Before the bottom fell out of the markets last year, most asset management firms thought they had robust risk management processes in place. Now they're not so sure.
Experts say firms that are rethinking risk should focus on developing a flexible program.
The main problem with risk management systems and Monte Carlo simulations, experts say, is that they don't take into account extreme, tail-end events, also known as "black swans" — unpredictable events.
Though businesses won't be able to plan for everything, there are opportunities to strengthen risk management, said Edward Hida, a partner at Deloitte and a global leader of the firm's risk and capital management division.
Threats to the global financial system "have demonstrated the need for enhanced risk management capabilities and reiterated a basic principle: Risk and return are generally correlated and should be evaluated together," Hida wrote in his report "Risk Management in the Spotlight."
"Many institutions still may need to implement enterprise risk management programs to gain a more comprehensive view of the risks they face," Hida wrote. "More sophisticated methodologies will likely be adopted by many institutions to manage the risks in today's more complex environment, such as 'tail risks' from unlikely events and the risks from a lack of liquidity."
A risk management system must have three lines of defense, Hida said. First, the company's board of directors or board-level risk committee must play an important role in providing guidance. Next, firms should create or enhance the role of a chief risk officer to establish and lead the risk effort. Third, firms should do an internal audit to make sure the first two lines of defense are functioning.
Risk management should start at the board level, Hida said.
Hida said executive management must provide leadership to help make the risk strategy, risk appetite and risk management framework more transparent. It is natural for companies to take on more risk during bull markets, but it is the duty of the board to keep this risk in check. "The board of directors should approve a statement of the institution's risk appetite," Hida wrote. "A formal statement of risk appetite can provide strategic direction for business decision-making by making explicit the amount of risk that an institution is willing to make."
In addition to the board, a chief risk officer plays a vital role in defining risk appetite, guiding business decisions and assessing the aggregate level of risk across the institution, he said.
"Creating a risk-aware culture may require organizations to go beyond the chief risk officer and senior executives, and to infuse risk considerations into the fabric of the organization," Hida wrote. "Successful enterprisewide risk management efforts should include a significant communication component such that the key principles and goals of risk management are understood by all employees."
This component should include clear support of the chief risk officer from the board, the CEO and other members of the senior executive team, Hida said.
A Deloitte survey of financial firms found 73% had developed a chief risk officer position or its equivalent. At nearly three-quarters of the institutions surveyed, the chief risk officer reported to the board of directors and/or the CEO.
Only 36% of institutions said they had an enterprise risk management program, though 23% said they were creating one.
Among those companies with an enterprise risk management program, 85% said they found that its value outweighed its cost.
"To gain a comprehensive view of all the risks they face, their linkages, and how they are being managed, more institutions may need to consider implementing enterprise risk management programs," Hida said. "While financial institutions have a long history of managing the more traditional areas of market and credit risk, many firms may need to improve their ability to manage emerging risk types, such as reputation risk and liquidity risk."
Most of the companies surveyed indicated relatively low levels of satisfaction with their current risk management systems, and 71% said they expect to increase spending on risk management technology over the next three years, in some cases substantially, Hida wrote. Although spending is tight, firms that invest now to upgrade risk technology systems could reap benefits from better-informed risk decisions in the future, he said.