Professional Wealth Management
Effectively managing the unimaginable
01 July, 2009

Risk management need not mean elaborate and expensive control programmes, explains Carl Hanssens, but it must start with open and honest dialogue between upper and line management

Especially since the recent financial turmoil, firms active in the capital markets are increasingly focused on risk management. Some will bolster their efforts through elaborate change programmes with catchy acronyms like GRC (governance, risk and compliance) or ERM (enterprise risk management).

Others will seek to retain or strengthen risk management practices by eliminating activities that neither add exceptional value nor produce a meaningful impact on the company’s bottom line.

While both approaches are pragmatic, there is the danger that some risk managers will add precisely what others are looking to reduce, i.e. extra layers to the risk management framework that bring minimal value. Conversely, cutting internal controls and reporting elements from a firm’s risk management framework must be done carefully.

As a starting point, capital market firms would do well to step back and take stock of the fundamentals concerning risk management. Operating in today’s cost-containment environment, company boards and executive management are looking for reassurance that all risks have been identified and that the controls to mitigate these risks are effective. Simply put, there is no room for surprises and tolerance is near zero for losses in areas that are supposed to be well controlled.

In parallel, line managers are seeking expert guidance through the web of existing and new regulatory requirements with which their internal controls and risk management practices must comply. Although the needs of upper and line management are different, both benefit from clear and well-articulated risk management goals, strategies and practices.

Control objectives

Effective risk management starts with an open and honest dialogue with the board on the risks that the enterprise faces, ideally logged within a risk register. This register lists the known inherent risks that result from the company’s specific activities. Best practice includes defining the importance of all risks, not only market or credit risks, but also operational and business risks.

The board approves a strategy to deal with these risks and issues control objectives in the form of policies with clearly defined business owners. Control objectives help executive and line management focus on managing what needs to work well instead of what could potentially go wrong.

Not only do business-owned control objectives increase management responsibility for the design of the control mechanisms, they should lead to better overall quality, because those designing the controls are also those having the process expertise and in-depth knowledge.

Business-owned control objectives also increase accountability where line management is part of the regular business-assurance process, through a yearly self-assessment process followed by official management sign-off. By empowering line management to assess and report on the effectiveness of the different internal and external control environments, executive management is able to gain a holistic view of the company’s entire business-control set-up.

This works well particularly in firms that are undergoing business process transformation programmes. This is a window of opportunity for risk management to embed its control framework and to instill risk management consciousness within the normal day-to-day responsibilities of line management. Business areas that are being transformed are required, as part of the programme, to assess control effectiveness against board-approved objectives during the (re)design phase. Key performance indicators are often used during this process.

Best practice dictates that the role of risk management be limited to the design phase of a self-assessment framework. It should facilitate the detection of inherent risks and assist in assessing the control objectives across the organisation to ensure consistency. Control needs to be a management process. Line managers need to feel that they own and can manage the control objectives in order for these objectives to be successful.

Where the control process covers the identified risks, firms should attempt to spot the up-until-now unknown risks. Currently, organisations tend to over-focus on controlling the known risks while potential hitherto unknown risks are ignored or disregarded. A classic loss distribution curve shows that control covers mainly the known risks and expected losses. But how do firms ensure that the important unknown risks are also identified, and that incident-specific risks do not transform unexpectedly into a business or strategic risk?

Most companies rely on a risk self-assessment methodology in which line managers and staff brainstorm around the potential pitfalls linked to the activity of the firm in order to detect new or unknown risks. As a bottom-up exercise, this can be very useful for line managers as control gaps and new risks for the business unit are identified proactively.

Subsequently, action plans will be initiated to mitigate the risks and eventually create or improve the controls.

Top-down self-assessments are sometimes used as a complement. However, in most cases, the benefit of top-down self-assessments is limited as they are “too process oriented” and seldom lead to a good view of the impact of threats the company or service is facing or the possible transformation of risks.


Mailing address: Financial Times Ltd, Number One Southwark Bridge, London, SE1 9HL, United Kingdom

© The Financial Times Limited 2012