There's a new malady in banking, and it's chronic. Some are calling it risk management fatigue.
Consider the equity division business unit manager who arrives at work bright and early to discover that a volume surge has caused her global company's trading platform to experience delays and periodic outages, resulting in scores of trade breaks, suspense items, and even broken trades.
She pours a cup of coffee, fires up her e-mail, and now she's really depressed. Her inbox has been barraged by a bevy of information requests from various departments. The internal audit department wants her to review its risk assessment of her business and agree to four audits over the next 12 months. The compliance department would like her eyes on its own - completely different - risk assessment, which indicates her department is "high-risk," so compliance would like to do its own review. The operational risk department would like her input for its own survey of her department.
Last, if not least, the information technology department has requested that she complete a 20-page business continuity survey.
This story has become much more commonplace over the last few years. The global financial services industry has seen an unprecedented volume of regulatory change, with authorities, rating agencies, and shareholders all demanding more and better information. As firms have been forced to focus more on creating a more transparent risk management culture, they have created countless - and often overlapping - risk- and control-related programs.
Many of the risk and compliance processes in place are not going to be able to do the job. They aren't scalable, the technology supporting them is insufficient, and they are not integrated into a common framework.
Firms are now moving toward "risk convergence" models that integrate risk and control processes, easing the burdens on the operating units and returning managers to the job of growing revenue. Convergence is an ambitious and worthwhile goal that can produce direct savings and could produce even greater indirect savings.
A truly successful risk convergence establishes integrated approaches across the institution and promotes the ability to coordinate risk and control activities and share best practices. It also allows for comprehensive reporting to senior management and the board.
But most financial firms' risk governance structures were not designed to do this. Typically the various organizational control units (risk management, compliance, finance/SOX, audit, etc.) have operated in silos. As regulations have been promulgated and tolerance for "unexpected surprises" has diminished, the units often have increased and expanded their scope, resulting in ever-increasing overlap and redundancy.
As with any pervasive problem, the path to salvation starts with buy-in from senior managers (including directors). There are four key steps along the way.
Define the vision. How many well-intentioned projects fail due to the lack of a defined "endgame" at the outset? Defining what your firm wants and needs to do is critical, given the complexity of this type of effort.
All aspects of the risk and control framework need to be considered. These include issue tracking, control testing, rationalization of reporting, data structures, technology, unit-level controls, Governance (with a capital "G"), training, legal-entity rationalization, and deployment.
The benefits and cost of change in these areas will be unique to each organization, but change should benefit risk management overall. Some key questions to ask: How long will change take to implement, and how will the payback be defined?
The responsibility matrix. Now that you know what you want to change and how, you need to draw the lines to the responsible parties. While the business units are the primary owners of the risks, the organization needs to clearly define the roles and responsibilities for each risk type. This is a key step in a risk convergence program, as it is likely to show the areas of greatest overlaps and gaps in the organization's governance model.
Increase the buy-in. Get buy-in from all corners. The toughest challenges, particularly in today's far-flung global institutions, come from people, not processes. Support from the chief executives is important, but the next layer of management will make or break the project. This is particularly important, because a risk convergence program will require compromise between the various stakeholders.
Tackle the tactical. The organization should engage in tactical projects designed to validate or refute assumed benefits. It is important to understand the depth of the issue to determine the expected benefits of fixing it. Since risk assessments are a frequent cause of organizational pain, a "deep dive" into the organization's approaches to risk and control assessment provides a good testing ground.
One bank that went through this exercise identified more than 40 risk assessments performed by different groups in myriad ways. The deep dive allowed the organization to understand the scope of the issue and mobilize the appropriate team to begin a remediation program.
Recognizing that risk convergence is not only desirable, but also probably inevitable, several forward-thinking institutions have launched convergence efforts, allocating budgets and resources. Their payoff will be a flexible, efficient, and sustainable risk management framework that can meet not only today's requirements, but also those of the future.