A Bridge Too Far? Risk Appetite, Governance and Corporate Strategy (Whitepaper)


Published on

“Many firms have made progress in developing their risk appetite frameworks and have
begun multiyear projects to improve the supporting IT infrastructure,” said David M.
Wallace, Global Financial Services Marketing Manager at SAS. “As a provider of risk
solutions, we have seen much more interest over the past three years in firms looking to
have additional technology to support a firmwide view of risk exposures. Learn more at: www.nafcu.org/sas

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

A Bridge Too Far? Risk Appetite, Governance and Corporate Strategy (Whitepaper)

  1. 1. A Bridge Too Far?Risk Appetite, Governance and Corporate Strategy CONCLUSIONS PAPERInsights from a Global Association of Risk Professionals (GARP) webcastsponsored by SASFeaturing:Deepa Govindarajan, Lecturer,IMCA Centre, Henley Business School, University of ReadingLon O’Sullivan, Executive Director, Firm Market Risk,Morgan StanleyDavid M. Wallace, Global Financial Services Marketing Manager,SASPeter Went, Senior Researcher,Global Association of Risk Professionals (GARP) Research Center
  2. 2. SAS Conclusions PaperTable of ContentsIntroduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Icebergs and Unsinkable Ships. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Risk Appetite: What It Is and What It Isn’t . . . . . . . . . . . . . . . . . . . . . . 3Risk Appetite, Risk Tolerance, Risk Profile and Risk Ceiling . . . . . . . 3Seven Recommendations for Stronger Risk Management. . . . . . . . . 5 1. Address the Full Risk Ecosystem. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Create a Meaningful Risk Appetite Statement. . . . . . . . . . . . . . . . . . 6 3. Manage the End-to-End Risk Life Cycle. . . . . . . . . . . . . . . . . . . . . . 6 4. Establish an Environment of Collaborative Decision Making. . . . . . . 6 5. Strike a Balance Between Bottom-Up and Top-Down Approaches . 7 6. Report on Risk in a Way that Supports Sound Decisions. . . . . . . . . 8 7. Establish Ownership at Multiple Levels of the Company. . . . . . . . . . 9Closing Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9About the Presenters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
  3. 3. A Bridge Too Far? Risk Appetite, Governance and Corporate StrategyIntroduction “ firms that recorded relatively larger unexpected losses tended to champion … the expansion of risk without commensurate focus on controls across the organization or at the business-line level.” “ senior management’s drive to generate earnings was not accompanied by … clear guidance on the tolerance for expanding exposures to risk.” “ balance sheet limits may have been freely exceeded rather than serving as a … constraint to business lines.” “ irms rarely compile for their boards and senior management relevant measures F of risk … a view of how risk levels compare with limits, the level of capital that the firm would need to maintain after sustaining a loss of the magnitude of the risk measure, and the actions that management could take to restore capital after sustaining a loss.”Those words came from the report, Risk Management Lessons from the Global BankingCrisis of 2008, submitted by the international Senior Supervisors Group. In hindsight,the authors could have dropped the year from that title. They did drop it the next year,when their report focused on risk management frameworks and the IT infrastructuresthat support those frameworks. The report card for financial services firms wasn’t much “ n integrated, firmwide risk Abetter in that report: management system – one that “ no single firm was observed to have developed a fully comprehensive … can provide immediate analysis framework containing all the better practice elements described in this report.” and speedy results… is going “ aggregation of risk data remains a challenge for institutions, despite its … to be key to success in the criticality to strategic planning and decision making.” volatile financial environment that we are clearly are going to “…considerably more work is needed to strengthen those practices that were revealed to be especially weak at the height of the crisis.”1 have for the next several years.” David Wallace“Many firms have made progress in developing their risk appetite frameworks and have Global Financial Services Marketingbegun multiyear projects to improve the supporting IT infrastructure,” said David M. Manager, SASWallace, Global Financial Services Marketing Manager at SAS. “As a provider of risksolutions, we have seen much more interest over the past three years in firms looking tohave additional technology to support a firmwide view of risk exposures.“Consolidation of risk data on spreadsheets doesn’t provide the required ability forstress testing and scenario analysis. An integrated, firmwide risk management system –one that can provide immediate analysis and speedy results, one that can allow seniormanagement and boards of directors to make decisions in near-real time – is going tobe key to success in the volatile financial environment that we are clearly are going tohave for the next several years.”1 Source: Senior Supervisors Group, Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, December 29, 2010. 1
