After the dust began to settle, the Risk and Insurance Management Society’s (RIMS) Enterprise Risk Management Committee studied the financial crisis and determined that risk management alone was not at fault. The Society’s research showed that the financial crisis resulted from a system-wide failure to embrace appropriate enterprise risk management (ERM) behaviours—or attributes—by other business areas within these distressed organisations.
Additionally, RIMS’ study found that employees at many financial institutions were rewarded immediately for high-risk activities without ever having to consider the long-term consequences – mitigation protocols for those activities did not even exist in many cases.
Finally, RIMS saw a failure to use ERM to inform management’s decision-making for both risk-taking and risk-avoiding decisions.
So, while the economic crisis might not have been the “beginning” of ERM, the losses, the damages and the demise of powerful institutions served as a wake-up call to board directors around the world that risk management was not just a department that should be part of the organisation’s structure, but a function crucial to its existence. Moreover, risks across the enterprise should be considered before important decisions are made.
A re-discovered sense of urgency regarding risk management has led many organisations to enhance their risk programs by incorporating ERM practices. RIMS and Marsh’s Excellence in Risk Management IX Report revealed that 87 percent of the companies surveyed with annual revenues above $1 billion say expectations of the risk management department have increased. Fifty percent said they expect risk management to lead ERM activities.
The board or senior leadership expect more from their risk practitioners, and, as a result, the role of the risk professional has shifted from one that solely focused on insurance and protecting the organisation, to one that is asked to identify situations in which risk can become a competitive advantage.
Regulation has also affected leadership’s desire to enhance risk capabilities. The final version of the US Dodd-Frank Act enforces stricter regulations on financial institutions, requiring some to form risk committees, while Standard & Poor’s bases its financial ratings in part on the quality and effectiveness of a company’s ERM program.
Risk management and ERM are often used interchangeably, especially in the financial sector, but there is a distinct difference between the two. While risk management might have a business area focused on opportunities and exposures, the practice of ERM connects departments. With each business area having a better understanding of the risks that might impact other areas of the organisation, each department is able to make more informed and strategic decisions.
There are many different types of ERM standards, guidelines and frameworks. Although every organisation’s ERM program will differ, the RIMS Risk Maturity Model (RMM) deconstructs a firm’s overall ERM maturity into seven key attributes:
- Adoption of an ERM-based approach – How supportive are the firm’s executives and do they promote a corporate culture that is conducive to risk management cooperation?
- ERM process management – Is there a model or a plan to integrate risk management practices throughout the organisation?
- Risk appetite management – How prepared are executives to assess and make decisions regarding risk-reward trade-offs?
- Root cause discipline – Is there structure or guidelines in place to help business leaders link outcomes to the source, regardless of whether those outcomes are negative or positive?
- Uncovering risks – How adept is the organisation at analysing and documenting risks and opportunities to uncover dependencies, including emerging and dynamic risks?
- Performance management – How well does the organisation execute on vision, mission and strategy and are risk metrics included in strategy and planning activities?
- Business resiliency and sustainability – Is the organisation prepared to recover quickly from setbacks or, without hesitation, leverage new opportunities?
For both organisations that have established programs and those that are in the beginning stages, the RMM provides a benchmark to reassure risk professionals that they are maintaining strong ERM practices or that they are on the right track to further build their programs.
Measuring these key attributes can help risk professionals maintain and continue to develop their risk program, but the governance of the organisation, in particular where the risk management function reports, will determine the fate and the influence of the ERM program.
Why Governance Matters
Looking back on the 2008 financial crisis, in many circumstances, risk management did present “warnings” that were either ignored or reported to the wrong business leader. This communication gap illustrated an ERM governance failure. The failed connection between the risk management function and the person responsible for monitoring the adherence to risk management principles, including risk tolerance limits, further proved governance’s critical importance to the effectiveness of risk management.
The individual or department responsible for overseeing risk management initiatives can influence the process. For example, if risk management reports to the chief financial officer (CFO) or the treasury department, there can be a heavy concentration on financial risks. If the department reports to the general counsel, then heavy emphasis could be placed on liability and regulatory issues. Considerable thought should be put into the reporting structure and process so that potential influencing factors are identified.
In the 2014 RIMS and Marsh Excellence in Risk Management XI report, 39% of C-Suite members surveyed agreed that the treasury department or the CFO should hold primary responsibility for executing the risk management approach and strategy. “Risk executive” came in second on the list.
Treasury in the Lead
There are many functions of a risk management program that align with the other capabilities and responsibilities generally held by the treasury, namely compliance matters and the allocation of funds. Treasury sits in a prime position to assure that the organisation’s financial dealings are transparent and that the organisation is adhering to government mandates, which is especially important given the regulatory impact of the 2008 economic crisis.
Additionally, with a fundamental component of an ERM program being the organisation’s willingness to embrace a risk-aware culture, treasury has the ability to enforce risk management protocols when determining the allocation of funds for new resources and initiatives. In many organisations, treasury has the authority and opportunity to mandate certain measures before business area leaders can secure additional funding.
While the treasury department can, in itself, impact the daily operations of an organisation, the C-Suite must be focused on the long-term goals of the organisation. In this position as risk management leaders, CFOs and chief risk officers will play a critical role in communicating the findings of their risk committees to senior leadership. They will also be responsible for escalating risks that can either damage or benefit the future of the organisation through the appropriate channels.
Working with RIMS, Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of University of Edinburgh Business School published an executive report titled “Testing Value Creation Through ERM Maturity” that looked at the value of investing in an ERM program. Based on their research, they were able to conclude that organisations exhibiting mature risk management practices realise an increased valuation premium of 25%.
Tangible cost savings linked to ERM not only reinforce the important role treasury departments can play in the organisation’s risk management function but, perhaps more importantly, underline the need for organisations to invest in, and take the appropriate governance and operational measures to strengthen, their ERM capabilities.