What’s your appetite for risk in financial services?
Since then, regulators have focused on ensuring that banks understand the risks affecting their business and adopt risk management frameworks that accurately reflect the risk they are willing to accept. Although common ground has been found on the concepts, scope and features of an effective Governance, Risk and Compliance (GRC) framework, there is still no consensus on what "good" looks like. Regulators provide guiding principles but are unlikely to define this in detail, because the answer depends largely on each institution's business model and strategic aims; scrutiny nonetheless continues to mount. The Financial Stability Board, for example, issued its Principles for an Effective Risk Appetite Framework after finding that best practices "had not yet been widely adopted." The Basel Committee on Banking Supervision has also issued its Principles for effective risk data aggregation and risk reporting, aimed at giving the market greater stability and assurance.
What is clear is that simply adopting and setting limits, buffers and controls is not enough.
In the same way that a business strategy both identifies target returns and establishes how to achieve them, an effective GRC framework must define boundaries while outlining how these will be maintained. In effect, the framework needs to show that it has established a firm-wide approach to monitoring and preventing breaches.
Banks need principles, governance structures, systems and review mechanisms that underpin their risk management strategy and culture while aligning with their broader business strategy.
Drawing on our experience working with regulators and a range of top tier global banks, we believe financial institutions should consider the following six steps while developing their GRC framework:
Set a clear, measurable and actionable risk strategy
First, determine your risk profile (i.e., the risks you face as a result of your business activities) before setting your risk objectives and appetite (e.g., tolerances, buffers and limits). Typically, your risk profile needs to be sufficiently detailed and categorised by type of risk to enable aggregation across business lines or legal entities.
It is essential that you also determine meaningful quantitative and qualitative metrics, all of which need to be properly reflected in your risk appetite statement in a simple and clear way. All those definitions will only be of use if they can be measured accurately, monitored constantly and communicated periodically to the relevant stakeholders. You should be able to compare against those predefined parameters to provide assurance, promote understanding of your risk priorities and determine any remediation activity.
In short, your risk strategy should be defined by the overall business strategy, as well as being clear, tangible, accurate, measurable, reportable and, most importantly, actionable.
Embed your GRC frameworks within normal decision-making processes
GRC frameworks cannot be planned in isolation. Just as the business strategy depends on being adopted and executed by people in the firm, the risk strategy needs to play a role in every part of the business.
To achieve this, risk appetite must not only be communicated throughout the firm; more importantly, it must support an environment in which spotting and mitigating risks is fostered and rewarded by incentive schemes at every managerial level. The idea is that "risk and reward" based decision-making should be built into the definition of processes, activities and controls, and be welcomed and recognised throughout the business.
Adopt a common business language that the market understands
Obviously, people within a firm need to share a collective understanding of the risks facing the business, but that is only possible if they consistently use a common language. Moreover, even where there is a mutual understanding of "risk vs reward" inside the firm, is it shared by your clients, investors and the market?
A key opportunity is for both Risk and Finance departments to adopt a common language and approach to improve perceptions of the bank’s market value, growth and control.
Implement dynamic, forward-looking risk management
The whole idea of risk management is to be proactive rather than reactive. By anticipating and mitigating risk before it materialises, for example through a "regulatory radar" or "horizon scanning", a bank can enhance its ability to fulfil its business objectives.
Evidence suggests this can help a bank consistently outperform its peers. The link is twofold: on the one hand, banks can minimise losses both now and in the future; on the other, they can identify areas where additional, controlled risk can be taken. This allows the risk/reward relationship to be optimised by rebalancing the business mix.
Integrate and reflect risk planning in MI architecture and IT infrastructure programs
Through our regulatory work, we recognise that it’s increasingly important not only to eliminate data management silos, but also to direct efforts to manage these programs in an integrated manner as part of a single management information (MI) and IT change program. For GRC frameworks, it’s no different. Data quality, consistency and integrity are imperative, as are tailored reporting templates.
In addition, IT capability needs to enable risk aggregation, assessment of correlations, identification of risk concentrations and plans for the future. This needs to happen quickly and accurately, at the group level, across business lines, between legal entities and by type of risk. Because this data will feed into determining the risk profile, it must be reliable, available in a timely manner and provided in all combinations, from the most granular to the most aggregated.
Ideally, a bank should maintain and enhance a strong risk data aggregation approach to ensure the accuracy, completeness and timeliness of its risk management reports.
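The aggregation and limit monitoring described in this section (and the appetite limits and buffers set out under "Set a clear, measurable and actionable risk strategy") can be made concrete with a small script. The example below is added here for illustration and is not the article's or any bank's code: it aggregates constructed exposure records across every combination of legal entity, business line and risk type, from the group total down to the most granular cell, compares each aggregate with a hypothetical appetite statement that sets a hard limit and an early-warning buffer, and flags records that fail simple completeness and timeliness checks. All entity names, figures, dates and thresholds are invented for the example.

```python
"""Toy risk-aggregation and appetite-limit monitor.

Added illustration only; not the article's code. Entity names, amounts,
dates and appetite thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Dimensions across which risk must be aggregated. Appetite keys below must
# list dimensions in this same order, because aggregation keys are built in it.
DIMENSIONS = ("entity", "business_line", "risk_type")

# Constructed exposures (amounts in millions); as_of is when the figure was produced.
EXPOSURES = [
    {"entity": "Bank-UK", "business_line": "Trading",  "risk_type": "market",      "amount": 120.0, "as_of": date(2024, 3, 1)},
    {"entity": "Bank-UK", "business_line": "Lending",  "risk_type": "credit",      "amount": 400.0, "as_of": date(2024, 3, 1)},
    {"entity": "Bank-DE", "business_line": "Trading",  "risk_type": "market",      "amount": 150.0, "as_of": date(2024, 3, 1)},
    {"entity": "Bank-DE", "business_line": "Lending",  "risk_type": "credit",      "amount": 250.0, "as_of": date(2024, 2, 1)},  # deliberately stale
    {"entity": "Bank-DE", "business_line": "Payments", "risk_type": "operational", "amount": 30.0,  "as_of": date(2024, 3, 1)},
]

# Hypothetical appetite statement. Each key names the dimension values an
# aggregate is constrained by; () is the group-wide total. "limit" is the hard
# boundary, "buffer" the early-warning level below it.
APPETITE = {
    ():                                                {"limit": 1000.0, "buffer": 900.0},
    (("risk_type", "market"),):                        {"limit": 300.0,  "buffer": 250.0},
    (("risk_type", "credit"),):                        {"limit": 700.0,  "buffer": 680.0},
    (("entity", "Bank-DE"), ("risk_type", "market")):  {"limit": 140.0,  "buffer": 120.0},
}

REPORTING_DATE = date(2024, 3, 4)  # constructed reporting date


def validate(exposures, reporting_date, max_age_days=7):
    """Completeness and timeliness checks.

    Incomplete records are dropped (they cannot be aggregated correctly);
    stale records are kept in the numbers but reported as an issue, so the
    report still reflects all known exposure while showing it is not timely.
    Returns (records_to_aggregate, issues).
    """
    clean, issues = [], []
    required = DIMENSIONS + ("amount", "as_of")
    for i, rec in enumerate(exposures):
        missing = [f for f in required if rec.get(f) is None]
        if missing:
            issues.append((i, "incomplete", missing))
            continue
        if reporting_date - rec["as_of"] > timedelta(days=max_age_days):
            issues.append((i, "stale", rec["as_of"].isoformat()))
        clean.append(rec)
    return clean, issues


def aggregate(exposures, dims):
    """Sum amounts grouped by the given dimensions; dims=() gives the group total."""
    totals = defaultdict(float)
    for rec in exposures:
        key = tuple((d, rec[d]) for d in dims)
        totals[key] += rec["amount"]
    return dict(totals)


def all_aggregations(exposures):
    """Every combination of dimensions, from the group total to the most granular cell."""
    result = {}
    for n in range(len(DIMENSIONS) + 1):
        for dims in combinations(DIMENSIONS, n):
            result.update(aggregate(exposures, dims))
    return result


def classify(amount, limit, buffer):
    """GREEN within buffer, AMBER between buffer and limit, BREACH above limit."""
    if amount > limit:
        return "BREACH"
    if amount > buffer:
        return "AMBER"
    return "GREEN"


def monitor(exposures, appetite, reporting_date):
    """Aggregate validated exposures and rate each appetite entry."""
    clean, issues = validate(exposures, reporting_date)
    totals = all_aggregations(clean)
    report = {}
    for key, bounds in appetite.items():
        amount = totals.get(key, 0.0)
        report[key] = {"amount": amount, "status": classify(amount, bounds["limit"], bounds["buffer"])}
    return report, issues


def run_example():
    """Run the monitor on the constructed data with the constructed reporting date."""
    return monitor(EXPOSURES, APPETITE, REPORTING_DATE)


if __name__ == "__main__":
    report, issues = run_example()
    for key, row in report.items():
        label = " & ".join(f"{d}={v}" for d, v in key) or "group total"
        print(f"{row['status']:6} {row['amount']:8.1f}  {label}")
    for issue in issues:
        print("data issue:", issue)
```

On the constructed data the group total and the market book land in the amber band, the credit book stays green, and the Bank-DE market aggregate breaches its limit, while the stale February record surfaces as a data-quality issue rather than silently distorting the timeliness of the report. In a real implementation the same separation matters: limit checks and data-quality checks should be reported side by side, because an aggregate that looks green on stale or incomplete inputs provides no assurance at all.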
However, by implementing rules aimed solely at compliance, banks often make it extremely difficult for employees to do their day-to-day jobs. Inevitably, this leads employees to work around the system to do their jobs effectively — an action that can lead to a major compliance risk in its own right.
To avoid this situation, a bank needs to treat risk data aggregation as an enabler rather than a hindrance. In other words, when applying the principles of risk data aggregation, governance and accountability, banks need to take into account how people actually work, not just the by-product of that work.