The Road to Positive Risk Management
If the financial crisis has taught us one thing, it is that an unknown risk is an unmanaged risk. And far too many risks were simply off organizations’ radar. Regulatory focus is also increasingly on operational risk and enterprise risk. Many supervisors say these are the biggest risk category firms in general are now facing, and for regulated businesses, frameworks such as Solvency II and Basel III are heightening the importance of a structured approach.
Boards and the C-suite are realising the value that operational risk measurement and management, as well as enterprise risk management, offers as they seek to fulfil their businesses’ strategic goals.
To support this intelligent system support is needed enabling organizations to establish a framework for operational risk or enterprise risk based on their actual risk appetite which does not only include the known knowns. Risk managers need to be enabled to analyse any captured risk related information, thus the corporate risk intelligence, through the lenses of their organization’s various structures and reporting lines, so that both the cause and effect of ‘a risk’ can be fully understood. Reporting – whether it is on-screen, ad-hoc, or in a formal format – helps risk executives communicate their organization’s risk position to the business, senior management and the board. Such a pro-active risk management approach will empower executives to actively manage risks across the business, track the tasks others are expected to perform and report status to key stakeholders. The information contained within a central risk intelligence database can be linked to key deliverables in an organization’s risk appetite framework, enabling a holistic approach to measuring and managing risk.
All this should be driven by the philosophy and conviction that any risk, whether a known known, a known unknown or even an unknown unknown should be identified and dealt with before it materializes. Given early recognition, specific management actions, tasks, controls can be defined to mitigate, reduce or eliminate risk while it enables corporations to profitably utilise any opportunity normally accompanied by these risks. This pro-active yet positive risk management approach will fundamentally change the management process.
This illustrates the importance of an enterprise wide surveillance and early-warning for any type of the identified key risks of the corporation. Internal subject matter experts can define the needed measures that would indicate the effectiveness of the controls addressing these risks. Management must act when these parameters are exceeded. The purpose of determining which key risks are monitored is to:
- provide the basis for establishing an early warning system that would enable management to respond to adverse conditions
- assess if key risks identified in the process are being contained in relation to predetermined limits/thresholds.
Since risks exist in various forms in different areas of an organization and because the information related to risk is often subjective, incomplete, incorrect or simply not reliable, intelligent soft computing methodologies like fuzzy logic have proven to be best suited to cope with such input values.
By utilizing soft computing methodologies (e.g. like fuzzy logic, rule based aggregation, linear aggregation, etc.) It is possible to create a logical aggregation of all indicators available for identified risks independent whether they are quantitative yet precisely measureable or qualitative. The visualization of this aggregated time series analysis allows a constant monitoring / surveillance of the pre-identified potential risks expressed in one easy to understand rating value.
As the soft computing methodology based aggregation logic is completely transparent, a seamless drill-up and down reporting allows the complete analysis investigation from the final rating value down to the actual cause/source of an identified change in the rating value.
While the definition of potential indicators is rather easy to handle, as practical experience shows subject matter experts know them quite well when asked about the potential risk identified, the identification of potential and yet emerging risk remains challenging. To identify the “known unknown” and the “unknown unknown” requires the utilization of creative methods for Identifying and Assessing Corporate Risks. Risk capturing or collection methods are only useful to identify and Asses existing or obvious Risks thus the known and known unknown risks. These methods include:
- Risk-Identifications-Matrix (RIM)
Typical methods for analytical methods are:
|Assessment questionnaires||Morphological methods, for exploring all the possible solutions/outcomes to a multi-dimensional, non-quantified complex environment||Default / Impact Analysis||Tree Analysis|
Typical creativity methods are:
- Delphi-Method, is a structured communication technique, used by a group of experts focusing on the identification of forecasts (e.g. to identify potential risks for a corporation due to its defined strategy)
- Synectics, to approach creativity and problem-solving in a rational way
- System Dynamics etc.
Which of the above is the most suitable and fruitful each company has to decide individually. Normally a combination of several methods within this gimmickry leads to the best results.
When taking this road it is important to not only focus on the potential risks a corporation might face due to its strategy and corporate activity. Risk management should always be seen in combination with its linked opportunities as the graph below illustrates.
As the philosophy behind this core concept is quite simple it is remarkable that corporations tend to see risk management as a rather unpleasant activity. When knowing all risks linked to business opportunities the corporate strategy focuses on, a suitable and automated control and mitigation process is enabled allowing to pursuit these opportunities with rapt attention.
This fact actually highlights the dilemma of the Operational Risk practice and the existing regulation practice in general. The Basel II definition for operational risk for example reads as follows:
“Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”
This definition illustrates quite strikingly while any regulation around Operational Risk must fail to support any practical and pro-active risk management thus to avoid crises like the 2008 financial crises or others. By explicitly excluding strategic and reputational risks the main drivers behind emerging risks for corporations are excluded from the focus. The graph below is based on a research by Mercer Management Consulting utilising the Compustat database a division of S&P to identify the core drivers behind corporate risks causing significant losses. As the research indicated strategic risks are clearly the main drivers of corporate risks leading to significant losses for the corporations. As the research also exemplified, that over two thirds of the encountered losses could have been avoided or their impact actually reduced, if corporations would have had a respective monitoring, control and mitigation framework for emerging risks in place.
The existing regulation culture did lead to the quite common behaviour within regulated markets of check box ticking risk management. Which itself cannot provide or build a risk culture needed for pro-active risk management. When following such a narrowed risk management view often accompanied by a siloed risk strategy, a pro-active, firm wide and forward looking risk management is completely prohibited. By the end of 2008 it was already clear to everyone that this historic approach to regulatory design had failed to provide any early warning of an oncoming liquidity crisis. This failure was the result of a conceptual failure in regulatory design, which tended to rate efficacy with reference to retrospective financial accounting or check box ticking. The old regulatory regime did not address the factor which many now regard as critical: aggressive risk-taking behaviour, as evidenced by the routine overselling of complex products to naive customers.
“Five years after the UK’s most prized industry brought the economy to its knees and ushered in a decade of public austerity and squeezed living standards, a parliamentary commission has reported on the sorry state of the standards and culture that prevailed in British banks.”
(Financial Times, London, June 19th 2013)
The enormous loss of trust in banks yet the complete financial service industry is on a historic scale, as confirmed in the statement above. The dramatic fall in public confidence has already been used as political justification for creating a new UK national regulator, the FCA (Financial Conduct Authority), which opened on 1st April 2013. The Australian Securities and Investments Commission (ASIC) and the U.S. Securities and Exchange Commission (SEC) have made it their mission to put public trust and consumer / investor protection as the foundation of their work; i.e. characterized by transparency and integrity. The heart of all these initiative is to drive a balance between promoting a culture of “doing the right thing for the customer” and at the same time “maintaining the integrity of the markets” in which firms operate. We’re going back to the basics of morality!
As the CEO of the FCA Martin Wheatley pointed out in the FCA Risk Outlook 2013:
“People need a financial industry they can trust – success for the FCA (Financial Conduct Authority) will be when both consumers and firms rebuild that bond of trust”