  4. 4. SAS Conclusions PaperIcebergs and Unsinkable Ships“The recent financial meltdown has come as something of a shock to those who hadbeen led to believe the modern financial industry had seen the end of boom-and-bust cycles, through the optimization of resource allocation and very sophisticatedrisk diversification managed by very intelligent people sitting in financial analyst firms,”said Deepa Govindarajan, a lecturer at the Henley Business School at the University ofReading.“As a consequence of the crisis, firms, regulators and governments are paying muchmore attention to recovery and resolution plans, stress testing, and other tools toprevent future crises. Still, the correct scrutiny of corporate risk appetite has been givenconsiderably less attention than other prominently debated mechanisms, such asmacroprudential oversight and resolution tools. This might be because some influentialcommentators and regulators are still intrinsically wedded to the belief that the need fora regulatory presence or intervention is solely for cases where the market failed to make “ e may build very well- Wits own corrections. In their view, the regulators’ place in the financial world is to ensure capitalized firms and havethat failing firms are wound down in an orderly manner, and that any systemic bubblesare addressed as they come up. excellent macroprudential oversight, but it’s really“This sounds perfectly reasonable and proportionate, but it is based on an immature important that strategicphilosophy that views the world solely through the lens of utopian mathematicaleconomic models, such as those that assume that other things remain constant. choices are evaluated in conjunction with the risks“Here’s a simple analogy. Even if we build a very robust passenger ship – the Titanic, those choices pose. …for example – it is advisable not to crash it into icebergs every day. It is really importantthat the ship is well-run and on a sensible course in the first place. We need to ensure We must adopt a morethat the crew is not incentivized to take disproportionate risks that could cause a tragic realistic approach to thecatastrophe, even if the Coast Guard has sophisticated weather reports, or even if there management of risk, beyondare enough lifeboats to get people ashore. simply attempting to prevent“Similarly, we may build very well-capitalized firms and have excellent macroprudential stakeholder detriment oroversight, but it’s really important that strategic choices are evaluated in conjunction with addressing it after the fact.”the risks those choices pose. More attention deserves to be paid to proactively holdingboards accountable, and by this, I mean by institutional investors [and] regulators who Deepa Govindarajanare more really informed parties within the discussion about the firm itself. We must Lecturer, IMCA Centre, Henley Businessadopt a more realistic approach to the management of risk, beyond simply attempting School, University of Readingto prevent stakeholder detriment or addressing it after the fact.“As the first port of call, a formal risk appetite statement allows the board to providestrong boundaries within which management executes business strategy. It allowsinterested parties to properly evaluate those strategic choices. In situations whereboards are unwilling or unable to disclose this information more widely, we would requireregulators to step in to address those deficiencies, because there are some discussionsthat can only be held in a closed room.”2
  5. 5. A Bridge Too Far? Risk Appetite, Governance and Corporate StrategyRisk Appetite: What It Is and What It Isn’t“Experts argue that because risk appetite has been poorly understood, both by boards “ isk appetite is complex. Rand by senior management, in turn, it was inappropriately implemented by those whowere mandated to assume risks on a daily basis,” said Peter Went, Senior Researcher It reflects risk culture. It reflectsat the Global Association of Risk Professionals (GARP) Research Center. “That is widely how well active risk taking isbelieved to have contributed to the extent of this crisis.” understood and incorporatedIn a perfect world, risk appetite is: into the institutional, cultural, strategic and governance fabric• Defined as the level and duration of quantifiable and active risk exposure (including the potential for adverse outcomes) that organizations are willing and/or able to of the firm. If it is not incorporated assume to achieve strategic objectives. well, this delicate structure• Embedded in the governance framework in support of stakeholders’ tactical and breaks at its weakest link.” strategic priorities, decisions and objectives. Peter Went• Reflected in hard and soft risk metrics – such as threshold income levels and Senior Researcher, GARP Research Center benchmark risk-adjusted return levels – that support business decision making and reporting, both internal and external.• Understood to be a continuously evolving and consistently articulated connection between strategic objectives and realities, target setting and follow-up, and risk management priorities.