Bank CEOs are much more likely than their peers in other industries to be putting more emphasis on risk management, particularly in the areas of allocating resources to risk-related information gathering and analysis, reassessing risk tolerance and preparing for systemic risk and low-probability, high-impact events.
Increasing regulatory pressure and the aftermath of the global financial crisis have not made the load any lighter. Despite this increased effort, PwC's survey of industry CEOs in the region and globally shows that many bank CEOs feel that they are not using the full suite of risk information available for strategic business decision making.
They also feel that there is more scope to reengineer their organisations’ strategies, systems, and processes to take advantage of the information available to the organisation for risk management purposes.
Effective risk management should focus on re-evaluation and change of risk management capabilities to make risk an explicit contributor to business decisions. Broadly, an organisation’s risk management framework should address four key areas, namely governance and strategy, risk management processes, infrastructure put in place to support these processes and the organisation’s system of values and incentives available to staff.
In this article, we will consider the governance and strategy component. Under this component, a bank would be concerned with alignment of risk management to the business model, risk management in the context of risk appetite and strategy and the balance of the relationship between risk managers and the business.
Alignment of risk management to the business model follows from the fact that risk management is pointless unless it is closely tied to an organisation’s strategic objectives. Business decisions are made with an aim of capturing certain rewards.
In turn, capturing these rewards involves some exposure to risk. Risk should therefore be managed in the context of the business strategy and hence the risk appetite.
This can be achieved through an appropriately tailored approach that addresses the unique attributes of each institution’s business model. Risk events have the potential to create deviations from planned strategies and outcomes.
However, risk managers too often have limited, or belated, input into the strategy-setting process of their institutions. Risk managers can and should play a crucial role in challenging their institution’s business model and in highlighting areas where the business model needs to change. This includes, but goes beyond, the consideration of risk in the new product approval process.
The second consideration under governance and strategy is the balance in the relationship between risk managers and the business. The risk management function often does not have formal oversight over some risk-taking business units within the company, such as the treasury function. While this oversight does not guarantee against excessive risk taking, it allows the business to move ahead in a more controlled manner.
Executive management and the board should therefore reassert that risk managers have companywide risk oversight mandates and responsibilities. In turn, risk managers should define and communicate the separate and complementary roles and responsibilities of the risk management function and business unit managers.
The need for the risk management function to be independent frequently creates distance between the function and the business. This relegates the risk manager to the role of scorekeeper, which is detrimental to effective risk management. This should not be the case.
Risk managers who are structurally independent and have the right incentive and evaluation structures can be more hands-on and proactive, yet retain objectivity. To be successful, the function cannot be seen as an extension of internal audit.
We will look at the other components of an effective risk management framework in the next few weeks.
The author is a Manager with PwC Rwanda