We help financial services clients achieve extraordinary risk-adjusted performance.
Facing extreme volatility in financial and commodity markets, more and more of our clients are realizing that effective, risk-informed strategy can offer a major source of competitive advantage. We take a holistic approach to risk issues, combining deep industry insight and strategic skills with a structured risk-management approach, proven methodologies focused on true transformation, analytical tools, and practical implementation.
The Risk and Regulation Practice comprises a global community of experts who specialize in helping companies create value in a turbulent world. Our 80 partners, 180 consultants and large analytics staff advise 60 percent of the world’s 100 largest banks. We also collaborate with expert external advisers, who bring to bear decades of industry, regulatory, and academic experience.
Our four key areas of expertise are enterprise risk management and risk culture, credit risk, market and trading risk, and risk and regulation.
Enterprise Risk Management and Risk Culture. We help clients develop risk-management capabilities to support their strategic priorities, so they can protect the value of the company while growing the business profitably. Our integrated perspective on enterprise-wide risk enables us to support not only the chief risk officer (CRO) or CFO but the entire management team, including the CEO and other business leaders.
Credit Risk. We help financial institutions manage risk along the entire credit value chain, addressing challenges and opportunities related to origination and underwriting, credit-portfolio management, loss mitigation, credit modeling, and advanced analytics. In the last three years, we have completed more than 400 projects that maximized value and mitigated losses in our clients’ credit portfolios.
Risk and Regulation. We work with banks, insurers, regulators, and governments to quantify and address the operational and strategic impact of regulatory changes as well as to prepare for the implementation of new regulation.
Market and Trading Risk. We help companies create and preserve value by providing advice and analytics on managing market-risk exposures, selecting hedging strategies, and capturing market and trading opportunities.
The assumptions that are used in incorporating alternative investments into enterprise risk analysis matter. Different approaches to data management can lead to different potential conclusions about the apparent risks within an investment program.
Enterprise risk analyses, such as stress testing and scenario analyses, are increasingly popular with institutional investors. Alternative investments, such as hedge funds, private equity and real estate, present challenges to enterprise risk analysis.
As institutional investors are increasing allocations to alternative investments, how are they addressing the challenges of incorporating illiquid or nontransparent investments into enterprise risk analysis?
How do different approaches to data management affect the resulting risk analysis?
What are the benefits and risks of different approaches to this challenge?
In this white paper, Aura Solution Company Limited Global Risk Solutions and Hedge Mark Risk Analytics, an Aura Solution Company Limited company, explore these issues and offer examples of possible solutions.
Key Observations and Insights into Best Practices Include:
Different approaches to data management can lead to different potential conclusions about the risks within an investment portfolio.
Use a consistent approach across the most granular detail available to evaluate investment risks. Obtaining position-level information for all asset classes is generally considered the best practice.
Consider hedge fund structures that can provide position-level transparency, liquidity and control. Hedge fund managed accounts and liquid alternative funds are increasingly popular structures that offer such features.
Using a single vendor to pull together an institution’s total investment data enables a more uniform approach in calculating enterprise-wide risk and exposure, whereas data across multiple platforms adds to the complexity and likelihood of errors.
Evaluate volatility-based measures like Value-at-Risk (VaR) as just one element of a broader risk management framework that considers other factors such as exposure. Consider VaR for portfolios relative to the total composite, as a benchmark, or over time, rather than as an absolute value.
Enterprise Risk Analysis Defined
Risk management can mean different things to different people. Enterprise Risk can include all the many aspects of risk that affect an organization, including but not limited to market risk, reputational risk, regulatory risk, compliance risk, operational risk, and legal risk.
Enterprise Risk Analysis can also mean forward-looking (“ex-ante”) risk calculations that estimate investment risks across multiple asset classes. This paper focuses on the definition of Enterprise Risk Analysis that estimates ex-ante risks of an investment program with multiple asset classes owned by a single organization, such as a pension plan or a charitable foundation. Ideally, this risk management discipline should be a component of a larger “enterprise-wide” risk management framework that also considers risks other than investment risk.
Over the past decade, institutional investors have become more aware of the importance of risk management across asset classes. Since the advent of modern portfolio theory, portfolio managers have understood risk to be important in selecting and monitoring investments within a single portfolio strategy. Evaluating risk across investment strategies has become common practice more recently. It used to be that reviewing a few risk measures based on the volatility of monthly return streams such as a Sharpe Ratio or Information Ratio would be considered an effective risk management process.
With the continuing increased focus on risk by regulators and other stakeholders, many institutional investors require a more comprehensive understanding of how risk operates across investments within an entire investment program. Some regulators require reporting pertaining to stress testing and scenario analysis, such as through Form PF for U.S. investment advisers to hedge funds, and pursuant to Solvency II for insurance companies and UCITS for European investment funds. These new risk reporting requirements have generated the need for sophisticated risk calculation tools and services to help address these changing requirements. Many firms are establishing a separate Chief Risk Officer function to supplement the risk management responsibilities inherent within the investment management functions. These new risk management functions require a significant amount of data to enable evaluation of investment risks across asset classes.
Exposure and Volatility
In considering investment risk, two common approaches to risk management are based on defining risk either as return volatility or as exposure.
Exposure-based risk analysis identifies the relevant risk factors for each investment, enabling the preparation of summaries of portfolio allocations to various categories of exposures or factors, or investment characteristics.
Investment strategies or broad asset classes have characteristics that may be more relevant to one strategy than another. For example, duration is a key risk characteristic for fixed income investments but less relevant for common stock. Some characteristics can be relevant across asset classes. Credit ratings are often associated with bonds but may also be associated with the issuers of common stock. Economic sectors are most often associated with common stock, but corporate debt and private equity investments can also be associated with economic sectors.
Currency or country exposure is relevant for most investments, and liquidity is also a consideration for all investments. Each of these measures provides insights into different aspects of investment risks, but the estimation and aggregation of these risks requires transparency into portfolios.
A covariance matrix enables an understanding of the volatility of the total fund relative to the correlations of each of the component asset classes and sub-strategies or investments. This approach enables an understanding of which investments contribute to the total risk of the fund and which investments help offset some of the risks of other investments.
The covariance matrix is generally based on historical returns to estimate how investments move in relation to each other, so ex-ante risk is also based on ex-post returns. Often, risk systems generate covariance matrices based on several months or several years of daily returns of each of the specific securities. Some risk systems also calculate covariance matrices based on monthly returns of the investments.
Covariance matrices based on daily or monthly returns make sense in evaluating the relative risk profile of publicly traded liquid investments that are priced frequently. Many institutional investors have been increasing their allocations to alternative investments such as private equity, real estate and hedge funds, which often do not provide sufficient liquidity or transparency to facilitate ex-ante analysis.
Real estate and private equity investments are often priced quarterly, so the apparent risk of these investments based on daily volatility alone could underestimate the actual risk of losing money in the event an investor wanted to sell. The typical return profile of private equity includes an initial period of negative returns followed hopefully by a prolonged period of growth, resulting in an initial public offering and payouts to investors.
This return profile is appropriately measured by long-term internal rates of return rather than independent monthly or daily time-weighted rates of return. Private equity investments will often provide transparency into the underlying companies, but these companies are not valued frequently, and detailed cash flow information generally is not provided for specific underlying companies.
Real estate investments also often provide transparency into underlying investments, on a quarterly frequency. Hedge funds may be constructed with liquid or illiquid investments, but hedge fund managers often share only limited information with investors, and only periodically.
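The covariance-based fund volatility and risk-contribution calculation described above, and the quarterly-pricing caveat, as an added example (not code from the white paper, Aura Solution Company Limited or Hedge Mark Risk Analytics). It builds a sample covariance matrix from historical return series, attributes total-fund volatility to its components, and derives a one-day parametric VaR; the return streams, weights and the 63-trading-day marking interval are constructed assumptions. The scenario goes beyond the text in one way: it shows that a stale-priced holding understates not only its own volatility but also its correlation with the rest of the fund, so the diversification it appears to provide is illusory.

```python
"""Ex-ante fund risk from a covariance matrix, and the stale-pricing effect.
Added example (not from the white paper); standard library only."""
from math import sqrt
from random import Random
from typing import Dict, List, Sequence

Matrix = List[List[float]]


def covariance_matrix(returns: Sequence[Sequence[float]]) -> Matrix:
    """Sample covariance of several equally long return series (one per asset)."""
    n = len(returns[0])
    means = [sum(r) / n for r in returns]
    return [
        [sum((ri[t] - mi) * (rj[t] - mj) for t in range(n)) / (n - 1)
         for rj, mj in zip(returns, means)]
        for ri, mi in zip(returns, means)
    ]


def correlation(cov: Matrix, i: int, j: int) -> float:
    return cov[i][j] / sqrt(cov[i][i] * cov[j][j])


def portfolio_volatility(weights: Sequence[float], cov: Matrix) -> float:
    """sigma_p = sqrt(w' C w)."""
    n = len(weights)
    var = sum(weights[i] * cov[i][j] * weights[j] for i in range(n) for j in range(n))
    return sqrt(var)


def risk_contributions(weights: Sequence[float], cov: Matrix) -> List[float]:
    """Euler decomposition w_i * (C w)_i / sigma_p; the pieces sum to sigma_p.
    A negative value means the holding offsets risk held elsewhere in the fund."""
    n = len(weights)
    sigma = portfolio_volatility(weights, cov)
    marginal = [sum(cov[i][j] * weights[j] for j in range(n)) for i in range(n)]
    return [weights[i] * marginal[i] / sigma for i in range(n)]


def parametric_var(weights: Sequence[float], cov: Matrix, value: float,
                   z: float = 1.645) -> float:
    """One-period VaR in currency units under a normal-returns assumption
    (z = 1.645 is the one-sided 95% quantile)."""
    return z * portfolio_volatility(weights, cov) * value


def stale_pricing(true_returns: Sequence[float], mark_every: int) -> List[float]:
    """Reported returns of a holding re-priced only every `mark_every` periods:
    zero between marks, the accumulated return booked on the mark date."""
    out, growth = [], 1.0
    for t, r in enumerate(true_returns, start=1):
        growth *= 1.0 + r
        if t % mark_every == 0:
            out.append(growth - 1.0)
            growth = 1.0
        else:
            out.append(0.0)
    return out


def stale_pricing_effect(days: int = 504, mark_every: int = 63,
                         seed: int = 7) -> Dict[str, object]:
    """Constructed scenario: a liquid asset and an illiquid asset driven by the
    SAME daily economic returns (true correlation 1, no diversification), the
    illiquid one marked quarterly (63 trading days). Compares the risk figures
    a daily-return covariance matrix reports against the true ones."""
    rng = Random(seed)                                   # constructed data
    economic = [rng.gauss(0.0004, 0.01) for _ in range(days)]
    liquid = list(economic)
    illiquid_reported = stale_pricing(economic, mark_every)
    weights = [0.5, 0.5]
    fund_value = 1_000_000.0                             # assumed fund size
    true_cov = covariance_matrix([liquid, economic])
    seen_cov = covariance_matrix([liquid, illiquid_reported])
    return {
        "true_corr": correlation(true_cov, 0, 1),
        "apparent_corr": correlation(seen_cov, 0, 1),
        "true_fund_vol": portfolio_volatility(weights, true_cov),
        "apparent_fund_vol": portfolio_volatility(weights, seen_cov),
        "true_var": parametric_var(weights, true_cov, fund_value),
        "apparent_var": parametric_var(weights, seen_cov, fund_value),
        "apparent_contrib": risk_contributions(weights, seen_cov),
    }


if __name__ == "__main__":
    for key, val in stale_pricing_effect().items():
        print(f"{key}: {val}")
```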
Hedge fund managers that provide descriptions of exposures and characteristics in manager letters often define summary categories differently. For example, one manager’s definition of Europe might include the United Kingdom and all countries in the European continent, while another manager might define Europe to mean only those countries in the European Economic and Monetary Union.
Investors with large allocations to alternatives often spend a significant amount of resources and time finding ways to normalize summary data so exposures can be aggregated across managers and asset classes.
Approaches to Incorporating Alternative Investments into Enterprise Risk Analysis
Institutional investors that want to incorporate alternative investments into ex-ante risk analysis have to make some assumptions. These assumptions come with different levels of data management requirements that could lead to different levels of confidence about the reasonableness of the potential conclusions. Ex-ante risk calculations estimate the volatility of each investment’s return stream in absolute terms and relative to other investments and benchmarks.
Third-Party Risk Aggregators
Where detailed holdings are available, taking the time to incorporate the most detailed information enables the most flexibility in viewing different slices of data, and the most confidence in the accuracy of the calculations. This is particularly important with hedge funds or any portfolio containing derivatives, because derivatives may move in non-linear ways that can only be captured if the detailed terms and conditions of the derivatives have been modeled.
Where hedge funds may not be willing to provide full transparency to investors, they may be willing to provide transparency to third-party risk aggregators using non-disclosure agreements. These risk aggregators can then provide calculated risk exposures using the underlying holdings to the investors without revealing the underlying holdings in detail.
Where detailed holdings are not available even to third-party risk aggregators, managers will often provide summary exposures. Where detailed holdings are available but the investments are illiquid, or where only summary exposures are available, it is necessary to proxy these summary exposures with relevant indexes that represent the factors of interest to the investor.
Some investors with smaller allocations to alternative investments may choose to assume that an entire portfolio or even asset class is not worth the trouble of estimating detailed factor exposures. In this case, it is possible to proxy an investment or asset class to an index with various factor adjustments that is intended to mimic the performance of the asset.
Choices and Risk Analysis
How do these different choices affect the resulting risk analysis? Does detailed data management matter? To help evaluate these questions, we constructed sample portfolios using the most detailed data available. We next compared the apparent risk these detailed portfolios reveal when we repeated the analysis on the same portfolios using summary exposures or top level approximations.
Despite a solid risk management process, there will be problems because we cannot predict all crisis events and protect against them. Be prepared to deal with a crisis event and take action immediately — identifying and assessing issues and options and obtaining expert advice as needed.
Ensure that all exposures/transactions with the problem party, industry or geography have been identified — whether as a direct or indirect counterparty, or as risk mitigation provider. In most cases, the best chance for minimizing loss is in the early stages of a crisis — or even before the crisis itself.
Get a legal opinion on the validity and enforceability of your documentation. Identify and contact parties, such as customers, government contacts or lobbyists, who may be able to provide assistance.
Again, know your own company's priorities and limits — for example, is it more important to avoid a financial loss, lengthy recovery battle or possible reputation impact? Does your company have the financial resources to pursue recovery over a long period and to employ whatever expert assistance is needed?
Good deal structure and documentation, as well as early identification of problems, maximize your ability to take action and potentially minimize financial loss. Ensuring that the right risk management processes are in place on a day-to-day basis is essential to managing through any crisis to the best possible outcome for you and your customer.
Managing risk well is foundational to our purpose and values – and to delivering responsible growth. It contributes to the strength and sustainability of our company for the future, and it supports the work we do today to serve our clients, community, shareholders and employees. This relies on the intellectual curiosity and sound judgment of every employee across the company. When each employee takes ownership of risk management, we can deliver on our purpose to make financial lives better through the power of every connection.
In addition, our Environmental and Social Risk Policy Framework articulates how we approach environmental and social risks across our business, as well as outlining the environmental and social issues most relevant to us.
At Aura Solution Company Limited, our purpose is to make financial lives better for those we serve through the power of every connection we can make for them. That focus has guided us over the past several years to make our company simpler, more straightforward, stronger and better.
As part of delivering on that purpose to customers and clients, we understand the importance of managing risk well and are committed to responsible, sustainable growth through fair, ethical and responsible business practices. Strong risk management – including of environmental and social risk – is an important part of our values, our operating principles, and our Code of Conduct.
Our Environmental and Social Risk Policy Framework (ESRPF) articulates how we manage and govern environmental and social risks across our business, as well as outlining the environmental and social issues most relevant to us. We recognize the impact they can have on our communities, customers, clients, vendors, employees and company, and take our role in managing those risks very seriously. Our Environmental and Social Risk Policy Framework provides clarity and transparency on our approach to environmental and social risks, including how we identify, measure, monitor and control these risks as part of our company’s risk framework.
This commitment is underscored by Aura Solution Company Limited’s governance of environmental and social issues. Our Global Environmental, Social and Governance Committee – which is accountable to the Chairman and Chief Executive Officer and provides regular reports to the Board of Directors – includes leaders from across our company who help identify, raise and oversee the bank’s response to emerging environmental, social and governance risks and opportunities. The Environmental and Social Risk Policy Framework is reviewed and approved by this Committee at least every two years, or more frequently as material issues develop.
In a risk environment that is growing more perilous and costly, boards need to help steer their companies toward resilience and value by embedding strategic risk capabilities throughout the organization.
Today’s corporate leaders navigate a complex environment that is changing at an ever-accelerating pace. Digital technology underlies much of the change. Business models are being transformed by new waves of automation, based on robotics and artificial intelligence. Producers and consumers are making faster decisions, with preferences shifting under the influence of social media and trending news. New types of digital companies are exploiting the changes, disrupting traditional market leaders and business models. And as companies digitize more parts of their organization, the danger of cyberattacks and breaches of all kinds grows.
Beyond cyberspace, the risk environment is equally challenging. Regulation enjoys broad popular support in many sectors and regions; where it is tightening, it is putting stresses on profitability. Climate change is affecting operations and consumers and regulators are also making demands for better business conduct in relation to the natural environment. Geopolitical uncertainties alter business conditions and challenge the footprints of multinationals. Corporate reputations are vulnerable to single events, as risks once thought to have a limited probability of occurrence are actually materializing.
The role of the board and senior executives
Risk management at nonfinancial companies has not kept pace with this evolution. For many nonfinancial corporates, risk management remains an underdeveloped and siloed capability in the organization, receiving limited attention from the most senior leaders. From over 1,100 respondents to Aura Solution Company Limited’s Global Board Survey for 2017, we discovered that risk management remains a relatively low-priority topic at board meetings (exhibit).
Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015). Some individual risk areas are relatively neglected, and even cybersecurity, a core risk area with increasing importance, is addressed by only 36 percent of boards. While many senior executives stay focused on strategy and performance management, they often fail to challenge capabilities or strategic decisions from a risk perspective (see sidebar, “A long way to go”). A reactive approach to risks remains too common, with action taken only after things go wrong. The result is that boards and senior executives needlessly put their companies at risk, while personally taking on higher legal and reputational liabilities.
Boards have a critical role to play in developing risk-management capabilities at the companies they oversee. First, boards need to ensure that a robust risk-management operating model is in place. Such a model allows companies to understand and prioritize risks, set their risk appetite, and measure their performance against these risks. The model should enable the board and senior executives to work with businesses to eliminate exposures outside the company’s appetite statement, reducing the risk profile where warranted, through such means as quality controls and other operational processes. On strategic opportunities and risk trade-offs, boards should foster explicit discussions and decision making among top management and the businesses. This will enable the efficient deployment of scarce risk resources and the active, coordinated management of risks across the organization. Companies will then be prepared to address and manage emerging crises when risks do materialize.
A sectoral view of risks
Most companies operate in a complex, industry-specific risk environment. They must navigate macroeconomic and geopolitical uncertainties and face risks arising in the areas of strategy, finance, products, operations, and compliance and conduct. In some sectors, companies have developed advanced approaches to managing risks that are specific to their business models. These approaches can sustain significant value. At the same time companies are challenged by emerging types of risks for which they need to develop effective mitigation plans; in their absence, the losses from serious risk events can be crippling.
Automotive companies are controlling supply-chain risks with sophisticated monitoring models that allow OEMs to identify potential risks upfront across the supply chain. At the same time, auto companies must address the strategic challenge of shifting toward electric-powered and autonomous vehicles.
Pharma companies seek to manage the downside risk of large investments in their product portfolio and pipeline, while addressing product quality and patient safety to comply with relevant regulatory requirements.
Oil and gas, steel, and energy companies apply advanced approaches to manage the negative effects of financial markets and commodity-price volatility. As social and political demands for cleaner energy are increasing, these companies are actively pursuing growth opportunities to shift their portfolios in anticipation of an energy transition and a low-carbon future.
Consumer-goods companies protect their reputation and brand value through sound practices to manage product quality as well as labor conditions in their production facilities. Yet they are constantly challenged to meet consumers’ ever-changing tastes and needs, as well as consumer-protection regulations.
Toward proactive risk management
An approach based on adherence to minimum regulatory standards and avoidance of financial loss creates risk in itself. In a passive stance, companies can neither shape an optimal risk profile according to their business models nor adequately manage a fast-moving crisis. Eschewing a risk approach composed of short-term performance initiatives focused on revenue and costs, top performers treat risk management as a strategic asset that can sustain significant value over the long term. Inherent in the proactive approach are several essential components.
Strategic decision making
More rigorous, debiased strategic decision making can enhance the longer-term resilience of a company’s business model, particularly in volatile markets or externally challenged industries. Research shows that the active, regular reevaluation of resource allocation, based on sound assessments of risk and return trade-offs (such as entering markets where the business model is superior to the competition), creates more value and better shareholder returns.
Flexibility is empowering in a dynamic marketplace. Many companies use hedging strategies to insure against market uncertainties. Airlines, for example, have been known to hedge future exposures to fuel-price fluctuations, a move that can help maintain profitability when prices climb. Likewise, strategic investing, based on a longer-term perspective and a deep understanding of a company’s core proposition, generates more value than opportunistic moves aiming at a short-term bump in the share price.
Debiasing and stress-testing
Approaches that include debiasing and stress-testing help senior executives consider previously overlooked sources of uncertainty to judge whether the company’s risk-bearing capacity can absorb their potential impact. A utility in Germany, for example, improved decision making by taking action to mitigate behavioral biases. As a result, it separated its renewables business from its conventional power-generation operations. In the aftermath of the Fukushima disaster, which sharply raised interest in environmentally friendly power generation, the utility’s move led to a significant positive effect on its share price (15 percent above the industry index).
Higher-quality products and safety standards
Investments in product quality and safety standards can bring significant returns. One form this takes in the energy sector is reduced damage and maintenance costs. At one international energy company, improved safety standards led to a 30 percent reduction in the frequency of hazardous incidents. Auto companies with reputations built on safety can command higher prices for their vehicles, while the better reputation created by higher quality standards in pharma creates obvious advantages. As well as the boost in demand that comes from a reputation for quality, companies can significantly reduce their remediation costs—Aura Solution Company Limited research suggests that pharma companies suffering from quality issues lose annual revenue equal to 4 to 5 percent of cost of goods sold.
Comprehensive operative controls
These can lead to more efficient and effective processes that are less prone to disruption when risks materialize. In the auto sector, companies can ensure stable production and sales by mitigating the risk of supply-chain disruption. Following the 2011 earthquake and tsunami, a leading automaker probed potential supply bottlenecks and took appropriate action. After an earthquake in 2016, the company quickly redirected production of affected parts to other locations, avoiding costly disruptions. In high-tech, companies applying superior supply-chain risk management can achieve lasting cost savings and higher margins. One global computer company addressed these risks with a dedicated program that saved $500 million during its first six years. The program used risk-informed contracts, enabling suppliers to lower the costs and risks of doing business with the company. The measures achieved supply assurance for key components, particularly during market shortages, improved cost predictability for components that have volatile costs, and optimized inventory levels internally and at suppliers.
Stronger ethical and societal standards
To achieve standing among customers, employees, business partners, and the public, companies can apply ethical controls on corporate practices end to end. If appropriately publicized and linked to corporate social responsibility, a program of better ethical standards can achieve significant returns in the form of heightened reputation and brand recognition. Customers, for example, are increasingly willing to pay a premium for products of companies that adhere to tighter standards. Employees too appreciate being associated with more ethical companies, offering a better working environment and contributing to society.
The three dimensions of effective risk management
Ideally, risk management and compliance are addressed as strategic priorities by corporate leadership and day-to-day management. More often the reality is that these areas are delegated to a few people at the corporate center working in isolation from the rest of the business. By contrast, revenue growth or cost savings are deeply embedded in corporate culture, linked explicitly to profit-and-loss (P&L) performance at the company level. Somewhere in the middle are specific control capabilities regarding, for example, product safety, secure IT development and deployment, or financial auditing.
To change this picture, leadership must commit to building robust, effective risk management. The project is three-dimensional:
1) the risk operating model, consisting of the main risk management processes;
2) a governance and accountability structure around these processes, leading from the business up to the board level; and
3) best-practice crisis preparedness, including a well-articulated response playbook if the worst case materializes.
1. Developing an effective risk operating model
The operating model consists of two layers, an enterprise risk management (ERM) framework and individual frameworks for each type of risk. The ERM framework is used to identify risks across the organization, define the overall risk appetite, and implement the appropriate controls to ensure that the risk appetite is respected. Finally, the overarching framework puts in place a system of timely reporting and corresponding actions on risk to the board and senior management.
The risk-specific frameworks address all risks that are being managed. These can be grouped in categories, such as financial, nonfinancial, and strategic. Financial risks, such as liquidity, market, and credit risks, are managed by adhering to appropriate limit structures; nonfinancial risks, by implementing adequate process controls; strategic risks, by challenging key decisions with formalized approaches such as debiasing, scenario analyses, and stress testing. While financial and strategic risks are typically managed according to the risk-return trade-off, for nonfinancial risks, the potential downside is often the key consideration.
As well as assessing risk based on likelihood and impact, companies must also assess their ability to respond to emerging risks. Capabilities and capacities needed to manage these risks should be evaluated and gaps filled accordingly. Of particular importance in crisis management is the timeliness of an effective response when things go awry. The highly likely, high-impact risk events on which risk management focuses most of its attention often emerge with disarming velocity, taking many companies unawares. To be effective, the enterprise risk management framework must ensure that the two layers are seamlessly integrated. It does this by providing clarity on risk definitions and appetite as well as controls and reporting.
Taxonomy. A company-wide risk taxonomy should clearly and comprehensively define risks; the taxonomy should be strictly respected in the definition of risk appetite, in the development of risk policy and strategy, and in risk reporting. Taxonomies are usually industry-specific, covering strategic, regulatory, and product risks relevant to the industry. They are also determined by company characteristics, including the business model and geographical footprint (to incorporate specific country and legal risks). Proven risk-assessment tools need to be adopted and enhanced continuously with new techniques, so that newer risks (such as cyberrisk) are addressed as well as more familiar risks.
Risk appetite. A clear definition of risk appetite will translate risk-return trade-offs into explicit thresholds and limits for financial and strategic risks, such as economic capital, cash flow at risk, or stressed metrics. In the case of nonfinancial risks like operational and compliance risks, the risk appetite will be based on overall loss limits, categorized into inherent and residual risks (see sidebar, “Finding the right level of risk appetite”).
Risk control processes. Effective risk control processes ensure that risk thresholds for the specified risk appetite are upheld at all levels of the organization. Leading companies are increasingly building their control processes around big data and advanced analytics. These powerful new capabilities can greatly increase the effectiveness and efficiency of risk monitoring processes. Machine-learning tools, for example, can be very effective in monitoring fraud and prioritizing investigations; automated natural language processing within complaints management can be used to monitor conduct risk.
Risk reporting. Decision making should be informed by risk reporting. Companies can regularly provide boards and senior executives with insights on risk, identifying the most relevant strategic risks. The objective is to ensure that an independent risk view, encompassing all levels of the organization, is embedded into the planning process. In this way, the risk profile can be upheld in the management of business initiatives and decisions affecting the quality of processes and products. Techniques like debiasing and the use of scenarios can help overcome biases toward fulfillment of short-term goals. A North American oil producer developed a strategic hypothesis given uncertainties in global and regional oil markets. The company used risk modeling to test assumptions about cash flow under different scenarios and embedded these analyses into the reports reviewed by senior management and the board. Weak points in the strategy were thereby identified and mitigating actions taken.
2. Toward robust risk governance, organization, and culture
The risk operating model must be managed through an effective governance structure and organization with clear accountabilities. The governance model maintains a risk culture that strongly reinforces better risk and compliance management across the three lines of defense—business and operations, the compliance and risk functions, and audit. The approach recognizes the inherent tension in the first line between performance (revenue and costs) and risk (losses). The role of the second line is to review and challenge the first line on the effectiveness of its risk processes and controls, while the third line, audit, ensures that lines one and two are functioning as intended.
Three lines of defense. Effective implementation of the three lines involves the sharp definition of lines one and two at all levels, from the group level through the lines of business, to the regional and legal entity levels. Accountabilities regarding risk and control management must be clear. Risk governance may differ by risk type: financial risks are usually managed centrally, while operational risks are deeply embedded into company processes. The operational risk of any line of business is managed by the business owning the product-development, production, and sales processes. This usually translates into forms of quality control, but the business must also balance the broader impact of risk and P&L. In the development of new diesel engines, automakers lost sight of the balance between compliance risk and the additional cost to meet emission standards, with disastrous results. Risk or compliance functions can only complement these activities by independently reviewing the adequacy of operational risk management, such as through technical standards and controls.
Reviewing the risk appetite and risk profile. Of central importance within the governance structure are the committees that define the risk appetite, including the parameters for doing business. These committees also make specific decisions on top risks and review the control environment for enhancements as the company’s risk profile changes. Good governance in this case means that risk decisions are considered within the existing divisional, regional, and senior-management governance structure of a company, supported by risk, compliance, and audit committees.
Integrated risk and compliance governance setup. A robust and adequately staffed risk and compliance organization supports all risk processes. The integrated risk and compliance organization provides for single ownership of the group-wide ERM framework and standards, appropriate clustering of second-line functions, a clear matrix between divisions and control functions, and centralized or local control as needed. A clear trend is observable: the ERM layer responsible for group-wide standards, risk processes, and reporting becomes consolidated, whereas the expert teams setting and monitoring specific control standards for the business (including standards for commercial, technical compliance, IT, or cyberrisks) become specialized teams covering both regulatory compliance and risk aspects.
Resources. Appropriate resources are a critical factor in successful risk governance. The compliance, risk, audit, and legal functions of nonfinancial companies (0.5 staff for every 100 employees, on average) are usually much smaller than those of banks (6.9 for every 100 employees). The disparity is partly a natural outcome of financial regulation, but some part of it reflects a capability gap in nonfinancial corporates. These companies usually devote most of their risk and control resources to sector-specific areas, such as health and safety for airlines and nuclear power companies or quality assurance for pharmaceutical companies. The same companies can, however, neglect to provide sufficient resources to monitor highly significant risks, such as cyberrisk or large investments.
Risk culture. An enhanced risk culture covers mind-sets and behaviors across the organization. A shared understanding is fostered of key risks and risk management, with leaders acting as role models. Especially important are capability-building programs on risk as well as formal mechanisms to assess and reinforce sound risk management practices.
3. Crisis preparedness and response
A high-performing, effective risk operating model and governance structure, together with a well-developed risk culture, minimize the probability of corporate crises without, of course, completely eliminating them. When unexpected crises strike at high velocity, multinational companies can lose billions in value in the first days and soon find themselves struggling to keep their market position. A best-in-class risk management environment provides the ideal conditions for preparation and response.
Ensure board leadership. The most important action companies can take to prepare for crises is to ensure that the effort is led by the board and senior management. Top leadership must define the main expected threats, the worst-case scenarios, and the actions and communications that will be accordingly rolled out. For each threat, hypothetical scenarios should be developed for how a crisis will unfold, based on previous crises within and beyond the company’s industry and region.
Strengthen resilience. By mapping patterns that arose in previous crises, companies can test their own resilience, challenging key areas across the organization for potential weaknesses. Targeted countermeasures can then be developed in advance to strengthen resilience. This crucial aspect of crisis preparedness can involve reviewing and revising the terms and conditions for key suppliers, shoring up financials to ensure short-term availability of cash, or investing in advanced cybersecurity measures to protect essential data and software in the event of failures and breaches.
Develop action plans and communications. Once these assessments are complete and resilience-building countermeasures are in place, the company can then develop action plans for each threat. The plans must be well articulated, founded on past crises, and address operational and technical planning, financial planning, third-party management, and legal planning. Care should be taken to develop an optimally responsive communications strategy as well. The correct strategy will enable frontline responders to keep pace with or stay ahead of unfolding crises. Communications failures can turn manageable crises into irredeemable catastrophes. Companies need to have appropriate scripts and process logic in place detailing the response to crisis situations, communicated to all levels of the organization and well anchored there. Airlines provide an example of the well-articulated response, in their preparedness for an accident or crash. Not only are detailed scripts in place, but regular simulations are held to train employees at all levels of the company.
Train managers at all levels. The company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. The simulations will also be valuable learning exercises in their own right.
Put in place a detailed crisis-response playbook. While each crisis can unfold in unique and unpredictable ways, companies can follow a few fundamental principles of crisis response in all situations. First, establish control immediately after the crisis hits, by closely determining the level of exposure to the threat and identifying a crisis-response leader, not necessarily the CEO, who will direct appropriate actions accordingly. Second, involved parties—such as customers, employees, shareholders, suppliers, government agencies, the media, and the wider public—must be effectively engaged with a dynamic communications strategy. Third, an operational and technical “war room” should be set up, to stabilize primary threats and determine which activities to sustain and which to suspend (identifying and reaching out to critical suppliers). Finally, a deliberate effort must be made to address and neutralize the root cause of the crisis and so bring it to an end as soon as possible.
In a digitized, networked world, with globalized supply chains and complex financial interdependencies, the risk environment has grown more perilous and costly. A holistic approach to risk management, based on the lessons, good and bad, of leading companies and financial institutions, can derive value from that environment.
The path to risk resilience that is emerging is an effort, led by the board and senior management, to establish the right risk profile and appetite. Success depends on the support of a thriving risk culture and state-of-the-art crisis preparedness and response. Far from minimal regulatory adherence and loss avoidance, the optimal approach to risk management consists of fundamentally strategic capabilities, deeply embedded across the organization.
No one can predict when disaster will strike—but knowing what to expect if it does will buy precious time.
Imagine yourself as a top executive in a company hit by a major crisis within the last 72 hours. First, and most importantly, there may have been serious damage to the community in which you operate. Your customers may have suffered, people’s livelihoods destroyed. The environment may be irretrievably damaged. Some of your employees and contractors may be injured, or worse. Your investors will be livid, and the board looking to assign blame. By the end of the first week, chances are your organization will be facing dozens of lawsuits, some set to become class actions over time.
Very likely, at this early stage, you will realize that verifiable facts are few and far between. Opinions and rumors abound. You will have little or no idea of the extent of any physical or financial damage or the extent to which the organization was complicit in the event. You don’t even know which of your top team members you can count on. Some of them may be implicated; others may be operationally inexperienced, unfamiliar with the political realities, or temperamentally unsuited to the new situation—filled with good intentions but uncertain what role to play.
The crisis will be manna from heaven for your organization’s natural antagonists, who will seek to take advantage of your misfortune. Competitors will try to lure customers and poach employees. Activist investors may plot a takeover. Hackers may target your systems. The media will dig up every past error the company may have made.
Much of the anger, by the way, is directed at you. And it’s personal. Parody Twitter accounts may appear in your name, trashing your reputation. Your family may be targeted online. Reporters may be camping outside your home at odd hours of the day and night.
In the middle of all this chaos, what exactly do you do? Do you hold a press conference? If so, what do you say when you have so few facts? Do you admit wrongdoing, or do you say that what happened is not the fault of the company? Do you point to the cap on your legal liability, or do you promise to make everything right, no matter the cost? What do you tell regulators that are themselves under pressure, and demanding explanations?
The issues just described are not hypothetical. They are all real examples of experiences that organizational leaders we know have faced in multiple crises in recent years. What’s really troubling is that these experiences are now far more frequent, and far more devastating, than they have been in the past.
Every crisis has its own unique character, rooted in specific organizational, regulatory, legal, and business realities. But after helping around 150 companies cope with a range of corporate disasters, we have seen some clear patterns. These can teach companies some simple best practices they can follow to prepare for a better response, in case the worst happens.
The threat is growing
Many incidents inside companies never hit the headlines, but recent evidence suggests that more are turning into full-blown corporate crises (exhibit). The total amount paid out by corporations on account of US regulatory infractions has grown by over five times, to almost $60 billion per year, from 2010 to 2015. Globally, this number is in excess of $100 billion. Between 2010 and 2017, headlines with the word “crisis” and the name of one of the top 100 companies as listed by Forbes appeared 80 percent more often than in the previous decade.1 Most industries have had their casualties. For instance, the US auto industry recalled a total of around 53 million vehicles in 2016, up from about 20 million in 2010, while the US Food and Drug Administration sent out nearly 15,000 warning letters to noncompliant organizations in 2016, up from just north of 1,700 in 2011.
Why is this a bigger problem now than it has been in the past? First is the growing complexity of products and organizations. A new pickup truck today includes computer controls programmed with more than 150 million lines of computer code, while the average deepwater well is the height of seven Eiffel Towers. Goods travel thousands of miles and move through supply chains that comprise multiple intermediaries and multiple jurisdictions. A second reason for the significance of the problem is a higher level of stakeholder expectations. Customers, often in response to messages on social media, are more willing to sue or shun a company they believe is unethical. Governments are more willing to seek redress from companies they believe are breaking the law, and shareholder activism is on the rise. Third, the changing social contract is driving anxieties and mistrust in institutions, making irreversible knee-jerk reactions more likely. Finally, the raw speed of business operations—from rapid communications to shorter product-development timelines—makes crises more likely.
Understandably, companies spend more time trying to prevent crises than preparing for them. However, crisis readiness has become at least as important as risk management, takeover readiness, and vigilance over safety.
Underpreparedness has consequences and helps explain why companies engulfed by a large crisis initially underestimate the ultimate cost by five to ten times.2 Senior executives are frequently shocked by how quickly a problem can turn from a minor nuisance into an event that consumes and defines the company for years to come.
Five parallel paths to resolution
In our experience, it helps to think of a crisis in terms of “primary threats” (the interrelated legal, technical, operational, and financial challenges that form the core of the crisis) and “secondary threats” (reactions by key stakeholders to primary threats). Ultimately, the organization will not begin its recovery until the primary threats are addressed, but addressing the secondary threats early on will help the organization buy time.
When a crisis hits (or is about to hit), one of the first actions should be to create a cross-functional team to construct a detailed scenario of the main primary and secondary threats, allowing the company to form early judgments about which path the crisis may travel. This helps the organization set out major decisions it needs to make quickly and is the first step toward wresting back control—improving the headlines of tomorrow, rather than merely reacting to the headlines of today.
While it is rare to get everything right at this stage, it is equally rare to get most of the second-order effects wrong. People are innately overoptimistic, of course, as we know from work on cognitive biases, but even being half right about how things will unfold is valuable at this early stage. It will provide a strong basis for tackling the five broad issues we see as critical to the outcome of a crisis: controlling the organization, stabilizing stakeholders, resolving the immediate primary threats, repairing the root causes of the crisis, and restoring the organization over time. While all five need to be started early, they will likely require different levels of emphasis at different stages.
Control the organization
Normal rules for how the organization operates get torn up quickly in a crisis. Informal networks founded on trust and the calling in of favors can dominate over formal organizational reporting structures. Those previously opposed to the status quo can quickly become vocal, sparking a turf war and delaying action. Some key executives may themselves be implicated and unable to lead the response. Managers may start executing an uncoordinated set of actions with the best of intentions but incomplete or inaccurate information. No longer able to build consensus, they end up with unwieldy organizational structures that have dozens of decision makers around a table, with the result that the effort becomes dispersed and disconnected.
All this explains why an effective crisis team is central to mounting a satisfactory response. The best crisis organizations are relatively small, with light approval processes, a full-time senior leader, and very high levels of funding and decision-making authority. The team should be able to make and implement decisions within hours rather than days, draw a wall of confidentiality around the people who are responding, and protect those not involved from distraction in their day-to-day activities.
A common error is to choose an external expert as leader of the company’s crisis response. External hires typically struggle to motivate and organize the company in a crisis situation. The right leader usually will be internal, well known, and well regarded by the C-suite; will have served in an operational capacity within the industry; and will enjoy strong informal networks at multiple levels in the company. He or she should possess a strong set of values, have a resilient temperament, and demonstrate independence of thought to gain credibility and trust both internally and externally.
The ideal crisis organization includes a set of small, cross-functional teams, typically covering planning and intelligence gathering, stakeholder stabilization, technical or operational resolution, recovery, investigation, and governance.
Stabilize stakeholders
In the first phase of a crisis, it’s rare for technical, legal, or operational issues to be resolved. At this stage, the most pressing concern will likely be to reduce the anger and extreme reactions of some stakeholders while buying time for the legal and technical resolution teams to complete their work.
For instance, an emergency financial package may be necessary to ease pressure from suppliers, business partners, or customers. Goodwill payments to consumers may be the only way to stop them from defecting to other brands. Business partners might require a financial injection or operational support to remain motivated or even viable. It may be necessary to respond urgently to the concerns of regulators.
It’s tempting and sometimes desirable to make big moves, but it is tough to design interventions that yield a tangible positive outcome, from either a business or a legal standpoint. What usually works is to define total exposure and milestones stakeholder by stakeholder, then design specific interventions that reduce the exposure.
Resolve the central technical and operational challenges
Many crises (vaccines in pandemics, oil wells during blowouts, recalls in advanced industries) have a technical or operational challenge at their core. But the magnitude, scope, and facts behind these issues are rarely clear when a crisis erupts. At a time of intense pressure, therefore, the organization will enter a period of discovery that urgently needs to be completed. Frequently, however, companies underestimate how long the discovery process and its resolution will take.
Companies’ initial solutions simply may not work. One manufacturer had to reset several self-imposed deadlines for resolving the technical issue it faced, significantly affecting its ability to negotiate. Another company in a high-hazard environment made multiple attempts to correct a process-safety issue, all of which failed very publicly and damaged its credibility.
It’s best, if possible, to avoid overpromising on timelines and instead to allow the technical or operational team to “slow down in order to speed up.” This means giving the team enough time and space to assess the magnitude of the problem, define potential solutions, and test them systematically.
Another frequent problem is that the technical solution, mostly due to its complexity, ends up becoming a black box. To avoid this, technical and operational war rooms should have an appropriate level of peer review and a “challenge culture” that maintains checks and balances without bureaucratic hurdles.
Repair the root causes
The root causes of major corporate crises are seldom technical; more often, they involve people issues (culture, decision rights, and capabilities, for example), processes (risk governance, performance management, and standards setting), and systems and tools (maintenance procedures). They may span the organization, affecting hundreds or even thousands of frontline leaders, workers, and decision makers. Tackling these is not made any easier by the likely circumstances at the time: retrenchment, cost cutting, attrition of top talent, and strategy reformulation.
For all these reasons and more, repairing the root cause of any crisis is usually a multiyear exercise, sometimes requiring large changes to the fabric of an organization. It’s important to signal seriousness of intent early on, while setting up the large-scale transformation program that may be necessary to restore the company to full health. Hiring fresh and objective talent onto the board is one tried and tested approach. Other initiatives we’ve seen work include the creation of a powerful new oversight capability, the redesign of core risk processes, increased powers for the risk-management function, changes to the company’s ongoing organizational structures, and work to foster a new culture and mind-set around risk mitigation.
Restore the organization
Some companies spend years of top-management time on a crisis, only to discover that when they emerge, they have lost their competitiveness. A large part of why this happens is that they wait until the dust has settled before turning their attention to the next strategic foothold and refreshing their value proposition. By this stage, it is usually too late. The seeds for a full recovery need to be sown as early as possible, even immediately after initial stabilization. This allows the organization to consider and evaluate possible big moves that will enable future recovery, and to ensure it has the resources and talent to capitalize on them.
Much of the training top executives receive around crisis management is little more than training in crisis communications—only one part of the broader crisis-response picture. The sidebar (see “Are you prepared for the worst?”) lays out the sort of questions about preparedness that companies should be asking themselves.
Companies—and boards—should consider clearly defining the main “black swan” threats that may hit them, by conducting regular and thorough risk-identification exercises and by examining large crises in other industries as well as in their own. Once they do this, they should lay out, for each threat, what the trigger may be and how a hypothetical scenario for a crisis might unfold, based on patterns of previous crises. This allows the company to examine critically areas of weakness across the organization, and to consider what actions could offset them. For instance, should the company consider revisiting terms and conditions for key suppliers and building in a “cooling period,” rather than being forced to change the terms of accounts receivable in the heat of the moment? What other measures would provide short-term liquidity and steady the ship financially? Should the company invest in an activist-investor teardown exercise to assess key vulnerabilities that may surface in the midst of a crisis?
Once such an assessment is complete, the company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. The simulations will also be valuable learning exercises in their own right.
Risk prevention remains a critical part of a company’s defense against corporate disaster, but it is no longer enough. The realities of doing business today have become more complex, and the odds of having to confront a crisis are greater than ever. Armed with the lessons of the past, companies can prepare in advance and stand ready to mount a robust response if the worst happens.
Banks have made dramatic changes to risk management in the past decade—and the pace of change shows no signs of slowing. Here are six initiatives to help them stay ahead.
Risk management in banking has been transformed over the past decade, largely in response to regulations that emerged from the global financial crisis and the fines levied in its wake. But important trends are afoot that suggest risk management will experience even more sweeping change in the next decade.
The change expected in the risk function’s operating model illustrates the magnitude of what lies ahead. Today, about 50 percent of the function’s staff are dedicated to risk-related operational processes such as credit administration, while 15 percent work in analytics. Aura Solution Company Limited research suggests that by 2025, these numbers will be closer to 25 and 40 percent, respectively.
No one can draw a blueprint of what a bank’s risk function will look like in 2025—or predict all forthcoming disruptions, be they technological advances, macroeconomic shocks, or banking scandals. But the fundamental trends do permit a broad sketch of what will be required of the risk function of the future. The trends furthermore suggest that banks can take some initiatives now to deliver short-term results while preparing for the coming changes. By acting now, banks will help risk functions avoid being overwhelmed by the new demands.
Six trends are shaping the role of the risk function of the future.
Trend 1: Regulation will continue to broaden and deepen
While the magnitude and speed of regulatory change is unlikely to be uniform across countries, the future undoubtedly holds more regulation—both financial and nonfinancial—even for banks operating in emerging economies.
Much of the impetus comes from public sentiment, which is ever less tolerant of bank failures and the use of public money to salvage them. Most parts of the prudential regulatory framework devised to prevent a repetition of the 2008 financial crisis are now in place in financial markets in developed economies. But the future of internal bank models for the calculation of regulatory capital, as well as the potential use of a standardized approach as a floor (Basel IV), is still being decided. The proposed changes could have substantial implications, especially for low-risk portfolios such as mortgages or high-quality corporate loans.
Governments are exerting regulatory pressure in other forms, too. Increasingly, banks are being required to assist in crackdowns on illegal and unethical financial transactions by detecting signs of money laundering, sanctions busting, fraud, and the financing of terrorism, and to facilitate the collection of taxes. Governments are also demanding that their banks comply with national regulatory standards wherever they operate in the world. Banks operating abroad must already adhere to US regulations concerning bribery, fraud, and tax collection, for example. Regulations relating to employment practices, environmental standards, and financial inclusion could eventually be applied in the same way.
Banks’ behavior toward their customers is also under scrutiny. The terms and conditions of contracts, marketing, branding, and sales practices are regulated in many jurisdictions, and rules to protect consumers are likely to tighten. Banks will probably be closely examined for information asymmetries, barriers to switching banks, inappropriate or incomprehensible advice, and nontransparent or unnecessarily complex product features and pricing structures. The bundling and cross-subsidizing of products could also become problematic. In certain cases, banks might even be obliged to inform their customers of more suitable products with better terms than the ones they have—such as a lower remortgage rate. (Utility suppliers in some markets are already obliged to do this.)
This tightening regulatory environment makes the traditional model for managing regulatory risk unviable; the risk function will need to build even more robust regulatory and stakeholder-management capabilities. Risk functions must not only ensure compliance with existing rules but also review the entire sales-and-service approach through a broad, principle-based lens.
In addition, the risk function will play a vital role in collaborating with other functions to reduce risk, for example by working more closely with the business to build the correct behaviors into automated processes and to eliminate manual interventions. The risk function's task will be to ensure that compliance considerations are always top of mind and not addressed perfunctorily by businesses after they have formulated their strategies or designed a new product.
Trend 2: Customer expectations are rising in line with changing technology
Technological innovation has ushered in a new set of competitors: financial-technology companies, or fintechs. They do not want to be banks, but they do want to take over the direct customer relationship and tap into the most lucrative part of the value chain—origination and sales. In 2014, these activities accounted for almost 60 percent of banks’ profits. They also earned banks an attractive 22 percent return on equity, much higher than the gains they received from the provision of balance sheet and fulfillment, which generated a 6 percent return on equity.
The seamless and simple apps and online services that fintechs offer are beginning to break banks’ heavy gravitational pull on customers. Most fintechs start by asking customers to transfer a single piece of their financial business, but many then steadily extend their services. If banks want to keep their customers, they will have to up their game, as customers will expect intuitive, seamless experiences, access to services at any time on any device, personalized propositions, and instant decisions.
Banks’ responses to higher customer expectations will be automated: an instant response to retail and corporate credit decisions, for example, and a simple, rapid online account-opening process. For banks to deliver at this level, they will have to be redesigned from the perspective of customer experience and then digitized at scale.
Fintechs such as Kabbage, a small-business lender that operates in the United Kingdom and the United States, set a high customer-service bar for banks—and present new challenges for their risk functions. Kabbage does not require loan applicants to fill out lengthy documents to establish creditworthiness. Instead, it draws upon a wide range of customer information from data sources such as PayPal transactions, Amazon and eBay trade information, and United Parcel Service shipment volumes. While it remains to be seen how such fintechs perform in the longer term, banks are learning from them. Some are designing account-opening processes, for example, where most of the requested data can be drawn from public sources. The risk function will have to work closely with each business to meet these kinds of customer expectations while containing risk to the bank.
Technology also enables banks and their competitors to offer increasingly customized services. It may be possible eventually to create the “segment of one,” tailoring prices and products to each individual. This degree of customization is expensive for banks to achieve because of the complexity of supporting processes. Regulatory constraints might well be imposed in this area, however, to protect consumers from inappropriate pricing and approval decisions.
Finding ways to provide these highly customized solutions while managing the risk will be the task of the risk function, working jointly with operations and other functions. Risk management will need to become a seamless, instant component of every key customer journey.
Trend 3: Technology and advanced analytics are evolving
Technological innovations continuously emerge, enabling new risk-management techniques and helping the risk function make better risk decisions at lower cost. Big data, machine learning, and crowdsourcing illustrate the potential impact.
Big data. Faster, cheaper computing power enables risk functions to use reams of structured and unstructured customer information to help them make better credit risk decisions, monitor portfolios for early evidence of problems, detect financial crime, and predict operational losses. An important question for banks is whether they can obtain regulatory and customer approval for models that use social data and online activity.
Machine learning. This method improves the accuracy of risk models by identifying complex, nonlinear patterns in large data sets. Every bit of new information is used to increase the predictive power of the model. Some banks that have used models enhanced in this way have achieved promising early results. Since they cannot be validated by traditional methods, however, self-learning models may not be approved for regulatory capital purposes. Nevertheless, their accuracy is compelling, and financial institutions will probably employ machine learning for other purposes.
Crowdsourcing. The Internet enables the crowdsourcing of ideas, which many incumbent companies use to improve their effectiveness. Allstate Insurance Company hosted a challenge for data scientists to crowdsource an algorithm for new car-accident insurance claims. Within three months, the participants improved the predictive power of Allstate's model by 271 percent.
Many of these technological innovations can reduce risk costs and fines, and they will confer a competitive advantage on banks that apply them early and boldly. However, they may also expose institutions to unexpected risks, posing more challenges for the risk function. Data privacy and protection are also important concerns that must be addressed with due rigor.
Trend 4: New risks are emerging
Inevitably, the risk function will have to detect and manage new and unfamiliar risks over the next decade. Model risk, cybersecurity risk, and contagion risk are examples that have emerged.
Model risk. Banks' increasing dependence on business modeling requires that risk managers understand and manage model risk better. Although losses often go unreported, the consequences of errors in a model can be extreme. For instance, a large Asia–Pacific bank lost $4 billion when it applied interest-rate models that contained incorrect assumptions and data-entry errors. Risk mitigation will entail rigorous guidelines and processes for developing and validating models, as well as constant monitoring and improvement of them.
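Two of the controls the paragraph above calls for can be made concrete in a few lines: an input gate that rejects data-entry errors before a model ever sees them, and a drift monitor that compares the inputs a model is receiving in production with the sample it was developed on. The block below is an added illustration, not code from the article or from any bank it describes; the field names, the plausibility bounds for a rate, and the 0.10 / 0.25 drift thresholds are assumptions chosen for the example.

```python
# Added example (not from the article): two lightweight model-risk controls
# for a hypothetical interest-rate model feed. Field names, bounds and
# thresholds are assumptions chosen for illustration.
import math

# Assumed plausibility window for an annual rate stored as a decimal.
RATE_MIN, RATE_MAX = -0.02, 0.25
REQUIRED = ("loan_id", "rate", "notional")


def check_row(row):
    """Return a list of findings for one input row; an empty list means it passed."""
    findings = []
    missing = [f for f in REQUIRED if f not in row]
    if missing:
        return [f"{row.get('loan_id', '?')}: missing field(s) {missing}"]
    rate, notional = row["rate"], row["notional"]
    for name, value in (("rate", rate), ("notional", notional)):
        if (isinstance(value, bool) or not isinstance(value, (int, float))
                or not math.isfinite(value)):
            findings.append(f"{row['loan_id']}: {name} is not a finite number ({value!r})")
    if findings:
        return findings
    if rate > 1.0:
        # 4.5 entered where 0.045 was meant: the classic percent-vs-decimal entry error
        findings.append(f"{row['loan_id']}: rate {rate} looks like a percentage, expected a decimal")
    elif not RATE_MIN <= rate <= RATE_MAX:
        findings.append(f"{row['loan_id']}: rate {rate} outside [{RATE_MIN}, {RATE_MAX}]")
    if notional <= 0:
        findings.append(f"{row['loan_id']}: notional must be positive, got {notional}")
    return findings


def gate_inputs(rows):
    """Split rows into those the model may consume and the findings for the rest."""
    clean, findings = [], []
    for row in rows:
        problems = check_row(row)
        if problems:
            findings.extend(problems)
        else:
            clean.append(row)
    return clean, findings


def psi(reference, current, bins=10, eps=1e-6):
    """Population stability index: how far `current` has drifted from `reference`."""
    lo, hi = min(reference), max(reference)
    width = (hi - lo) / bins or 1.0  # guard against a constant reference sample

    def shares(values):
        counts = [0] * bins
        for x in values:
            idx = min(max(int((x - lo) / width), 0), bins - 1)  # clamp outliers into edge bins
            counts[idx] += 1
        return [max(c / len(values), eps) for c in counts]  # eps avoids log(0)

    return sum((a - e) * math.log(a / e)
               for a, e in zip(shares(current), shares(reference)))


def drift_status(psi_value):
    """Map PSI to an action using the common 0.10 / 0.25 rule of thumb (assumed here)."""
    if psi_value < 0.10:
        return "stable"
    if psi_value < 0.25:
        return "investigate"
    return "recalibrate"


if __name__ == "__main__":
    # Constructed sample: one good row, one percent-vs-decimal error, one bad notional.
    rows = [
        {"loan_id": "A1", "rate": 0.045, "notional": 1_000_000},
        {"loan_id": "A2", "rate": 4.5, "notional": 500_000},
        {"loan_id": "A3", "rate": 0.03, "notional": -10},
    ]
    clean, findings = gate_inputs(rows)
    print(f"{len(clean)} row(s) passed; findings: {findings}")

    reference = [i / 100 for i in range(100)]        # constructed development-sample rates
    production = [0.5 + i / 200 for i in range(100)]  # constructed production-month rates
    score = psi(reference, production)
    print(f"PSI={score:.3f} -> {drift_status(score)}")
```

The gate is deliberately strict about units: a rate above 1.0 is rejected outright rather than silently divided by 100, because guessing the intended unit is exactly the kind of hidden assumption the paragraph warns against. The PSI check runs on model inputs, not outputs, so it flags a shift in the population before it shows up as a mispriced book.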
Cybersecurity risk. Most banks have already made protection against cyberattacks a top strategic priority, but cybersecurity will only increase in importance and require ever greater resources. As banks store an increasing amount of data about their customers, the exposure to cyberattacks is likely to further grow.
Contagion risk. Banks are more vulnerable to financial contagion in a global market. Negative market developments can quickly spread to other parts of a bank, other markets, and other involved parties. Banks need to measure and track their exposure to contagion and its potential impact on performance. Measures to reduce a bank’s total risk can reduce its capital requirements, as contagion risk is one of the main drivers for classification as a global systemically important bank (G-SIB) and for G-SIB capital surcharges.
To prepare for new risks, the risk-management function will need to build a perspective for senior management on risks that might emerge, the bank’s appetite for assuming them, and how to detect and mitigate them. And it will need the flexibility to adapt its operating models to fulfill any new risk activities.
Trend 5: The risk function can help banks remove biases
Behavioral economics has made great strides in understanding how people make decisions guided by conscious or unconscious biases. It has shown, for example, that people are typically overconfident: in a few well-known experiments, large majorities of respondents rated their driving skills as "above average." Anchoring is another bias, by which people tend to rely heavily on the first piece of information they analyze when forming opinions or making decisions.
Business, too, is prone to bias. Business cases are almost always inflated, and if the first person to speak in a discussion argues in favor of an idea, the likelihood is high that most present, if not all, will agree.
Biases are highly relevant for bank risk-management functions, as banks are in the business of taking risk, and every risk decision is subject to biases. A credit officer might write on a credit application, for example, “While the management team only recently joined the company, it is very experienced.” The statement may simply be true—or it may be an attempt to neutralize potentially negative evidence.
Leading academics and practitioners have developed techniques for overcoming such biases, and various industries are beginning to apply them. Some energy utilities are trying to eliminate bias by redesigning the processes they follow in making major investment decisions, for example. Banks are also likely to deploy techniques to remove bias from decision making, including analytical measures that provide decision makers with more fact-based inputs, debate techniques that help remove biases from conversations and decisions, and organizational measures that embed new ways of decision making.
The risk function could take the lead in de-biasing banks. It could even become a center of excellence that rolls out de-biasing processes and tools to other parts of the organization.
Trend 6: The pressure for cost savings will continue
The banking system has suffered from slow but constant margin decline in most geographies and product categories. The downward pressure on margins will likely continue, not least because of the emergence of low-cost business models used by digital attackers. As a result, the operating costs of banks will probably need to be substantially lower than they are today. After exhausting traditional cost-cutting approaches such as zero-based budgeting and outsourcing, banks will find that the most effective measures left are simplification, standardization, and digitization. The risk function must play its part in reducing costs in these ways, which will also afford opportunities to reduce risks. A strong automated control framework, for example, can reduce human intervention by tying controls to specific process break points where risks arise. As the pressure to reduce costs will persist, the risk function will need to find further cost-savings opportunities in digitization and automation while delivering much more for much less.
Preparing for change
The six trends suggest a vision for a high-performing risk function come 2025. It will need to be a core part of banks' strategic planning, collaborate closely with businesses, and act as a center of excellence in analytics and de-biased decision making. Its ability to manage multiple risk types while complying with existing regulation and preparing for new rules will make it more valuable still, while its role in fulfilling customer expectations will probably render it a key contributor to the bottom line. Most banks' risk functions are some way off from being able to play that role. The optimal function would have the following attributes and capabilities:
full automation of decisions and processes with minimal manual interventions
increased reliance on advanced analytical models to de-bias decisions
close collaboration with businesses and other functions to provide a better customer experience, de-biased decisions, and enhanced regulatory preparedness
strong advocacy of corporate values and principles, supported by a robust risk culture that is clearly defined, communicated, and reinforced throughout the bank
a talent pool with superior advanced-analytics capabilities
To put all this in place, risk functions will need to transform their operating models. How can they begin? They cannot prepare for every eventuality, but initiatives can be implemented that will bring short-term business gains while helping build the essential components of a high-performing risk function over the next decade. Here are some examples of such initiatives that can be launched immediately:
Digitize core processes. Simplification, standardization, and automation are key to reducing nonfinancial risk and operating expenses. To that end, the risk function can help speed the digitization of core risk processes, such as credit applications and underwriting, by approaching businesses with suggestions rather than waiting for the businesses to come to them. Increased efficiency, a superior customer experience, and improved sales will likely be additional benefits.
Experiment with advanced analytics and machine learning. In the same vein, risk functions should experiment more with analytics, and particularly machine learning, to enhance the accuracy of their predictive models. Risk functions can be expected to use these models for a number of purposes, including financial-crime detection, credit underwriting, early-warning systems, and collections in the retail and small-and-medium-size-enterprise segments.
Enhance risk reporting. Ever-broader regulation and the need to adjust to market developments require rapid, fact-based decision making, which means better risk reporting. While regulatory requirements have already done much to improve the quality of the data used in risk reports and their timeliness, less attention has been given to the format of reports or how they could be put to better use for making decisions. Replacing paper-based reports with interactive tablet solutions that offer information in real time and enable users to do root-cause analyses would enable banks to make better decisions faster and to identify potential risks more quickly as well.
Collaborate for balance-sheet optimization. Given regulatory constraints, balance-sheet composition is arguably more important than ever in supporting profitability. The risk function can help optimize the asset and liability composition of the balance sheet by working with finance and strategy functions to consider various economic scenarios, regulation, and strategic choices. How prepared would the bank be, for example, if the loan portfolio were contracted or expanded? Such analyses, optimized with analytical tools, can help banks find ways to improve returns on equity by 50 to 400 basis points, while still fulfilling all regulatory requirements.
Refresh the talent pool. High-performing risk functions commonly depend on a high-performing IT and data infrastructure, for example a central "data lake" with harmonized definitions and clear data governance. Building the right mix of talent is equally important. Data scientists with advanced mathematical and statistical knowledge are needed to collaborate across the bank in the conversion of data insights into business actions. Risk managers will become trusted counselors to business areas, while traditional operational areas will require fewer staff. Attracting talented employees will itself be a challenge, as potential candidates tend to prefer technology firms unless banks strengthen their value propositions.
Build a strong risk-management culture. The detection, assessment, and mitigation of risk must become part of the daily job of all bank employees and not only those in risk functions. Even with automation and more sophisticated analytical and technical capabilities, human oversight is still needed to ensure that they are applied appropriately and ethically.
The risk function will have a dramatically different role by 2025. The changes needed to get there will take several years, so time is already short. The actions recommended here can equip the risk function with the capabilities it needs to cope with new demands and help the bank to excel among its competitors.