It is fair to say that not many gatekeepers came out of the financial crisis well. Banks would not put a brake on their risk-taking and shareholders lazily accepted flawed boardroom strategies and warped remuneration schemes. Credit rating agencies gave unacceptable blessings to investments they either knew were dangerous or simply misunderstood, while regulators worldwide were caught playing catch-up trying to police financial products that were already being mis-sold. Governments have also shown themselves to be largely powerless to impose repercussions, or even to take a firmer hand, three years after the crisis erupted.
And while the banking sector may be recovering from the crisis that it created with good summer news of regained multi-billion dollar profits, risk managers are still scratching their heads as to where it all went wrong for them, what their responsibilities to the board and stakeholders are, and how the profession needs to progress.
The process may take some time. According to a survey called The Convergence Challenge by accountants KPMG and the Economist Intelligence Unit, nearly half of companies are not clear about who in their organisations is in charge of governance, risk and compliance. Paul Taylor, director of risk assurance at manufacturing firm Morgan Crucible, says that there is a danger that the line between who is responsible for identifying risk and who is responsible for managing it becomes blurred.
“Despite the title, risk managers do not generally manage risk,” says Taylor. “The UK’s corporate governance code puts risk management firmly as the responsibility of the board. Many executives focus on strategic risk, and are less involved in operational and financial risk. That is a real mistake. The board has a responsibility for all corporate risk – not just parts of it.”
Other experts agree that boards seem reluctant to get involved in all aspects of risk management, believing that some risks do not need board-level involvement. Furthermore, recent research also suggests that board members may not appreciate the levels of risk that their organisations face, or understand sufficiently how these risks may impact the business. Pascal Macioce, Ernst & Young’s assurance leader in Europe, Middle East, India and Africa, says that the latest research carried out by the firm shows that audit chairs greatly underestimate the breadth and intensity of regulatory and compliance risks facing European companies, particularly those operating across borders. Audit committees have been repeatedly criticised for failing to understand business risks, or to challenge the board on its understanding of them.
Public servants
“Currently, audit chairs are being too narrow in determining the extent of the ‘regulatory risks’ facing their companies,” says Macioce. “Audit committees must think more broadly about the way that government interventions – both nationally and at G20 level – have significantly increased existing compliance risks. These risks will continue to increase until such time as new regulations bed down on both a national and global level.”
One industry sector has already reprioritised its risk registers – the financial services sector. Bankers are complaining that political interference is now the biggest risk facing the banking industry and that the “politicisation” of banks as a result of bailouts and takeovers now poses a “major threat” to their financial health, according to the annual Banking Banana Skins report from professional services firm PricewaterhouseCoopers (PwC) and the Centre for Financial Innovation. It is the first time in the 15 years of the study that “political interference” has even featured as a significant risk, let alone come top. The top risk is closely related to the third – “too much regulation” – and the concern that banks will be further damaged by an over-reaction to the crisis. Other dangers on the list include credit risk (at number two) and the economy (at number four). Poor risk-management quality also made the list of top-ten risks.
The fall-out from the current banking crisis has forced risk managers in general to re-assess how they evaluate, report and manage risk, and what skills they may need to buy in or develop to ensure that they can provide adequate assurance to the board. Phil Ellis, CEO of Willis’ structured risk solutions practice, says that the approach to risk in organisations will become a lot more scientific and there will be a much greater emphasis on ensuring value for money from the risk management function. “Over the next ten years we will see a heavy investment in catastrophe experts, actuaries and mathematicians as the C-suite demands greater assurance in more technical areas of operational, strategic and financial risk. We will also see the rise of the chief risk officer and he will have a seat in the C-suite,” he says.
But some risk managers fear that their duties, responsibilities and focus may be shaped by other factors that are beyond their control. Dieter Berger, head of insurance at Swiss-based power generating company Alpiq and president of the Swiss Association of Insurance and Risk Managers (SIRM), says that the future of risk management will be affected by increased regulation and standards on corporate governance, and – more worryingly – the increased desire to sue organisations and individuals for perceived wrongdoing.
“There is a real danger that risk management will be led backwards and become a ‘box-ticking’ compliance function rather than a value-adding part of the business because of over-prescriptive regulations,” says Berger.