“Risk appetite is both a process – developing the framework – and a policy statementthat reflects the risk appetite,” said Went. “A formal risk appetite statement, effectivelystated, allows the board to provide strong boundaries within which managementexecutes business strategy. A consistently promoted, policed and polished risk appetiteis an essential component of any robust risk architecture.”Risk Appetite, Risk Tolerance, Risk Profile and Risk CeilingWhat do we mean by risk appetite? People often talk about risk ceiling, appetite, “ isk appetite is a continuously Rtolerance and profile in the same breath, when they actually mean different things. Figure 1presents Govindarajan’s approach to differentiating these terms. evolving and consistently articulated connectionRisk ceiling. The black line at the top of the chart represents the risk ceiling, the between strategic objectivesthreshold beyond which firms would no longer be able or allowed to operate. Thisthreshold could be breached by financial weakness, loss of reputation or other and realities, target settingtemporary shock from which the firm might not recover without extreme measures, such and follow-up, and riskas government intervention. management priorities.”Risk appetite. The red line depicts risk appetite, the aggregated account of the Peter Went,board’s willingness to allow management to take certain risks in the pursuit of strategic Senior Researcher, GARP Research Centerobjectives. While the risk ceiling is relatively stable (assuming there’s no major financialcrisis), the risk appetite does change to reflect internal and external conditions. 3
  6. 6. SAS Conclusions Paper Risk profile. The green line describes the risk profile, the true risk position of the firm at any given point. “The diagram shows that it takes a little bit of time for the actual risk profile of the firm to adjust to changes in risk appetite, assuming it’s a well-run firm, and people actually do what the board wants them to do,” said Govindarajan. Risk tolerances. The two blue lines reflect the risk tolerances, the boundaries within which executive management is willing to allow the true, day-to-day risk profile of the firm to fluctuate. “The upper line reflects the level to which the risk profile can rise before the executive team expects board intervention,” said Govindarajan. “The lower bound of risk tolerance reflects the minimum level of risk the executive team would expect to take “ ome argue that risk appetite STerminology to achieve strategic objectives. We cannot achieve returns without risk. The risk-bearing capacity is basically that zone below the risk ceiling in which the firm seeks to achieve a is simply a chicken-and-egg trade-off between risk and return.” problem. The risk culture 6 reflects the risk appetite, and Ri sk Ce i l i ng the risk appetite shapes the 5 risk culture. Acknowledging this Ri sk Appe ti te interrelationship is essential, 4 since these two jointly define 3 Ri sk Profi l e the level, complexity and aggressiveness that firms can 2 Ri sk take risks and expose their Tol e rance - Uppe r stakeholders to these risks.” 1 Ri sk Tol e rance - Peter Went Lowe r Senior Researcher, GARP Research Center 0 Jan- Feb- Mar- Apr- May- Jun- Jul- Aug- Sep- Oct- 09 09 09 09 09 09 09 09 09 09 Ti me Hori z on Figure 1. The relative relationships among risk ceiling, risk appetite, risk profile and risk tolerances. It is important to distinguish between risk appetite and risk tolerance, because they are not the same thing, said Govindarajan. “In the real world, there is invariably a time lag between the communication of a board decision, the change in risk appetite, and the reality of when management can translate that into credible actions. … Setting the ongoing tolerance to the variability of the profile allows executive management to react to factors such as movements in the market, the competence of staff in achieving targets, cultural issues, measurement errors and model risks. “Even where risk appetite is understood and deployed effectively, events such as limit breaches can and do occur, and we all know that in our day-to-day world. An upper bound of risk tolerance therefore provides a legitimate and formal means for executive management to ensure that the time lag in the transmission of risk appetite to each of the various business areas does not result in breaches of the board’s risk appetite on a day-to-day basis. 4
  7. 7. A Bridge Too Far? Risk Appetite, Governance and Corporate Strategy“The headroom between the risk profile and the upper bound of risk tolerance allows “ eflect on your own risk Rmanagement to deploy resources and take necessary mitigating actions before risk appetite statement, if youappetite as a whole is infringed. It also gives executives the freedom and the legitimacyto engage in risk taking and to act without constantly referring back to the board have one, and see whetherroom or requiring regulatory nannying. The lower bound is also important, because it it reflects a differenceunderlines the extent to which executive teams believe that it makes credible business between risk appetite andsense to make further investments that would result in the reduction of risk. There is nopoint reducing risk if it the investment is not generating