What's Your Appetite for Risk in Banking and Capital Markets?
The global financial crisis exposed a sizable gap between the level of risk that banks perceived they were taking and the level of risk they were actually taking. Since then, regulators have focused on ensuring that banks understand risk affecting their business and adopt effective risk management frameworks (for instance, governance, risk and compliance [GRC] frameworks) that more accurately reflect the risk they are willing to accept.
Although common ground has been found on the concepts, scope and features of effective GRC frameworks, there is still no consensus on what “good” looks like. Regulators are unlikely to define it, since it depends largely on each institution’s business model and strategic aims, yet scrutiny continues to mount. In recent years, for example, the Financial Stability Board issued its Principles for an Effective Risk Appetite Framework after finding that best practices “had not yet been widely adopted.” The Basel Committee on Banking Supervision has since followed up with its Principles for Effective Risk Data Aggregation and Risk Reporting, intended to provide stability and assurance in the market.
What is clear is that simply adopting and setting limits, buffers and controls is not enough. In the same way that a business strategy both identifies target returns and establishes how to achieve them, an effective GRC framework must define boundaries while outlining how these will be maintained. In effect, the framework needs to show that it has established a firm-wide approach to monitoring and preventing breaches. To achieve this, banks need principles, governance structures, systems and review mechanisms that underpin their risk management strategy and culture while aligning with their broader business strategy.
Drawing on our experience working with regulators and a range of top tier global banks, we believe financial institutions should consider the following five steps while developing their GRC framework.
1. SET A CLEAR, MEASURABLE AND ACTIONABLE RISK STRATEGY
First, determine your risk profile (i.e., the risks you face as a result of your business activities) before setting your risk objectives and appetite (e.g., tolerances, buffers and limits). Typically, your risk profile needs to be sufficiently detailed and categorized by type of risk to enable aggregation across business lines or legal entities.
It is essential that you also determine meaningful quantitative and qualitative metrics, all of which need to be properly reflected in your risk appetite statement in a simple and clear way. All those definitions will only be of use if they can be measured accurately, monitored constantly and communicated periodically to the relevant stakeholders. You should be able to compare against those predefined parameters to provide assurance, promote understanding of your risk priorities and determine any remediation activity.
In short, your risk strategy should be defined by the overall business strategy, as well as being clear, tangible, accurate, measurable, reportable and, most importantly, actionable.
2. INTEGRATE AND REFLECT RISK PLANNING IN MI ARCHITECTURE AND IT INFRASTRUCTURE PROGRAMS
Through our regulatory work, we recognize that it is increasingly important not only to eliminate data management silos, but also to run risk, reporting and IT change initiatives in an integrated manner as part of a single management information (MI) and IT change program. GRC frameworks are no different. Data quality, consistency and integrity are imperative, as are tailored reporting templates.
In addition, IT capability needs to enable risk aggregation, assessment of correlations, identification of risk concentrations and plans for the future. This needs to happen quickly and accurately, at the group level, across business lines, between legal entities and by type of risk. Because this data will feed into determining the risk profile, it must be reliable, available in a timely manner and provided in all combinations, from the most granular to the most aggregated.
3. DATA AGGREGATION
Ideally, a bank should maintain and enhance a strong risk data aggregation approach to ensure the accuracy, completeness and timeliness of its risk management reports.
However, by implementing rules aimed solely at compliance, banks often make it extremely difficult for employees to do their day-to-day jobs. Inevitably, this leads employees to work around the system to do their jobs effectively — an action that can lead to a major compliance risk in its own right.
To avoid this situation, a bank needs to treat risk data aggregation as an enabler rather than a hindrance. In other words, when designing the governance and accountability principles for aggregating data, banks need to take into account how people actually work, not just the data their work produces.
4. EMBED YOUR GRC FRAMEWORKS WITHIN NORMAL DECISION-MAKING PROCESSES
GRC frameworks cannot be planned in isolation. Just as the business strategy depends on being adopted and executed by people in the firm, the risk strategy needs to play a role in every part of the business. To achieve this, risk appetite must not only be communicated throughout the firm, it must, more importantly, support an environment where spotting and mitigating risks is fostered and encouraged by reward schemes at every managerial level.
The idea is that risk- and reward-based decision making needs to be embedded when defining processes, activities and controls — a concept that should be welcomed and recognized throughout the business.
5. IMPLEMENT DYNAMIC, FORWARD-LOOKING RISK MANAGEMENT
The whole idea of risk management is to be proactive rather than reactive. By anticipating and mitigating risk (for example, through a “regulatory radar” or “horizon scanning”) before it materializes, a bank improves its ability to meet its business objectives, and the evidence suggests that banks which do so consistently outperform their peers. The link is twofold: on the one hand, banks can minimize losses both now and in the future; on the other, they can identify areas where additional, controlled risk can be taken. This allows the risk/reward relationship to be optimized by rebalancing the business mix.
HOW CSC WILL HELP YOU
Today, the demands of regulatory compliance require banks to create new frameworks for systems and data. Banks that make these changes can not only attain regulatory compliance, but also enjoy new efficiencies. At the same time, these changes will enable banks to create the potential for innovative services that generate new revenues while keeping customers satisfied.
With its deep industry experience and technology-agnostic approach to delivering solutions, CSC can help banks get the maximum benefit from their risk management and regulatory compliance initiatives, and turn the associated challenges into opportunities.