The recent spate of scandals affecting the banks yet again calls into question the effectiveness of risk functions. In recent years, a whole new risk infrastructure has been established to demonstrate that firms have a better handle on risk. Why so? – “because the regulator says so” is the meek response.
The sceptics (often in the front office) will chant – “Recruiting expensive teams of so-called risk professionals has been a waste of money – it’s just added to the cost base simply to tick a box.”
This is not another banker – bashing serenade but more a plea for back to basic risk management to make the risk function more effective. How can the banks recapture public confidence that they really do know about the risk they run?
The purpose of a “Chief Risk Officer” (CRO) seems to have drifted from its original intent. The Chief Credit Officer usually has the power of veto on credit decisions. Arguably, the CRO for a fund manager has the same authority mainly for investments. The CRO is supposed to have the same powers for all risks. Instead the position is often marginalised from the key decisions and left to worry about “dashboards”, “risk appetite” and other concepts that Boards often struggle with or may not have time to consider properly.
The reality is that the risk function is often only left to sweep up after the horse has bolted, by holding a steward’s enquiry when something goes wrong. Their involvement is often incidental in the early stages before the deal is booked.
How do you make the Risk function more effective?
The basis structure is right where all roads lead to the CRO in managing risk. But the way Risk operates needs reshaping. For instance, the effectiveness of these departments has been hampered by the attention they have to give to implementing changes to regulation. The Compliance Director used to be the focal point for implementing and monitoring regulation. Now, this tends to be limited to financial crime and fraud prevention, leaving the implementation of capital adequacy rules to be split between the CRO and the CFO. The Compliance function often plays a bit part by handling the statutory reporting without much input to the content.
Now these may seem like sweeping generalisations and damning to some, but many will nod their heads in agreement, fearful of voting for turkeys at Christmas.
Many risk officers would agree that the “ex-ante” prevention of risk should be the priority, not simply the” ex-post” monitoring and reporting of statistics. For this to happen, the risk team has to have experienced professionals in each of the key risk with a track record as practitioners in the areas they assess. Thus, a credit risk officer should have first hand experience of lending or trading; an operational risk chief should have run a middle or back office and a market risk manager should have worked in some responsible capacity in a treasury and capital markets arena. And ideally, the CRO should be a master in the key risk affecting the firm.
Only by using past “poachers” can one often spot where the weaknesses lie as a “game- keeper”.
Firms need to take a critical look at the empires that have been built within the organisations to decide whether they have the correct expertise going forward. For this to happen, it is essential that the CRO has a hotline to the CEO to highlight not only areas of general concern but also have unrestricted access into the Non Executive Directors and Audit Committee so that the position is not compromised.
For further details please contact Manuel Boger at firstname.lastname@example.org
We would love to hear your views – leave us a comment below or start a discussion!