return.” risk tolerance, whether you make a clear distinction“Reflect on your own risk appetite statement, if you have one, and see whether there between risk tolerances andit reflects a difference between risk appetite and risk tolerance, whether you make aclear distinction between risk tolerances and risk profiles, and whether your resource risk profiles, and whether yourdeployment and your investments reflect your risk appetite in appropriate policies, resource deployment and yourprocesses, systems and transparent limits.” investments reflect your risk appetite in appropriate policies,Seven Recommendations for Stronger Risk Management processes, systems and transparent limits.”Our panelists discussed seven practices that bring greater clarity to risk appetite whilealso embedding it into the overall risk management framework. Deepa Govindarajan Lecturer, IMCA Centre, Henley Business School, University of Reading1. Address the Full Risk EcosystemIn setting risk appetite, firms will attempt to quantify and analyze five common types ofrisk, said Lon O’Sullivan, Executive Director of Firm Market Risk at Morgan Stanley:• Market risk focuses on changes in portfolio value related to changes in market prices, correlations and volatilities, using tools such as Value at Risk (VaR) analysis, stress testing and reverse stress testing to articulate this risk and quantify it to senior management.• Credit risk relates primarily to lending and counterparty risk, pricing that risk and setting appropriate limits. “This is a critical piece for most banks, as a big chunk of the exposures that any financial institution will face has to do with counterparties Benefits of a Sound Risk and lending activities,” said O’Sullivan. Appetite Statement• Operational risk relates to processes and people, uncovering operational risk • Establish and communicate a issues and determining how to mitigate them, often revealed through such tools high-level strategy. as risk and control self-assessment (RCSA). • Ensure good governance and• Liquidity risk concerns the ability to fund and trade the products on the balance board accountability. sheet, to manage the sources and maturities of the funding, and to make sure • Evaluate performance and temper there is a sufficient liquidity pool. irrational exuberance.• Capital risk, or the risk of a company losing the amount of an investment, has become one of the most important aspects of the firm in the last few years, and • Mitigate capital and other financial one of the key metrics used to measure risk appetite and risk tolerance. risks. • Manage risk in holistic context. 5
  8. 8. SAS Conclusions Paper1. Create a Meaningful Risk Appetite Statement“Risk appetite is a corollary for business strategies, so boards that cannot articulate or “ isks are not additive in nature. Roversee risk appetite are inherently saying they cannot oversee the associated businessstrategy,” said Govindarajan. “Currently, executives have found it difficult to engage the If we were to take any traditionalrisk appetite statement, because the statement has come to resemble a series of very firm and simply sum up theempty platitudes. The banality of such statements ensures that they cannot be turned lowest limits there, no firminto practical policies, and this clearly defeats the motives of soundness, consistencyand transparency. would be in business. There are diversifications and correlations“Some boards have delegated the creation of risk appetite statements to the executive to consider to understand howteam or to the risk management function. This may be due to the mistaken belief thatrisk appetite can be aggregated from the underlying limits currently used within the risk the risks actually evolve in themanagement framework, which, unfortunately, means that the cart is placed before market and can interact orthe horse. In such cases, interactions of risks – and the articulation and balancing of trigger each other.”stakeholder objectives – have inadvertently been glossed over. Lon O’Sullivan“It is important that risk appetite is articulated by the board. The executives must then Executive Director, Firm Market Risk,translate that risk appetite into sensible processes, policies, limits and procedures.” Morgan Stanley3. Manage the End-to-End Risk Life CycleFinancial firms must have a mechanism that manages all the stages of the risk life cycleand aligns with the risk appetite statement. It must also have formal processes to:• Identify the key risks in their area, on all five dimensions described earlier.• Assess the potential impact of these risks, using standardized risk measurement methodologies and reporting.• Implement a control structure around these risks – such as stated limits, ongoing monitoring and early warning of potential breaches – to certify that risk appetite is being appropriately managed.• Report on all of the firm’s risk exposures, material concentrations and key risk indicators (KRIs).• Manage those risks to optimize the risk and capital profile, advise senior management on risk-based decisions, and help the corporate board and senior management set appropriate risk appetite levels.“Reporting needs to occur at a variety of levels – at a very granular level and a very highlevel – to be able to aggregate a comprehensive set of risk reports that capture the fullpopulations of positions and counterparties in one’s portfolio,” said O’Sullivan.4. Establish an Environment of Collaborative Decision MakingHigher-risk products may carry higher margins; more conservative products deliverlower returns. Therefore, should the risk management function define the productmix that traders should sell? Whose responsibility is it to strike that balance betweenmarketing/sales revenues and risk management controls?6
