Rethinking Risk Management
Leveraging ERM as Part of an Effective Integrated Framework
Nicolas Kunghehian [Moody's Analytics], 18.05.2015, 08:30
This article compares the similar concepts of enterprise risk management and integrated risk management, and considers what risk practitioners can learn from an analysis of the best practices of each in order to strengthen their businesses. Integrated risk management is a topic that many quantitative analysts sought to cover decades ago. To many, it was obvious that some risks were correlated and should be monitored using an integrated framework.
After conducting research and improving their methodologies, many financial institutions started to take into account the interconnection of different risks, but this effort was not completed before the subprime crisis occurred. The crisis highlighted two different risks – credit and liquidity – that had a dramatic combined impact, which served as a catalyst for the senior management of banks to begin evaluating their risk management frameworks to adopt an enterprise risk management (ERM) approach.
Although the two concepts are similar, enterprise risk management focuses more on the framework than the methodology, helping monitor risks and anticipate what can go wrong. In that sense, it is beneficial to integrated risk management. There is one risk, however, that banks continue to overlook – the risk of focusing on the framework rather than the risk itself.
Enterprise risk management as a new set of tools
Building a technical framework is one of the first steps when starting a successful enterprise risk management project. Ideally, IT systems should be accessible by all and provide consistent levels of information. Although banks do not need all the available analytical dimensions to analyze each type of risk, it is important they consider new methodologies or reports that may require other dimensions. For example, the Basel framework or European Banking Authority (EBA) reports will require more and more dimensions for their new templates. Some banks discovered too late that the way they aggregated data in their systems was not granular enough to produce consistent regulatory reports, forcing them to correct and manually manipulate the data. The number of regulations will certainly increase over the next few years, leading to more regulatory reports – and will only boost the return on investment of a good framework.
"Given the central role of effective, firm-wide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk management practices… We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk." [1]
After the recent crisis, no CEO wanted to be in charge unless they had a clear view of their institution’s situation. This requirement necessitated an automated solution in which people could collaborate on providing the most accurate view of their bank. Moreover, the Bank for International Settlements (BIS) committee added rules (i.e., BCBS 239) that forced banks to generate more granular data to better assess their risks, heightening the pressure already coming from their senior management and supervisors. According to BIS, the final objective should then be to have an integrated risk management framework where many risks can be jointly simulated by different levels of granularity (i.e., using both top-down and bottom-up approaches).
Transcend information silos
One benefit of an enterprise risk management framework is that it gives people access to information that was previously only readily available to other teams. For instance, ALM teams will gain ready access to probability of default (PD) and loss given default (LGD) data or risk-weighted assets (RWAs) data from risk departments. This information is necessary for many purposes, including liquidity reporting. Similarly, risk departments will have ready access to the P&L for each transaction and will be able to analyze not only the risk, but also the return on each portfolio in real-time, better informing pricing and new business decisions. Furthermore, when teams have the opportunity to learn more about the models and outputs of other teams, it enables a new mindset – one that, for example, encourages analysis of related information that leads to the building of more relevant reports.
"The financial crisis has underscored how insufficient attention to fundamental corporate governance concepts can have devastating effects on an institution and its continued viability. It is clear that many banks did not fully implement these fundamental concepts. The obvious lesson is that banks need to improve their corporate governance practices and supervisors must ensure that sound corporate governance principles are thoroughly and consistently implemented." [2]
The quote by Danièle Nouy highlights that a technical framework is simply not enough – governance is key. Banks must remove silos between departments for a proper enterprise risk management framework to work. Unfortunately, many banks think that a standardized database is sufficient, as they often forget that a cultural change needs to be made, too.
The risk of too much information
"Risk comes from not knowing what you’re doing."
As data is available to everyone, many believe that all monitored risks are consistent. In reality, people work with different assumptions and backgrounds, and consequently, different methodologies. Each team could perform integrated risk management with a robust methodology without owning a single technical platform. This platform is nice to have but is not mandatory for comprehensive integrated risk management. As models can be accessed by anyone, risk managers often think that it is better to use advanced methodologies or complex simulations. They forget, however, why they are performing these calculations, which increases the risk instead of mitigating it.
Figure 1 Enterprise risk management: different levels of granularity [Source: Moody's Analytics]
Moreover, even if ERM seems to be powerful, robust risk management can be performed on a small sub-portfolio within the bank and may sometimes be more efficient than only looking at the global picture. ERM is not only about the global picture, but also about breaking down the risks at each level of the organization. For example, in a group consisting of a small investment bank and a large retail bank, the risks taken by the investment bank can be considered less substantial within the group. The retail subsidiary will work extensively with the investment bank, transferring positive income into it and decreasing the investment bank’s relative risk. This transfer does not make the small subsidiary (i.e., the investment bank in our example) less risky, but is merely seen as a relatively small risk for the group. The reality is that this investment bank could be unprofitable without anyone noticing it until a big crisis revealed the truth. Good practices would require a dedicated risk management team for this small entity – and not only for a large ERM platform.
Enterprise risk management must not be seen as the final objective, at least not if banks consider it an IT project only. ERM also involves people and processes, especially if banks want to achieve effective integrated risk management. They need to keep in mind that new types of risks will arise. A rigid framework could prevent risk managers from focusing on the main risks and instead lead them to perform the same analysis on risks that are no longer relevant.
"It is not the strongest or the most intelligent who will survive, but those who can best manage change."
A cultural transformation to improve the chances of success
It is clear now that ERM is a process that can be applied by everyone at every level of a bank to set its strategy. It is designed to identify the potential risks in different subsidiaries and teams across a global company. One primary objective is to set a risk appetite where all the risks are correlated because, as recently witnessed, risk management has failed when done in silos.
Figure 2 Example of integrated risk management for a single portfolio [Source: Moody's Analytics]
The recent crisis could be seen as an excellent opportunity to implement an ERM platform, which is now required by most of the regulators and senior managers in banks. The fact that each crisis came from a different risk driver will force risk managers to keep changing their methodologies and metrics. However, banks must keep in mind that a cultural change is needed if they want to leverage ERM as part of an effective integrated risk management framework.
Nicolas Kunghehian, Director, Business Development, Moody's Analytics. Nicolas provides insight on ALM, liquidity, and market risks to help financial institutions define a sound risk management framework.
[1] Ben S. Bernanke, Risk Management in Financial Institutions, Federal Reserve Bank of Chicago's Annual Conference on Bank Structure and Competition, May 2008.
[2] Danièle Nouy, Chair of the Corporate Governance Task Force and Secretary General of the French banking commission, commenting on The Basel Committee on Banking Supervision’s Principles for enhancing corporate governance, March 2010.
[Source: Published in Moody's Analytics Risk Perspectives: Integrated Risk Management - Volume IV | November 2014, www.moodysanalytics.com]