Revisiting the Risk Basics

This article looks at different methods to ensure a capital markets firm has effective risk management policies in place.

In these days of financial turmoil, firms active in capital markets are focusing greater efforts on their risk management. Some will focus on elaborate change programmes with catchy acronyms like GRC (governance risk compliance) or ERM (enterprise risk management). Others will seek to retain, or strengthen, risk management by doing away with those superfluous elements that do not add exceptional value and impact the company’s bottom line. While both approaches are pragmatic, in the first instance there is the inherent danger that risk managers will add precisely what the second group is looking to get rid of - extra layers to the risk management framework that bring minimal value. Conversely, cutting internal controls and reporting elements from a firm’s risk management framework needs to be done with great care.

As a starting point, capital market firms would do well to step back and take stock of the fundamentals concerning risk management. Operating in today’s cost-containment environment, company boards and executive management are looking for reassurance that all risks have been identified and that the controls to mitigate these risks are effective. Simply put, there is no room for surprises and tolerance is near zero for losses in areas that are supposed to be well controlled. In parallel, line managers are seeking expert guidance through the web of existing and new regulatory requirements to which their internal controls and risk management practices must comply. Although the needs of upper- and line-management are different, both benefit from clear and well-articulated risk management goals, strategies and practices.

Two-way Communication

Effective risk management starts with an open and honest dialogue with the board on the risks the enterprise faces, ideally logged within a risk register. This register lists the known inherent risks that result from the company’s specific activity. Best practice includes defining the importance of all risks, not only market or credit risks, but also operational and business risks. The board approves a strategy to deal with these risks and issues control objectives in the form of policies with clearly defined business owners. Control objectives help executive and line management focus on managing what needs to work well instead of what could potentially go wrong.

Not only do business-owned control objectives increase management responsibility for the design of the control mechanisms, they should lead to better overall quality, because those designing the controls are also those with the process expertise and in-depth knowledge.

Moreover, business-owned control objectives also increase accountability where line management is part of the regular business-assurance process, through a yearly self-assessment process followed by official management sign-off. By empowering line management to assess and report on the effectiveness of the different internal and external control environments, a firm’s upper management is able to gain a holistic view of the company’s entire business-control environment.

This works particularly well in firms that are undergoing business process transformation programmes. This is a window of opportunity for risk management to embed its control framework and to instill risk management within the normal day-to-day responsibilities of line management. Business areas that are being transformed are required, as part of the programme, to regularly assess the controls’ effectiveness against board-approved objectives.

Best practice dictates that the role of risk management be limited to the design phase of a self-assessment framework. It should facilitate the detection of inherent risks and assist in articulating the control objectives across the organisation to ensure consistency. Control needs to be a management process. Line managers need to feel that they own and can manage the control objectives, in order for these objectives to be successful.

Where the control process covers the identified risks, firms should attempt to spot hitherto unknown risks. Currently, organisations tend to over-focus on controlling the known risks while potential risks are ignored or disregarded. But how do firms ensure that the important unknown risks are also identified, and that incident-specific risks do not transform unexpectedly to a business or strategic risk?

The Complete Picture

Risk management is uniquely placed within an organisation to create a comprehensive picture of the company’s risks at pre-determined intervals. To do this, a firm needs to glean valuable data from credit, market, liquidity and strategic sources. For example, a firm active in the capital markets will protect against specific country risk or political risk (both external operational risks) by installing formalised monitoring and rapid-response units. But do firms sufficiently account for the potential spillover of events such as country defaults generating incidents in other areas of the firm? These include pressures to skip standard procedures, breach of contracts or confidentiality agreements and unwanted press attention.

The financial world has changed dramatically with the aftermath of the global financial crisis. Risk management has moved on too. It can no longer be seen as a necessary evil within an organisation. It has an inherently pivotal role in setting the standards of day-to-day controls which can have an impact on the longer-term viability and direction of a firm. Yet, risk management need not mean elaborate and expensive control programmes, particularly where line managers are actually better suited to do the job.

Before entering into an expensive change management programme, be sure to meet three risk management basics. First, obtain buy-in from both upper management and the board for a detailed risk register, complete with defined control objectives and business owners. Second, regularly assess the known risks and the control framework for accuracy and effectiveness, making the necessary revisions to improve the framework. And finally, risk management should be a facilitator in the control process, intervening only when a consolidated cross-business risk assessment and mitigation approach needs to be taken. As a result, internal stakeholders, as well as regulators, will better appreciate the firm’s system of internal controls and risk management.

Article by Carl Hanssens, director in Euroclear's Risk Management division, is responsible for the Euroclear group's enterprise risk management framework, including the development, oversight and implementation of risk-related corporate policies. Hanssens is also an active member of the industry body Operational Risk Data Exchange Association ORX (ORX) - a market-representative group tasked with defining and implementing operational risk loss data reporting standards. Upon joining the risk management division in 2006, he was actively involved in a operational risk management project centring on Basel II, where he set up and co-ordinated the central operational risk cooordination centre for the group. Hanssens began his career in the operations division of the Euroclear Operations Centre (JPMorgan) in 1997, which later became Euroclear Bank. For the next eight years, he held several positions supervising and managing operational teams including: new issues, corporate actions warrants, convertible bonds and equities. Before joining the risk management division, Hanssens worked as a corporate actions risk controller where he set up the control and project team.