  9. 9. A Bridge Too Far? Risk Appetite, Governance and Corporate StrategyThis is a provocative question for which the answer is evolving, said Went. “We have “f you look at the lessons from Iseen a change in practice in that the control function is getting more and more powerin some decisions. Even though it should not be the risk managers’ role to decide what the financial crisis, it seemstrades to put on, their voices have to be heard. Their understanding of other risk aspects that many risk decisions werethat perhaps the business side is not fully aware of must be incorporated in these made in silos. There wasn’tdecisions. It should be an integrated and mutually supportive discussion between the a very good feedback loopbusiness and the control side. between the bottom-up risk“I cannot masquerade as a trader, and traders cannot masquerade as risk managers. It decisions and what the boardis more important for these two professional groups to jointly arrive to a solution that is and senior managementnot only beneficial for the trader but also beneficial for the long-term success, survivabilityand sustainability of the institution.” understood was going on from the perspective of the5. Strike a Balance Between Bottom-Up and Top-Down Approaches risk appetite and the level ofO’Sullivan described and compared two very different models for managing risk: bottom- exposures that were trendingup and top-down. up in many cases during the“Bottom-up risk management considers risk at the transaction or risk factor level and height of the crisis.”is very detailed. For each product or position that comes on, an evaluation is done. David WallaceLimits or other controls are set at the individual trading desk or at the business level. Global Financial Services MarketingRisk reporting is typically done at the product or business level as well. Market, credit, Manager, SASoperational and liquidity risks tend to be managed independently at this level. Risk andbusiness heads attempt to put the story together in order to construct the big picture.“The advantage to this bottom-up approach is that you get much more detailedinformation about product or business-facing risks in your portfolio. You are able toindependently evaluate market, credit and operational risk in isolation – and spend a lot oftime thinking about how each will impact the desk level or an individual transaction. Youget a very detailed understanding of each transaction, which makes it easier to manageat a very granular level. Typically, you are working with heads of desks or individualtraders to define the risk appetite and tolerance, and to negotiate amongst these parties.The challenge here is that it is very difficult to see the forest when you’re focused on “ he advantage to this Tspecific trees.” bottom-up approach is that you get much more detailed“If you look at the lessons from the financial crisis, it seems that many risk decisions weremade in silos. There wasn’t a very good feedback loop between the bottom-up risk information about product ordecisions and what the board and senior management understood was going on from business-facing risks in yourthe perspective of the risk appetite and the level of exposures that were trending up in portfolio. … The challenge heremany cases during the height of the crisis,” said Wallace. is that it is very difficult to seeIn contrast, a top-down risk management approach takes a more enterprise-level view the forest when you’re focusedof risk, looking across combined market, credit, operational, liquidity and capital risks. on specific trees.”Stress testing and reverse stress testing is implemented across all products, businessesand risk types. There may be a dedicated team that works with business and risk heads Peter Wentto manage the big picture. Risk appetite decisions are made at the firm level. Senior Researcher, GARP Research Center 7
  10. 10. SAS Conclusions Paper“The key advantage of this approach is that you can focus not only on individualtransactions but also the correlations amongst the various assets, products, positionsand counterparties,” said O’Sullivan. “We can consider risks across businesses andacross products.