It is now widely agreed that the credit crisis and ensuing economic downturn that rocked the banking sector were caused in large measure by the fact that no one understood the scope and scale of the risks banks were taking and the disastrous consequences of these risks for the global economy.
Recent economic metrics suggest the downward spiral has stopped. Banks that will thrive in the new economy are taking a hard look at how they run their businesses. At the top of their priority list is reviewing their risk management plans and processes to ensure that they have more transparency into the risks that they are undertaking as they execute their respective business plans. In a recent KPMG survey of senior executives in the banking and financial services industry, nine out of 10 respondents said they were creating or modifying their risk management plans because of the economic crisis.
An overhaul of risk management will strengthen a bank's business portfolio and balance sheet and help it regain the trust of regulators, customers, investors and analysts.
Banks have even more incentive to invigorate their risk management plans considering the new regulations and laws under consideration. The SEC has proposed that companies disclose board members' background in the area of risk and reveal when there is a misalignment between incentive policies and the long-term well-being of the organization.
While it's too early to tell what form it will take, President Obama and Congress agree that a regulatory body or bodies should have oversight responsibilities of systemic risk. Regardless, banks need to anticipate a significant advancement in systemic-risk regulation.
Furthermore, the rating agencies are also requiring more information about a company's enterprise risk management program, which gets factored into a company's credit rating.
Three of the key leading practices for the development of a highly successful risk management program are described below.
Establish a risk culture. Banks should review the values and behaviors that shape their risk decisions.
A company's risk culture — advocated and reinforced consistently from leadership on down — must emphasize that employees "do the right thing" rather than "do whatever it takes." Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits.
Organizations that successfully establish a risk culture also effectively communicate about ethics and risk and link employee compensation to "doing the right thing." They also formally consider risk during the hiring process and evaluate the risk cultures of their business partners.
Appoint a risk executive. Organizations are increasingly appreciating the need for a risk executive who can play a critical role in creating and sustaining ERM practices.
Though many financial institutions already have a risk executive or chief risk officer in place, management needs to take a good look at this person's role and responsibilities.
What has become clear is that before the credit crisis, the CRO's recommendations were not always incorporated in the bank's ultimate business decisions, being viewed as a potential hindrance to profitable growth.
Hindsight has clearly shown that this view couldn't be further from the truth.
A risk executive should be empowered to establish a common approach toward risk management prioritization, quantification, analysis and reporting. The risk executive also can advance fundamental conversations with management and the board regarding effective risk management, which starts by seeking answers to several key questions:
- Does our existing risk profile accurately capture our risks, and is it regularly reviewed and updated so we can avoid surprises given the velocity of economic change and the business environment?
- Do we have the tools, techniques and processes to identify and manage our risk exposure?
- How well are our risk-monitoring (e.g., internal audit) functions working? Are they operating in tandem or in silos?
- Are we getting value out of our risk management and monitoring programs, and if so, how are we measuring that value?
- Are our risk management processes being included in our daily business decisions?
If organizations want to elevate the risk management function, they need to install a risk executive who has the vision, authority and confidence of management and the board to keep risk management efforts improving and evolving.
Determine the appropriate risk appetite. In the new economic environment, banks are re-evaluating the amount of risk they are willing to take on in pursuit of their strategic objectives.
A well-defined and well-articulated risk appetite allows an organization to make business decisions linked to business strategy, encourage consistent behaviors, increase the capacity to take on risk, and develop sharper, more intelligent risk reporting.
When developing a risk appetite plan, role-model organizations consider the skills, resources and technology required to manage and monitor risk exposures and include tolerance for loss or negative events that can be reasonably quantified.
They also develop a formal risk appetite statement that is approved by the board.
Banks recognize now that the risks they take can have a profound impact on their own businesses and the broader economy. They are looking to make changes. Those that implement and adhere to leading practices such as these will help establish a stronger, more secure banking system.