This article was published in the April, 2009 edition of Risk Management Magazine. It describes how any organization, but financial institutions in particular, can build a top-down and bottom-up risk management system.
Rebuilding Financial Risk Management Published in Risk Management Magazine in April, 2009 http://www.rmmagazine.com/MGTemplate.cfm?Section=MagArchive&NavMenuID=304&template=/Magazine/DisplayMagazines.cfm&Archive=1&IssueID=334&AID=3875&Volume=56&ShowArticle=1 By Vincent H. O’Neil
Rebuilding faith and confidence in the financial services industry will take a long time, but the best place to start is with financial risk management. This cannot be mere window dressing; the end product has to be a risk management system that engages every financial institution employee from the CEO down. The current situation can be traced to risk management failures at every level, so it only makes sense that the solution should exist throughout all levels as well. Risk management should not be viewed as a department. Risk management is a system, an attitude and a climate — and everyone is a risk manager. Everyone is a Risk Manager
Risk Management is Everyone’s Job With so many people working in risk management positions, with reams of rules regarding acceptable exposure, and with million-dollar modeling and monitoring technology, why does financial risk management so often fail? When business is good, it’s easy to assume that nothing is wrong and that nothing is going to go wrong in the near future. Complacency can blind an institution to potential reverses, and it can stop people from speaking out when they think something might be wrong. Many of these people remain silent because they believe risk management is someone else's job, or they doubt their own understanding of the situation they are observing. A sound risk management system trains and motivates employees at all levels to examine their own business practices, even when everything seems fine, and to raise any issues they might find.
Managing in an Incentive-based World (1) The private sector is also an incentive-based world, however, and those incentives — if properly administered—usually yield improved performance. Unfortunately, they can also create circumstances where employees and managers break or ignore the rules in a quest for further compensation. Individual and department-level incentives are effective motivators, but they can tempt people to do the wrong thing.
Individual and department-level incentives are effective motivators, but they can tempt people to do the wrong thing. Employees can knowingly enter into bad deals in order to improve their bonus numbers. Managers can fall into this trap as well, ignoring violations of corporate policy in the name of helping their departments meet assigned business goals. At all levels, the institution's management must actively discourage the pursuit of short-term gains that violate the institution's rules or risk management fundamentals. Every employee must be made to understand the genuine danger represented by bending the rules, using historical examples ranging from the demise of Barings — formerly the oldest British merchant bank — to the events of 2008. Managing in an Incentive-based World (2)
If not properly administered, incentives pose the additional threat of creating an unhealthy risk management climate. In such an atmosphere, risk managers — and the rules they enforce — come to be regarded as obstacles to be overcome or avoided. When not supported by management, risk managers can become marginalized to the extent that the institution's rules can be ignored. Such an atmosphere can have far-reaching effects: If the management fails to enforce risk management regulations, their employees can come to view all of the institution's rules as being open to interpretation. Managing in an Incentive-based World (3)
The Danger of Ignorance (1) Ignorance is another hurdle to effective financial risk management. During the long economic boom of the 1990s, it was noted that many of the junior analysts in the financial industry had no personal experience of a bear market. Although recent events have clearly demonstrated that risky practices can have cataclysmic consequences, those lessons can be quickly forgotten. Unacceptable risk is frequently accepted by people who fail to recognize the hazard in the first place.
The Danger of Ignorance (2) Ignorance of the real consequences of a risk management failure can make an institution's risk regulations seem unnecessary, and even silly. Training is the answer to ignorance, and one of the most important goals of risk management training is convincing all employees that the danger is real . Risk management training must be an ongoing process, linking real-world case studies to explanations of the institution's control mechanisms. The recent examples of Lehman and Bear Stearns serve as a reminder that risk management failures can cost many people their jobs.
The Danger of Ignorance (3) On a related note, technology has the capacity to create a kind of passive ignorance that is quite dangerous to an institution's risk awareness. While technological monitoring is a valuable tool, overreliance on technology can create risk "blind spots" where financial modeling and risk-warning systems come up short. These blind spots can be missed if the employees using these systems are not trained in risk management fundamentals. At the very least, employees must be made to understand that the machines only do what they are programmed to do, and that only humans can expect the unexpected.
The Culture of Fear (1) The final — and perhaps the most difficult — challenge is overcoming the culture of fear. Concern over "not measuring up" and "not rocking the boat" can cause individuals to remain silent when they should speak out. Such silence strikes against the heart of the risk management climate, which seeks to create teams of redundant watchers trained to raise the alarm. Just as incentives can encourage individuals to make questionable deals, concern over a job can tempt employees to exaggerate the advantages of a potential transaction (or the creditworthiness of a potential customer) in order to bring in business and keep pace with their colleagues. It is the duty of the institution's management to create an atmosphere where this will not occur.