“Putting together a cohesive picture of risk across all dimensions is challenging, and “ ffective risk management Esomething that needs to be invested in by firms to consider all risks, not just individual is often about delivering therisks. Sometimes the sum of the parts is more than the whole, and sometimes it’s less,but putting this kind of structure in place will allow firms to gain competitive advantage.” message in a simple and clear manner, while still translating6. Report on Risk in a Way that Supports Sound Decisions the key message or challenge“Risk reporting sometimes gets trivialized as just something that one does,” said that will require a risk decisionO’Sullivan. “However, it is one of the most critical components of the risk framework. to be made. Many riskPoor risk reporting, missing exposures, not having consistency in the way that you’re managers are notoriously poorthinking about risks – it all equals bad decision making in firms. at this critical management“Good risk reporting should cover all material product areas and all of the skill.”aforementioned risks. It should use standardized measures, so risks can be clearlycommunicated,” said O’Sullivan. “If we have, say, interest rate risk being calculated Lon O’Sullivan Executive Director, Firm Market Risk,one way for one position and a different way for another position, how would the firm Morgan Stanleyput those risks together and determine its aggregate risk exposure on interest rates?Without standardized measurements, it is very difficult for a board or senior executivesto act on a risk decision.”Risk reporting should reflect ongoing monitoring of key controls, such as positionlimits or VaR limits, so the control process is transparent and senior management canevaluate how the portfolio stands relative to risk appetite.Equally important, risk reporting should address its audience, be readily understood bythem, and be comprehensive enough to support decisive action.“The second element of delivering the message is effective management through riskadvisory,” said O’Sullivan. “In my view, risk advisory is the most important element in riskmanagement. Measuring and reporting is fundamental, but influencing risk decisions isthe most important aspect of being a risk manager.“In order to exert that influence, you have to be able to explain a case to boardmembers who are not likely to be intimate with the jargon and complexities ofrisk professionals. Therefore, the most effective risk managers are those who canmake themselves understood to an audience that might not have a technical orrisk background. When I construct presentations, I often think: If I had to give thispresentation to my grandmother, would she understand it? And if my answer is no, thenI start over.”8
  11. 11. A Bridge Too Far? Risk Appetite, Governance and Corporate Strategy7. Establish Ownership at Multiple Levels of the CompanyO’Sullivan summarized three levels of governance that would typically occur in a financial “ ood risk management is not Ginstitution: only about having the right• At the top of the list is the Board Risk Committee, a subcommittee of the board answer. It’s about being able to of directors that is chartered to handle specific risk issues. Typically composed of communicate the answer and non-management directors, this subcommittee sets risk appetite, enforces the risk governance structure and monitors the risk profile against the agreed-upon risk influence the correct decision appetite. to be made.”• Executive Risk Committees are management committees typically composed of the Lon O’Sullivan most senior officers (C-level executives and their direct reports). These committees Executive Director, Firm Market Risk, tend to meet once or twice a month and are accountable for day-to-day risk Morgan Stanley management for the firm.• Divisional Risk Committees are charged with looking at each division independently and coming up with a risk strategy and a risk tolerance. These committees are typically made up of desk heads and other key executives who meet weekly and focus on business-specific issues.“Effective governance means that information flows seamlessly up and down thishierarchy of risk committees,” said O’Sullivan. “Risk decisions made by the Board RiskCommittee should be pushed down to the Executive Risk Committee and ultimatelydown to the Divisional Risk Committees. A feedback and interaction loop flowing up thechain is equally important.” “ here should be no such thing TGovindarajan agreed: “There should be ownership at board level, ownership at executive as a separate, standalonelevel, and ownership within the firm. The board must oversee how the scene is setand balance strategic objectives. Executives must manage the risk profile and the risk risk appetite framework. Riskmanagement framework. And through a good risk culture, the organization must own appetite guides your riskthe risk appetite statement.” management framework and the way you manage risk withinClosing Thoughts the firm.”“Boards that view risk functions simply as a way to keep out of trouble – and who do not Deepa Govindarajanplay an active role in setting risk appetite and risk limits – are really not doing a service Lecturer, IMCA Centre, Henley Businessto their shareholders,” said O’Sullivan. “Risk is also about addressing strategic business School, University of Readingrisk and future business opportunities, in addition to managing what’s currently on thebooks.” Effective governance structures promote better management of future risks, aswell as better understanding of past risks.“To do this well – to establish a meaningful risk appetite statement and framework –requires consistent and unwavering support and monitoring by the board and faithfulenforcement by senior management,” said Went. “That is why risk appetite is not astatic statement, but rather a proactive and dynamic framework that distills changingconditions, possibilities and constraints.” 9
