In a series of questions and answers, Marina Theodotou discusses key concepts in risk management for the busy bank executive.
What is risk management?
No longer a defensive, window-dressing function buried within the Internal Audit department, risk management is at the forefront of business strategy in banking, driving significantly higher profitability and increased shareholder value while lowering costs across the organization. Today, risk management, by focusing on identifying, understanding, and monitoring all the key risks affecting the operations and strategy of an organization, lies at the foundation of sustainable growth and is a source of competitive advantage for that organization.
Why should risk management be high on your list?
In today's ever-evolving local and international financial markets, several key drivers increase the need for risk management, including profitability, losses, competition, market scrutiny, regulation, and technology. As a result of these drivers, banking strategy and implementation become more complex, with a greater need for better governance, stronger transparency, and more detailed regulation (including the Basel II Revised International Capital Framework). Running a robust and profitable bank today therefore requires agile and smart navigation of a sea of risk, which can be summarized in three broad categories: Market, Credit and Operational. Let's look at a quick definition of each risk:
- Market Risk: the risk of loss occurring due to changes in market prices or specific variables within the operating environment.
- Credit Risk: the risk of a loss occurring as a result of a customer's default on repayment.
- Operational Risk: this risk broadly includes all other risks, and per the Basel II accord definition it is: "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events."
While credit risk may be considered the largest risk for many banks, sophisticated credit risk measurement models have been developed during the past decade, helping banks estimate two key metrics: the Probability of Default (PD) and the Loss Given Default (LGD). Most banks developed these credit scoring models internally by sourcing historical data from "old loan files," gleaning the common information threads of the loan's performance and incorporating this data in the predictive models. Such modeling has served banks well, even in new businesses where data may be considered neither robust nor readily available.
Market risk typically results from changes in market prices or variables locally or globally, including changes to exchange rates, interest rates, equity prices, option implied volatilities (for derivatives), credit spreads, and commodity prices. This risk mainly impacts the balance sheet, the trading of market risk itself, as well as foreign exchange translation in offshore operations.
Operational risk is becoming increasingly important for banks and more and more complex as it hinges on several interdependent key drivers such as: globalization; economic, political, and cultural shifts; business strategy; statutory, regulatory, and contractual obligations; rapidly changing and sophisticated technology; diversification, and concentration in business operations.
Risk management within an organization means better management and information regarding all three of these risks (market, credit, and operational) based on the depth and breadth of the organization. Such information becomes a key driver in business strategy, ranging from which business to engage in, to whom to lend, how much to lend, and for how long. Robust data on these four key decisions means better business decision-making and implementation, fewer losses, and higher profitability for the bank, which would translate to happier shareholders, more empowered and accountable employees, and better-suited products for customers.
How do you strengthen risk management in your organization?
Odds are, if you are operating today, you are already in the business of managing some type of risk. The key is to go for breakthrough, which requires a methodical approach to strengthening risk management in your organization, perhaps including the following steps:
- clarifying at the senior management level the importance and need for better risk management;
- setting up a risk management team of trained professionals to identify, understand, measure, and monitor the major risks present in your organization;
- setting up the proper controls to mitigate each one of the key risks;
- training the rest of your staff;
- empowering them and holding them accountable for owning the controls to the key risks;
- communicating continuously the importance of managing these risks to the whole organization;
- setting specific, measurable, attainable, and timely goals to gauge and monitor your progress;
- building a meaningful reporting process and sustaining it;
- empowering your internal audit to review and evaluate risk management policy and processes periodically; and
- reporting to the board the success of your efforts.
Once all these steps are followed and implemented, you will probably see a risk management culture grow within your organization and risks will be understood and managed more effectively and efficiently.
When should you start managing your risk?
The quick answer is now! However, beginning the robust risk management journey requires senior management and board level commitment, funding, a capable internal or hired team of experts, a specific plan and timeline for project implementation, and follow-through to completion of the setup process.
Who should drive risk management?
Successful risk management begins at the top with the board, the chairman, the CEO, and the GM, and is communicated across the organization. Once the process is in place, as discussed earlier, risk management implies continuous monitoring of the key risks and controls by a dedicated team within the organization, headed by a chief risk officer who reports directly to the CEO. An executive risk committee is formed with representation from all business units and chaired by the chief risk officer to address, review, and monitor the main risks facing the organization, as well as evaluate the risks proposed to be undertaken with new business deals. If an organization is small and risk expertise scarce, it may make sense to implement a centralized organization where all risk decisions are made within the risk management team. This team then becomes the center of excellence on risk for the organization, fostering efficiency by avoiding duplication. On the other hand, in an organization with several unique risks, it may make better sense to embed risk managers within the business unit itself in order to strengthen the unit's ownership and accountability, and even allow the business unit to control the cost (as opposed to being billed from the center for risk management services rendered).
Caveats and cautions
Not managing your risks and not establishing appropriate controls to mitigate them is a risk in itself. It exposes your organization to many, if not all, of the key risks discussed earlier and blindsides your decision-making ability, be it strategic, day-to-day, long term, or short term. Lack of risk management is equivalent to sending your team off on a journey, let's say in the desert, alone and on foot, without any or enough water, without any or enough food, without a compass, without a plan, without a goal, without camels, supplies, assigned roles and responsibilities, ammunition, the appropriate clothing, and most of all the right morale. In one word, unprepared.
At the same time, building a robust risk management function within your organization requires time, commitment, funding, and serious investment in the right resources (people, processes, and technology) to get the job done.
The bottom line
In the omnipresent business dilemma of risk versus reward and the ever-evolving and complex financial markets, managing your risks prudently and systematically will sooner or later translate to higher sustainable profitability and increased competitiveness locally and abroad.
The writer is the Country Director of Financial Services Volunteer Corps (FSVC), a Middle East Partnership Initiative (MEPI) funded program providing technical assistance to Jordan's financial sector. Key risk management concepts discussed here were examined in depth during a September '05 seminar sponsored by the Central Bank of Jordan and FSVC for bank risk managers and regulators in Jordan by Dr. Mark Lawrence of Melbourne, Australia. For additional information please contact FSVC through this publication.
© Jordan Business Monthly 2005




















