Managing risk now means a lot more, operationally, than just watching out for mistakes in the middle and back offices, such as mismatched details of transactions.
The 2003 mutual fund after-hours trading scandal, the accounting discrepancies at large firms that led to the passage of the Sarbanes-Oxley Act and, most directly, the global credit crisis of 2008 mean that a whole host of "new" risks now have to be managed in everyday operations.
These include regulatory, reporting, credit, liquidity, strategic and reputational risks, said Michael Fay, a principal with Deloitte & Touche, at the NICSA Risk Management Seminar in Boston last month. Added to that list at Fidelity Management & Research Co. are concerns over counterparty, information and technology risks, said Brian Conroy, senior vice president, head of global equity trading at FMR.
Which means effective risk management has to go beyond systems to manage all of these individually critical and complex concerns, Fay said. Risk has to be managed across parts of an enterprise and its front-, back- and middle-office operations. "The primary characteristics we see in a 'Risk Intelligent Enterprise' is managing risk across all classes of risk to consider the extended enterprise, including service providers. Linkage is necessary, and it's predictive rather than just holistic," he said.
When these various risks can be properly controlled, asset managers and other financial services companies can feel comfortable developing new products and extending their business into new markets and channels, Fay and other speakers said. In that way, a truly comprehensive and effective risk management program is not centered on problems, but on bringing value to a company.
For mutual fund and other asset management companies, where the products are so complex and varied, it is necessary to coordinate risk management among the various business units, speakers agreed.
Deborah Siedel, vice president and business risk manager at T. Rowe Price Associates, said her company began a centralized risk management approach last year, and that her role is to "look at it above the trees." That does not mean that the individual business units are off the hook, Siedel stressed. "We still feel strongly that business units should still own their risk as they have the subject-matter expertise," she said.
Likewise, State Street studies how its various business units handle risks and is working on coordinating and aggregating these efforts more effectively, said Gene Morris, vice president, risk management, alternative investment solutions. Nonetheless, "We look for our business units to own the risk," Morris said.
Citi Fund Services is working to "eliminate overlap where we can" and to apply a "future-looking concept" to avoid unseen problems, said Chuck Booth, director of regulatory and compliance services.
Establishing a policy and the software to provide metrics is critical to being able to obtain risk-related information, Fay said. "We maintain a database for escalation issues," Booth said. "If you emphasize that, you get good information."
However, the risk-related data that asset management firms collect tends to be more qualitative than quantitative, making it difficult to sort through the information to spot potential problems. As hard as it is to develop quantitative standards for different types of business units, State Street is working on quantitative risk reporting standards.
The next step for asset management firms' risk management systems is to look for unforeseen problems, speakers said.
"We are still probably a little bit [mired in the] rearview mirror," Morris said. "We are attempting to take [risk management] to be more forward-thinking. Our business units are asking us to be predictive. We are not there. We are evolving to that."
Being able to see the whole picture and eradicate problems goes back to reliable, quantitative data, said Benton Brown, editor in chief of RiskNews.com.
Nine Principles of a Risk-Intelligent Enterprise
1.) Look to the top. Make executive management responsible for an effective, full-time risk program.
2.) Look both ways. Define risk management as a way to preserve but also to create value.
3.) Set standards. Develop a single risk framework.
4.) Define duties. Clearly define and delineate executives' roles, responsibilities and authority.
5.) Open the lines. Make sure your risk specialists communicate with one another.
6.) Spread the word. Share these risk management practices with the board, audit committees and other governing bodies.
7.) Spread responsibility. Make business units responsible not just for performance but also for the risks they take.
8.) Create a culture. Help your finance, legal, human resources, tax and IT departments support your risk management culture.
9.) Check yourselves out. Insure all of your risk management efforts with robust internal audits, risk management and compliance efforts.
Source: Deloitte & Touche.
Deloitte's full report is available at: http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/IMOs/Governance%20and%20Risk%20Management/us_risk_PuttingRiskintheComfortZone.pdf