  12. 12. SAS Conclusions PaperAbout the PresentersDeepa GovindarajanLecturer and Visiting Fellow, ICMA CentreHenley Business School, University of ReadingDeepa Govindarajan, Lecturer and Visiting Fellow at the ICMA Centre at the Universityof Reading’s Henly Business School, teaches compliance, risk management andregulation within the master’s program. Her research interests cover corporate riskappetite, senior management arrangements and governance within financial institutions,qualitative decision making, operational risk, the sociopolitical context of banking andfinancial regulation, and the comparative study of international banking regulations.Govindarajan periodically serves as an independent expert advisor to regulators, banks,asset managers and insurers. She facilitates board discussions related to the definitionand dissemination of risk appetite, and the risk implications of strategic choices. As aspecialist in governance and risk oversight, Govindarajan also evaluates financial firms’governance arrangements, risk management frameworks and risk culture.In addition to roles at Citigroup, the UK Financial Services Authority (FSA), and LloydsBanking Group, Govindarajan has also held positions in consulting and academia.Lon O’Sullivan, FRMExecutive Director, Firm Market Risk DivisionMorgan StanleyAs Executive Director in Morgan Stanley’s Firm Market Risk Division, Lon O’Sullivan leadsthe Global Portfolio Analysis group and is responsible for briefing senior managementon key market risk exposures. He spent three years at Morgan Stanley’s London office,where he was responsible for creating the regional analysis and reporting team.Prior to Morgan Stanley, O’Sullivan worked as a market risk manager for foreignexchange and commodity risk, and as an equity derivatives product controller atDeutsche Bank.O’Sullivan earned a bachelor’s degree in economics from Binghamton University,State University of New York (SUNY), and a master’s in finance from the LondonBusiness School. He has been a certified Financial Risk Manager (FRM®) with theGlobal Association of Risk Professionals (GARP) since 2005. O’Sullivan served on thecommittee for GARP’s professional chapter in London before his relocation back toNew York and is currently a co-director for the New York chapter of GARP.10
  13. 13. A Bridge Too Far? Risk Appetite, Governance and Corporate StrategyDavid M. WallaceGlobal Financial Services Marketing ManagerSASAs Global Financial Services Marketing Manager for SAS, David M. Wallace isresponsible for defining industry strategy for the banking and capital markets segmentsof the global financial services industry. He has more than 30 years of experience inapplying information technology to solve customer needs, including a focus on thefinancial services industry for nearly 20 years.Before joining SAS, Wallace was Manager, Corporate Investment Banking,Americas FSI Marketing for Hewlett-Packard. He also held a number of senior salesand marketing positions over a 23-year career at HP. During a 10-year assignmentmanaging the relationship with a top-five US financial services firm, Wallace wasresponsible for client projects in consumer banking, commercial banking, trustadministration, retirement services, corporate and investment banking, shared services,and retail brokerage, among others.Wallace holds a bachelor’s degree in economics from the University of North Carolina atWilmington and an MBA from East Carolina University.Peter WentSenior ResearcherGARP Research CenterPeter Went is a Senior Researcher for GARP’s Research Center, where he conductsresearch in financial risk management. Went has co-authored five books on riskmanagement and numerous articles on foreign exchange, global equity market andcommodity risk, as well as on the effects of emerging financial regulation on financialand capital markets.Previously, Went worked for a boutique investment firm and taught finance and riskmanagement at University of Nebraska and the University of Connecticut.Went has a degree in economics from the Stockholm School of Economics and adoctorate in finance from the University of Nebraska. He is a Chartered Financial Analyst(CFA) and a board member of Woodlands Financial Services Corporation. 11
  14. 14. About SASSAS is the leader in business analytics software and services, and the largest independent vendor in the business intelligence market.Through innovative solutions, SAS helps customers at more than 55,000 sites improve performance and deliver value by making betterdecisions faster. Since 1976, SAS has been giving customers around the world THE POWER TO KNOW ® For more information on .SAS® Business Analytics software and services, visit sas.com. SAS Institute Inc. World Headquarters   +1 919 677 8000 To contact your local SAS office, please visit: sas.com/offices SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA egistration. Other brand and product names are trademarks of their respective companies. Copyright © 2012, SAS Institute Inc. All rights reserved. 105872_S83089_0712