Improving risk management: process and culture.In its January proposal on enhancements to the Basel II framework, the Basel Committee clearly stated that bank boards of directors and managements must address the flaws in risk-management practices revealed by the financial crisis. Improving firm-wide governance will be necessary to satisfy regulatory supervision. The committee asked boards and managements to ensure that risk-management frameworks establish limits consistent with defined risk appetite. In other words, make sure the risk taken is equivalent to the risk intended. Boards and managements should now ask themselves a few questions: If change is truly required, what new steps must be taken to identify and implement improvements? How will we know we're getting a comprehensive enough look? Regardless of how a board sees the veracity of its existing approach, fundamental change in how risk is managed is necessary to restore the system to good working order. A helpful first step is to ask the broader questions: Why did banks underestimate their risk and how did regulators fail to see it? Inadequate Execution The short answer is: basic practices of identifying, understanding and accepting risk were inadequately executed. Corporate governance has been called the strategic response to risk, and the changes mandated by events are not simply tactical. Risk management practices must be assimilated into strategic objectives in new and better ways. Because a corporation is more than a collection of individual activities subject to the separate interests of its components, it's important to see risk management as a pursuit of cooperative spirit, and not as a series of isolated controls. Efficient processes that boost coordination and enable leverage across risk, finance, compliance, audit and lines of business are reasonable and consistent expectations. A thorough undertaking of risk identification begins with analyzing strategic objectives, cataloging the major processes set up in their pursuit and then asking what can go wrong with each of those processes. Control activities should be designed to recognize these mutually dependent functions, and detection of strategic shortcomings should come from the integral parts--say finance or operations--before they are cited by oversight roles, like compliance or internal audit. Beyond understanding risk, capital must be assigned to it. Did banks assign exclusive economic capital to each credit default swap to determine overall capital adequacy? Perhaps they simply underestimated it. Or was there a general sense that a lot of capital was available on the balance sheet to show counterparties the strength of the organization for any number of activities? In the absence of discretely counting capital risk by risk, the tendency is not to assess its full magnitude, as was certainly the case across the banking sector. Risk appetite must be matched with capital availability. Two fundamental components must be addressed to improve risk management outcomes: 1 Process. A method of visualizing the whole and its parts to serve equally management's need for line of business control and supervision as well as the board's need for perspective to perform oversight, make strategic decisions and measure institutional progress. 2. Culture. A collective mindset of risk awareness where employees understand and agree with intended outcomes and their individual and team roles in achieving them. The desired state is a blend of essential principles of enterprise risk management and inclusive practices of employee engagement. The objective exercise of managing risk can be sustained only with a corresponding development of the more subjective elements of culture. Regulations are largely built on prescriptive expectations that are easily tested, but which omit from scrutiny broader, macro organizational constructs of risk management. Accepting that regulators should not prescribe particular approaches to managing risk, they nevertheless could compel firms to demonstrate adherence to comprehensive enterprisewide procedures. One straightforward improvement would be to insist that risk management processes be more readily observable across the company. Through strategies of literacy and engagement, a shared vision of strong corporate governance can be built that places explicit accountability for execution and disclosure where risk is taken and for understanding and acceptance with the board. Regular, continuous senior management and board reports emerge from multiple aggregations of individual business unit evaluations, providing timely assurance of adherence to tolerance limits. Periodic opinions from internal audit add reassurance that such reports can be relied upon, and the same reliance extends to regulators, who respond favorably to transparent, comprehensive risk-management programs and a well-informed board. Peter Schild (pschild@carolina.rr.com) CPA, a member of FEI's Charlotte, N.C., Chapter, is a former chief audit executive of Wachovia Corp. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion