06 May To Define our Company Strategy we Must First Understand Risk Management and Risk Governance
The members of the board of directors are accountable to the company’s shareholders for their actions in carrying out their stewardship function. Therefore, a mechanism is needed to ensure that companies are run in the best long-term interests of their shareholders.
Within an organisation there are both tactical and strategic risk-takers. The strategic risk-takers – chief executive officer (CEO), directors and senior managers – formulate a strategy for the firm that requires certain risks to be taken, and others expressly to be avoided. They communicate the strategy to the traders, asset managers and research analysts, whose job it is to manage the tactical risks involved in implementing it. For this communication process to function properly, and to enable the strategic risk-takers to monitor the subsequent progress in the strategy’s implementation, there needs to be a set of robust processes for:
- ensuring that the firm is properly governed to formulate and implement the strategy
- implementing a coherent firm-wide risk framework to enable oversight of the strategic and tactical risks that will enable the anticipated returns to be generated and unnecessary losses or impairment of the company’s value to be minimised.
Having gained an understanding of the broad spectrum of risks to which financial services firms are potentially exposed, and the underlying drivers of each type, a firm needs to address the various ways in which the actual risks it faces can be managed.
A ‘risk register’ of risk types (eg, operational) and specific risks (eg, failure of the customer relationship management system) is compiled and used by firms so that the risks and the associated mitigating actions and controls can be understood, owned and monitored.
The firm then needs to decide how much risk it is willing to take, a concept known as risk appetite, and make sure that this appetite is not exceeded, through the use of formal controls and high-quality risk reporting.
In addition to controls and risk reporting, the so-called risk culture of the firm also plays a key role in enabling the risk appetite set by the board to be understood and adhered to at all levels of the organisation.
The board’s risk responsibilities typically cover the following areas:
- Determining the company’s approach to risk, including setting or approving its risk appetite;
- Setting and instilling the right risk culture throughout the organisation;
- Monitoring the company’s exposure to risk and the key risks that could undermine its strategy, reputation or long-term viability;
- Identifying the risks inherent in the company’s business model and strategy;
- Overseeing the effectiveness of management’s mitigation processes and controls, and;
- Ensuring the company has effective crisis management processes.
At most banks and financial services firms, the board delegates the management of risk to a risk committee. This is obligatory for larger firms, but smaller firms have also chosen to do the same. The risk committee would be responsible for the following:
- Ratifying the key policies and associated procedures of the firm’s risk management activities;
- Monitoring the effectiveness of these key policies; and
- Translating the approved risk appetite of the firm into a set of limits that flow down through the firm’s executive officers, business divisions and subcommittees.
Compliance and risk management are not the same. Compliance focuses primarily on ensuring that all laws, regulations and internal rules are followed. Risk management focuses on ensuring that risks are understood, and that proactive decisions are made about which risks to take, and which to manage or avoid.
To assure a strategic focus on risk management at a high level, firms should assign specific senior responsibility for all risk management across the entire organisation. In most cases this would be to “a head of risk” or “chief risk officer”. This person should be independent of line management and have sufficient influence to have a meaningful impact on decisions.
Risk managers enable strategic risk-takers to communicate ‘downwards’ through appropriate policies, procedures and risk limits. Risk managers also enable tactical risk-takers to communicate ‘upwards’ by preparing risk reports that describe the risks they are taking. A risk manager needs to measure and report risk within a robust risk governance structure. It is the job of the traders, fund managers and other front-office staff to decide what sort of risks to take.
However, there are various organisational challenges to implementing a risk governance structure with the ‘right’ policies and procedures:
- establishing and maintaining the appropriate authority and autonomy of risk managers
- keeping a clear segregation of duties between risk-taking staff and risk managers
- relationship of risk managers to the business.
Internal and External Audit
Internal audit plays an important role in the risk control framework. It provides an independent, internal assessment of the effectiveness of the firm’s processes, controls and procedures. It also independently assesses the effectiveness of the risk management process. Internal audit assesses whether the firm’s processes and procedures are adequately controlled, up-to-date and performed in accordance with manuals and documentation. Internal audit also acts as a ‘dry run’ for external audits and regulatory examiners.
External auditors are required to audit the annual accounts and report to the members of the company whether, in their opinion, the annual accounts: Have been prepared in accordance with the Companies Act and Give a ‘true and fair view’. External auditors produce specialised reports for the board and external clients, which give assurance that the firm’s control environment works as designed.
Risk Governance Implementation
Setting up the risk governance structure is not a one-off exercise. Corporate changes, whether planned or unplanned, must take the current governance structure into account, and also (in the case of planned changes) any upgrading that might be required as a result of the change. Such planned changes could include acquiring a firm and merging it with the existing business. Careful thought needs to be given to how its existing governance structure will be merged with the acquiring firm’s governance structure – and how any gaps or overlaps will be managed. To be prepared for unplanned changes, such as senior managers leaving the firm, succession plans must exist for each member of the firm’s key committees. A succession plan might reveal that in fact certain roles have no obvious successor. This will give the firm an opportunity to nominate and prepare a member of staff to be the successor or, in the case of NEDs, to develop relationships with future potential candidates