's often difficult to discuss risk issues unless everyone is speaking the same language about what risk is and what types of risk are present in banking.

Fortunately, the regulators have given the industry some models to work from.

One of the critical steps in developing and implementing an integrated risk management framework is agreeing on the risk categories for your institution and defining each risk.

Many models and definitions are present and evolving in the industry. There is no one "best" answer. Therefore, the key is to pick a model early in the framework-development process.

Another issue facing bank executives is determining which form of organizational structure best supports an integrated risk management framework.

Some banks have anointed "risk czars" to whom the various functional risk managers (e.g., manager of credit policy) report.

Other institutions have gone the committee route, with each of the functional risk managers represented on the committee. Line-of-business executives may also sit on the committee.

The Board's role in integrated risk management must also be defined, and committee structures must be aligned with the corporate framework.

The approach that works best for your institution depends on the overall organizational structure and culture. The key is providing a forum for the functional risk managers to get together and talk about risk.

Many factors affect a bank's risk profile. These factors may be external to the institution, such as changes in the marketplace or the economy, or they may be internal factors such as new products or organizational changes.

Your institution may have a rigorous new product review process. However, is this same degree of rigor applied to factors that might affect either existing levels of risk or risk management processes?

For example, assume that a strategic alliance is formed to add a new distribution channel. Is a formal review of the existing infrastructure carried out to ensure it can support not only the new volume but also the way in which the products will be delivered?

This may seem like motherhood and apple pie, but is there a corporate standard that requires such analyses?

Many banks are developing aggressive sales cultures and executing new revenue-growth strategies such as doing business on the Internet.

Bank executives must focus on aligning infrastructures of people, business processes, and enabling technologies with stakeholder needs and key business strategies.

An effective, integrated risk management framework enables senior management to identify infrastructure gaps, which, if not closed, could lead to disastrous consequences.

Another critical element of the risk management framework is the ability to monitor the progress of initiatives needed to fill the cracks in the infrastructure foundation.

If one looks at the various types of risk - whether they are defined under the OCC model, the Fed model, or an institution's own model - certain risks lend themselves quite easily to quantification, whereas others do not.

For example, market risks can often be quantified without too much difficulty, while compliance risks generally can't be.

So how does one aggregate the various risk levels into a single measurement? A better question might be whether such a measurement number makes sense.

If one of your employees told you the aggregate risk rating of the institution was 8.60 today, versus 8.55 yesterday (on a hypothetical scale of 1 to 10), would this be of any value to you?

What might make more sense is a "risk scorecard" that highlights the key performance indicators for each of the risk management processes. This would give bank executives a snapshot of how well their risk management processes are holding up.

Some indicators would be stated in dollars at risk or some equivalent measure, while others might reflect the quality of a business process (for example, the number of reconciling items outstanding more than 90 days in a transaction-processing operation). Scorecards could be completed at different levels of the organization, with the ultimate scorecard representing measures of success in managing risk at the strategic level.

But even these "risk scorecards" really don't go far enough.

If one is going to reap the benefits of risk-adjusted performance measures and assign capital based on risks taken, then all risks need to be measured in terms of dollars.

A robust, integrated risk management framework can facilitate such measurements by providing standard methodologies that promote consistency throughout the organization.

Mr. Stoll is a Pittsburgh-based partner and director of the bank risk management assurance services practice of the Ernst & Young consulting firm.
