The industry is beginning to see a risk-based culture, defined by even greater levels of risk awareness and responsiveness, emerging in organisations across the globe. A risk-based culture implies neither risk aversion nor unwise risk-taking. Rather, it means a balanced approach that strives for an integrated understanding of risk and approach to risk management. It cultivates risk responsiveness at all organisational levels, values and demands transparency, and evokes behaviour aligned with sound business growth. Treasury practitioners who are participating in this cultural shift could be labeled the ‘R-generation’, representing a business and financial manager who embraces a more balanced approach to managing risk.
To balance risk, the R-generation manager:
- Develops a risk-literate culture that institutionalises vigilance.
- Maintains a dedicated risk management group that helps with a governance framework and focuses holistically on risk identification, response and remediation.
- Assigns ownership for risk to the lines of business (LOBs), yet fosters accountability across the entire enterprise.
- Uses cross-functional forums, led by senior business and functional managers, to review and address risks, discuss and debate issues, and develop consensus-based decisions.
- Aligns risk responses with risk appetite.
- Prioritises organisational focus on material risks.
- Establishes standards to make it easier to identify what is not standard.
- Creates approval protocols to identify additional/increased risks inherent in nonstandard procedures.
- Automates controls where feasible to reduce errors.
- Integrates issues escalation into business-as-usual (BAU) processes, developing escalation methods that enable rapid response.
- Investigates and remediates the root causes of risk-related events.
- Actively manages against complacency.
Deliberate and rational risk-taking is necessary to the business growth that fuels financial performance. But any risk is, well, risky and can thus produce a number of unpredictable outcomes. The dilemma in managing risk is really this: how can we effectively manage the unknown?
An Integrated Approach: Bridging Tangible and Intangible Risks
Organisations often categorise risks to distinguish among threats. Common risk types include, but are not limited to, operational, business continuity, market, country, legal/regulatory, counterparty and reputational. Regardless of category, all risks are either tangible (i.e. concrete and discernable) or intangible. Usually, the better an organisation manages tangible risks, the more prepared it is to respond to intangible risks.
An integrated approach to risk management builds disciplines to identify and assess tangible risks and choose a course of action – or risk responses – aligned with risk appetite. For intangible risks – unknown and unpredictable – there is a system of rapid response to take corrective action and limit exposure. Integrated risk management is an introspective and iterative process that blends the quantitative and qualitative with a cross-functional cultural discipline.
The result is an institutionalised vigilance, or heightened organisational risk awareness, that supports responsiveness to unexpected risk events. A nuanced difference exists between reactivity and responsiveness. Reactivity implies lack of forethought and planning, while responsiveness is the ability to act strategically to unfolding events. R-generation managers have moved their organisations from a reactive, firefighting stance to an institutionalised, strategic position aligned with business growth and other objectives.
Integrated Risk Management: Foundational Elements
Foundational elements of an integrated risk management discipline can include:
- A strong risk governance structure.
- Risk identification through self-assessment and reporting.
- Risk response through controls and rapid escalation of issues and threats.
- Risk remediation (i.e. self-correction) through an iterative inspection process.
Governance structure is essential to building a risk-literate culture and enterprise-wide approach to risk management. The right structure facilitates transparency, LOB ownership of risk, individual accountability at all organisational levels and an effective, efficient response to the unexpected. Senior management commitment is the foundation of a successful governance structure.
Self-assessment is key to risk identification and a comprehensive view of risk. The process facilitates transparency and helps prioritise issues with potential material impact. It involves regular review of relationships, products, processes, procedures and controls. By leveraging an enterprise-wide self-assessment tool, each business can rate the effectiveness of – and compliance with – controls, determine whether risks are reasonable to assume and evaluate the need for action plans to address issues and control gaps. Risk self assessment includes:
- Identify your top three to five risks (for each LOB).
- Quantify risk exposures to the extent possible.
- Review current responses – including controls – for each risk.
- Assess whether risk controls are adequately matched to exposure.
- Present findings and recommendations to risk committees and have committees decide by consensus whether to:
- Accept risk as a necessary part of BAU or divest.
- Maintain current controls or require additional ones.
- Assign accountability for action items.
- Report regularly to risk committees on new issues.
Controls combined with escalation methods enable rapid response to risk events.
Introspection is a proactive, iterative process of reducing risk exposures by learning from past events. The process enables continual refinement of risk policies, procedures and controls based on post-event investigation and root-cause analysis.
Risk Management Developments in Treasury Management
The recent financial crisis and continued market volatility have tested treasury management risk policies, procedures and controls. Beyond remediation related to individual risk events, organisations should step back to think strategically about how to increase their adaptability and better manage risk in a dynamic financial environment. The question is how to shift from a firefighting mode to a strategic review of risk management disciplines and programmes.
Working capital optimisation increasingly includes risk management, since risk is inherent in the business activities that generate cash conversion. Organisations are extending risk management to the key relationships that drive working capital (e.g. payables, receivables, inventory) and, therefore, pose financial risk. As part of a diversification strategy to manage risk, some organisations are moving towards a correspondent banking model for buying working capital solutions (e.g. cash and liquidity management services).
To respond to this change in corporate buying behaviour, some banks are adopting a corporate supply chain model for delivering working capital solutions. The formation of bilateral strategic bank partnerships is an important evolutionary step.
Convergence of Risk and Working Capital Disciplines
Related financial flows are the foundation of all business activities and relationships. Just as an asset conversion cycle encompasses the flow of a company’s physical assets at various stages of transformation, a cash conversion cycle includes a company’s liquid financial assets in support of asset conversion and other activities. Ultimately, all components of working capital (e.g. receivables, payables, inventory, cash and marketable securities, and short-term debt) are representations of cash at various stages of conversion.
Risk-weighted assets traditionally refer to a bank’s assets weighted by credit (i.e. default) risk. Now corporate treasurers, in safeguarding cash, must be able to measure and manage the risk weighting of financial assets in strengthening financial performance.
Counterparty risk remains a major concern. A holistic approach extends risk assessment and response to key relationships that drive working capital, which include trading partners. The same rigorous due diligence process that companies use to establish banking relationships must apply to clients, vendors and other counterparties.
Diversification is one way to address counterparty risk. The use of correspondent bank networks – supported by SWIFT as a bank-neutral telecommunications network – has enabled banks to diversify their payment flows in any given currency. The emergence of SWIFT as a standard interface for corporate connectivity to banks, combined with the new global XML-based financial messaging standard brings interoperability between corporations and their banks within reach.
Interoperability will drive a different buying behaviour by enabling companies to easily switch between banks and pave the way for turning to these banks for local currency payments and other operating services. Early corporate adopters of SWIFT are beginning to establish banking networks for making payments. This builds flexibility into a company’s technology and operations structures in support of diversification.
Hedging strategies – for foreign exchange (FX), commodities, securities trading and other activities – remains a key concern. A strategic stance must consider ways to decrease the impact of continued volatility on earnings stability and to give a company time to change its prices and/or cost base in response to market fluctuations.
A Call to Action
Uncertain times call for tangible steps to strengthen risk management as a discipline. Companies and financial institutions are sifting through recent events to discern and apply lessons learned.
A new level of risk awareness, led by the R-generation, is driving changes in how we manage risk. In the treasury management domain, it is impacting the way companies interact with their banking providers and the way financial institutions deliver operating services to their clients. One step back from a firefighting mode can support two steps forward in strategic risk management.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.