Before the bottom fell out of the markets last year, most asset management firms thought they already had robust risk management processes in place. Now they're not so sure.
As firms rethink risk, experts say they should focus more on having a flexible program in place rather than on planning for every possible contingency.
The main problem with risk management systems and Monte Carlo simulations is that they don't take into account extreme, tail-end events, also known as "black swans." By their very nature, unpredictable events cannot be anticipated.
While businesses won't be able to plan for everything, there are a number of opportunities to strengthen risk management, said Edward Hida, a partner at Deloitte and a global leader of the firm's risk and capital management division.
Systemic risk to the global financial system has substantially raised the demands placed on both regulators and risk managers, Hida said in his report titled "Risk Management in the Spotlight."
"These events have demonstrated the need for enhanced risk management capabilities and reiterated a basic principle: Risk and return are generally correlated and should be evaluated together," Hida wrote. "Many institutions still may need to implement enterprise risk management programs to gain a more comprehensive view of the risks they face. More sophisticated methodologies will likely be adopted by many institutions to manage the risks in today's more complex environment, such as 'tail risks' from unlikely events and the risks from a lack of liquidity."
A solid risk-management system must have three lines of defense, Hida said. First, the company's board of directors or board-level risk committee must play an important role in providing guidance. Next, firms should create or enhance the role of a chief risk officer (CRO) to establish and lead the risk effort. Lastly, firms should do an internal audit to make sure the first two are functioning, he said.
Risk management should start at the board level, Hida said. "A formal statement of risk appetite can provide clarity and communication of the level of risk throughout the organization."
Hida said executive management must provide leadership that enhances and improves the transparency of the institution's risk strategy, risk appetite and risk management framework. It is natural for companies to take on more risk during bull markets, but it is the duty of the board to keep this risk in check.
"The board of directors should approve a statement of the institution's risk appetite," Hida wrote. "A formal statement of risk appetite can provide strategic direction for business decision-making by making explicit the amount of risk that an institution is willing to make."
In addition to the board, a CRO plays a vital role in defining risk appetite, guiding business decisions and assessing the aggregate level of risk across the institution, he said.
"Creating a risk-aware culture may require organizations to go beyond the CRO and senior executives, and to infuse risk considerations into the fabric of the organization," Hida wrote. "Successful enterprise-wide risk management efforts should include a significant communication component such that the key principles and goals of risk management are understood by all employees."
Part of this communication effort includes the clear support of the CRO by the board, the CEO and other members of the senior executive team, he said.
A recent survey of financial firms by Deloitte found that 73% have already developed a CRO or equivalent position. At nearly three quarters of the institutions surveyed, the CRO reported to the board of directors and/or the CEO. Only 36% of institutions surveyed said they had an enterprise risk management (ERM) program, although 23% more said they were in the process of creating one.
Among those companies with an ERM program, 85% said they found the total value of the programs, both quantifiable and non-quantifiable, to outweigh the cost of the program.
"To gain a comprehensive view of all the risks they face, their linkages, and how they are being managed, more institutions may need to consider implementing ERM programs," Hida said. "While financial institutions have a long history of managing the more traditional areas of market and credit risk, many firms may need to improve their ability to manage emerging risk types, such as reputation risk and liquidity risk. Risk management programs may also require more sophisticated methodologies that reflect the increasing complexity of financial products and interdependence of financial markets."
Most of the companies surveyed indicated relatively low levels of satisfaction with their current risk management systems (see chart), and 71% of institutions said they expect to increase spending on risk management technology over the next three years, in some cases substantially, Hida wrote. Although spending is tight right now, firms that invest now to upgrade risk technology systems could reap benefits from improved risk decisions in the future, he said.
"Risk management responsibilities may need to be infused throughout the organization and integrated into performance goals and compensation decisions," Hida wrote. "To the extent it has not already been done, creating a risk-aware culture, supported by specific methodologies, tools, and governance structures, will be essential to helping financial institutions navigate the challenging times ahead."
(c) 2009 Money Management Executive and SourceMedia, Inc. All Rights Reserved.