“The front end of every organisation wants to create strategic opportunities for the business and the last thing they want is for somebody to come up and continuously say that these things can’t be done. Risk managers are going to be very unpopular if they are always perceived to undermine business plans. The function needs to be value-adding, but there is a real possibility that it could be seen as stamping on business plans if compliance issues take too much priority.”
Given the furore in some quarters about how poorly risk has been recognised, understood, mitigated and controlled, it is perhaps unsurprising that in a recession senior management may want to shift its focus towards business survival rather than considering “low-level” risks or compliance issues, and so prompt employees to take more responsibility for their own actions and a greater role in decision-making.
Eye on the prize
But therein lies a problem. Employees may recognise some risks, but it does not necessarily follow that they know how to mitigate, control, or leverage them. Added to that, it is unlikely – especially without any training or instruction – that they will share the same view of “risk” and “risk appetite” as senior management or the board. This could mean that staff take more risks than the board would like, or – on the other hand – they view “risk” negatively, try to avoid it altogether or try pushing it on to someone else to manage. As a result, effective risk management may be in danger as senior management tries to delegate greater risk control to people who do not share the same view of risk, or even understand the concept.
The term “risk appetite” has its home in the financial services industry where it has been interpreted to mean the financial quantification of acceptable risk exposure. But a number of international bodies have also tried to define it so that it is applicable to non-financial services organisations. The enterprise risk management (ERM) framework of the Committee of the Sponsoring Organisations of the Treadway Commission (COSO), set up in 1985 to help counter fraudulent financial reporting, describes “risk appetite” as an overall limit stated in broad terms, and “risk tolerances” as specific limits placed on key measures of performance.
“Risk appetite” is also referred to in the British Standards Institute’s BS 31100:2008 Risk management – Code of practice. It states in section 4.5.5 that the process of a risk review “should be repeated until the level of residual risk is within the risk appetite and pursuing further control changes does not seem worthwhile”.
But critics complain that such wording is unclear and unhelpful. Deciding what is “worthwhile”, they say, requires further consideration of risk. Just as budgets limit spending without ensuring that money is well spent, so risk limits place an upper boundary on risk-taking without ensuring that good risks are selected.
Last year, the Institute of Chartered Accountants of England and Wales (ICAEW) published a report into risk governance of non-financial companies called Getting it Right. It found that while companies recognise the phrase “risk appetite”, they tend not to use it internally. It also said that the terms “risk governance” and “risk appetite” were unclear and created scope for confusion, adding that “risk attitude” is “a better descriptor of what most corporates understand to be useful, and in most corporates it is communicated to management implicitly, by inference from the board’s decisions”.
The UK’s corporate governance regulator, the Financial Reporting Council (FRC), has removed the phrase “risk appetite” from the newly updated Corporate Governance Code released in June following complaints from respondents during its consultation phase. Instead, the new text says that “the board is responsible for determining the nature and extent (italics added) of the significant risks it is willing to take in achieving its strategic objectives.”
But just because the term has been dropped from the code, it does not mean that its use will suddenly disappear overnight. Nor is it likely that in the current economic climate senior managers will refrain from encouraging staff to take on more risk management responsibilities.
Dr Sarah Blackburn, managing director of internal audit consultancy The Wayside Network, says that “people often do not know what the risk appetite of their organisation is and this comes down to two reasons: they are not the ones setting the risk agenda because that’s the job of the board, and more simply, they do not understand what ‘risk appetite’ actually means.”
The risk fence
Dr Blackburn also says that people tend to be unaware of how much risk they actually take on board with their work or what impact their attitude to risk has on the organisation as a whole. “It is tremendously common that employees have no real idea how risky or risk averse their approach to work is. If you ask people whether they are risk takers or if they are risk averse, whatever they say may be at variance with what they do in practice,” she says.
Even what appear to be the most mundane – and obvious – courses of action for an organisation can present enormous risks and challenges to the organisation, warns Dr Blackburn. “For example, in a downturn, there is a general move to cut costs and squeeze efficiencies, and this can result in poor service provision, increased incidents of error, and safety problems. But how many people regard ‘sensible’ cost-cutting as a risky strategy in a recession?”
Other experts complain that the terminology surrounding “risk” is not clear and often relies on a personal view of what constitutes “risk”, rather than what might be in the best interests of the organisation. Matthew Leitch, who runs internal audit consultancy Matthew Leitch Associates, says that a sense of familiarity with phrases like “risk appetite” and “risk tolerance” is not the same as a true understanding.
Leitch says that while most definitions of risk appetite refer to a single limit placed on assessed risk, in practice organisations have used a wider variety of definitions to try to explain what they mean by risk appetite and how it affects and benefits the organisation. According to Leitch, these include using statements in words as well as numbers, which may give the impression that there is more than one “acceptable” value or limit on risk, and highlighting certain activities as having a particular risk limit.
“For example, many organisations use terms such as ‘high risk’, ‘medium risk’ and ‘low risk’ or rate risks on a scale of one to ten, but both are seriously flawed. They are too vague and encourage people to follow a particular course of action based on a personal view of what is acceptable risk, rather than what is in the best interests of the organisation.”
Leitch adds that putting maximum limits on risk can also be detrimental: it encourages people to aim for the maximum level allowed, even though logic might dictate taking a different view. For example, a bank might have a written policy that only a maximum of five percent of all loans should be made to NINJAs – people with no income, no job, and no assets. Does that mean that sales people have to hit a target of five percent, or should it be less, and if so, by how much? Furthermore, if that policy has been approved by senior management and the board, should employees challenge it?
“It is very easy to misinterpret risk appetite and acceptable levels of risk. It happens in projects all the time,” says Leitch. “When senior management signs off a project, those in charge of implementing the work sometimes ignore the threat of certain risks, believing that they have been accepted by management as part of the project. But this is not the case: management has approved the plan based on perceived benefits; it still wants these risks to be controlled and minimised – not ignored.”
Because of the potential confusion surrounding what constitutes “risk appetite” and how it should be managed, Leitch believes that “it’s just better to avoid the phrase altogether”.
“Many people regard the term as implying a psychological construct. It is seen as something personal, like a facet of a person’s personality or mood, rather than what is best for the organisation. Consequently, some people are inclined to see ‘risk appetite’ as something that cannot be objectively wrong. The whole area is a potential minefield,” he says.
While some regulators around the world have accepted these criticisms – the UK being one – the phrase “risk appetite” is likely to remain in use if leading markets, such as the US and Canada, retain the term. Perhaps the constant revision of financial methodology in itself is unhelpful – just as executives get their heads around one set of jargon, they have to learn another. Hopefully, though, it will not take another financial crisis and global recession before boards understand what risks their businesses face, who is responsible for dealing with them, and what a “risk” actually is.
Time for a rethink?
The financial crisis has highlighted the need to improve risk management in the financial services industry, but should banks be looking at how Chilean salmon farmers deal with viral diseases, or how firemen combat forest fires, to re-evaluate their approach to understanding and managing risk? Apparently so, says the World Economic Forum (WEF).
In its latest report, Rethinking Risk Management in Financial Services: Practices from Other Domains, produced by a cross-disciplinary team including Swiss Re, the WEF postulates that practices in other complex, high-risk domains such as aviation, fisheries and pharmaceuticals can also be valuable for the financial services industry. The report brings forward proposals on how the industry can prevent another crisis and how it can manage better if one does strike, including proposals related to governance and culture and the search for early warning signals.
For example, consider the airlines’ approach to risk management and disaster planning. Pilots train extensively on flight simulators to prepare for multiple emergency scenarios, including severe (yet infrequent) events.
Furthermore, most commercial pilots are required to log a minimum number of simulator hours every year to stay up-to-date on procedures. In some countries, pilots must be re-evaluated and re-trained on simulators every six months in order to keep their licenses.
Telecommunications providers also make detailed contingency plans for emergency situations. These plans are tailored to specific regions since the probability of various threats – especially those related to weather – differs by geography. There are also generic contingency plans that providers put in place. For example, if the central control room shuts down, mobile trucks with operating equipment can be used to avoid network failure.
During the course of the recent financial crisis, a series of financial institutions faced bankruptcy. But the WEF points out that “in each case the response of regulators and the government differed: some were bailed out while others were propelled into shotgun marriages”. In September 2008 it was Lehman Brothers’ turn. The Federal Reserve Bank of New York called in prominent financial CEOs to figure out a plan. However, the government declined to rescue the firm, and potential suitors backed away. Lehman Brothers had to declare bankruptcy, the largest in US history.
When the markets opened the following Monday, trust had disappeared and trading froze. This took market participants and regulators by surprise and almost led to the collapse of the global financial system. Reflecting on this “near miss”, the WEF says that the financial services industry could benefit from better preparation for severe events and systemic crises, using detailed contingency plans based on associated simulations. The WEF also says that it is important that institutions and regulators across jurisdictions co-ordinate efforts.
Naturally, the WEF’s suggestions are merely recommendations and have no binding force, so it remains to be seen how many – if any – financial institutions take note. But the point of learning from other industry sectors – rather than focussing exclusively on your own – may just prove to be a useful way forward.
Changes to corporate governance and risk worldwide
The global financial crisis is forcing all countries to review how boards view and determine what risks are acceptable, and what further disclosures should be made to inform regulators and shareholders.
Though the financial crisis may have been caused by the collapse of the sub-prime mortgage market in the US, regulators all over the world are now forcing directors to take a keener interest in risk management – especially when boards are legally liable for corporate failings.
In May Canada’s financial regulator warned that board directors at Canada’s financial services companies need to get a better grip on risk management. “The old excuses—the risk is too complicated, I don’t want to second guess, I don’t have enough time—just aren’t good enough anymore,” said Ted Price, an Assistant Superintendent at the Office of the Superintendent of Financial Institutions (OSFI). “Boards need to be risk literate. Directors need a clearer understanding of the types of risks facing the institution, and the techniques used to measure and manage those risks,” he added.
The OSFI has launched a corporate governance review, which Price said would look at risk governance practices across the country’s largest banks and life insurance companies. He added: “A major area of focus will be risk appetite—how it is defined, measured, monitored, controlled, and reported. How does risk appetite link into an institution’s strategic and capital planning processes?”
Price said financial companies should consider the risk-related skills they need at board director level. He also encouraged them to create standalone risk committees that include “independent members who have extensive experience in the financial business and risk management.”
India has attempted to improve investor sentiment by beefing up its corporate governance regime. Indian companies will have to raise their boardroom practices to comply with a new corporate governance code aimed at reforming corporate India after the Satyam scandal, a massive fraud involving one of the country’s largest IT companies. The new voluntary code, produced by the Ministry of Corporate Affairs last December, tells listed companies to separate the role of chairman and CEO, change their external auditor every five years, and conduct an annual review of internal control effectiveness. The code also cuts the number of directorships one person can hold from 15 to 7.
At the end of February Japan’s financial services regulator, the Financial Services Agency (FSA), announced that listed companies will have to disclose more information about their corporate governance practices and how much they pay directors. The new disclosures, which came into effect at the end of March, require companies to reveal the names of any directors earning more than Y100 million ($1m) and give a breakdown showing salary, bonus, stock options, and pension payments. Companies will also have to disclose the roles of their independent directors, whether they have any financial or accounting expertise, and the details of their relationship with the company’s internal audit function.
Meanwhile, the Saudi Capital Market Authority (CMA) has cracked down on insider trading, non-disclosure and other violations. The Saudi authorities say they are eager to promote “best practice” funds in the market. In April the National Investor, an Abu Dhabi-based investment company, launched a fund that it says is the first European Union-compliant vehicle to focus on the Middle East and North Africa region. Registered in Dublin, the fund is the first in the region to obtain a “Ucits” licence (which stands for “undertakings for collective investments in transferable securities”), a Europe-wide initiative designed to guarantee the quality of a fund’s governance. Such a licence will allow the fund to be marketed to institutional and retail clients in the EU, a market inaccessible to most offshore funds. However, investors are still wary of weak corporate governance and the speculative trading of retail investors, particularly as the Saudi market is 90 percent dominated by individuals.