The marginalization of risk managers was mentioned earlier, but there is a similar circumstance, closely related to fear, in which the risk managers are at fault. This is the case of co-opted risk managers, who so closely identify with the departments and people they monitor that they fail to report violations of risk fundamentals. Risk managers are human, and the fear of being regarded as interfering or unreasonable by the people they see every day can cause them to become nonentities. The risk management hierarchy must be on the lookout for cases like this, and should consider a rotational system that prevents long association from becoming a problem. The Culture of Fear (2)
What to Do? <ul><li>Given all the factors opposing a proper risk management culture, attempting to overcome them all can seem daunting. But by focusing on four areas, organizations can build a top-down and bottom-up risk management system: </li></ul><ul><li>Senior Management Emphasis </li></ul><ul><li>Training at all Levels </li></ul><ul><li>Monitoring </li></ul><ul><li>Corrective Action </li></ul>
Senior Management Emphasis (1) Senior management must take the lead in creating a risk management climate that encourages every employee to study, understand, and monitor risk. This cannot be a one-time, or even a once-a-year, thing. Creating a risk management climate is an ongoing effort: The CEO as chief risk officer : Although the institution can still have a chief risk officer, the entire senior management team must be seen promoting risk awareness. This will not only motivate subordinates to do the same, but also serve to reinforce the importance of this effort. One possible route is to treat this like an internal advertising campaign, with posters and videos showing various employees, from senior management on down, stating, "I am the chief risk officer."
Senior Management Emphasis (2) Frequent, meaningful reminders : Senior management has a role in creating a sustainable level of risk awareness, and should take the opportunity to provide some of the instruction themselves. From breakfast speeches to classroom-style training to off-site seminars, there are numerous ways for leaders to reinforce the institution's dedication to risk management. Do not lead them into temptation : As mentioned earlier, bonus-based incentives can lead people astray, and sometimes for seemingly good reasons. Only senior management can create an atmosphere in which employees will choose to forgo a questionable business transaction that would have helped them earn a reward. Only senior management can convince employees that obeying corporate regulations will not place their jobs in jeopardy — disobeying them will.
Senior Management Emphasis (3) Enforce the rules : All the words in the world will not create risk awareness if violations are not corrected. Remedial training and verbal reprimands can reinforce an institution's risk management system, but they must be backed up with more serious punishment — including termination — when appropriate.
Training at All Levels (1) Building an inclusive risk management system is not an easy task. Overcoming complacency and ignorance is often a function of motivation, and so the training must convince employees that risk management is important — both to the institution and to the individual. Offer a free, recognized, and transportable risk management certification course : This is an excellent way to motivate employees at all levels to learn the fundamentals of risk management. It can be an internal program, an external certification, or a combination of the two. Offering this certification, regardless of rank or job, will go a long way toward creating risk awareness at all levels. Best of all, the employees who complete the course and receive this certification will fully understand the importance of risk management and know what to look for in terms of risky or fraudulent behavior.
Training at All Levels (2) Sustained training : The training effort, though containing some mandatory instruction at set time intervals, must be more than an annual or quarterly requirement. Middle and junior management can take part in this without making the time burden onerous. Using a series of brief lessons, middle managers can reinforce the message that the danger is real by citing examples taken right from the news that show how people who were not in "risk" jobs made (or could have made) a difference.
Training at All Levels (3) Constant reminders : Flash videos, wall posters, and junior management talking points can serve as frequent reminders of the importance that the institution places on risk awareness. To gain the proper impact, these reminders could be focused on the consequences of failed risk management, citing the number of jobs lost and legal penalties incurred. This can do a lot to reinforce earlier training showing the dangers of adopting an "everybody is doing it" attitude.
Monitoring Most of the risk management structure already in place will remain, including the risk managers themselves and the technology that measures risk exposure. As recent events have demonstrated, merely appointing a risk hierarchy and installing risk management software is not enough, even if this system is fully understood and obeyed. One of the key benefits of establishing a risk management climate in which every employee acts as a risk manager is the exponential increase in monitoring performed by the extra sets of trained eyes.
Corrective Action All the rules, managers, and software in the world will not create an effective risk management system if that system has no teeth. One sure-fire way to ruin a risk management system (and destroy the effectiveness of risk managers) is to tolerate repeated violations. Punishing violations is not always easy, particularly when the offending party is perceived as a star or rainmaker, but allowing these transgressions to continue brings the entire system into question. Corrective action can range from re-training to termination, but it must take place — and the reality of its presence must be understood by employees at all levels.
About the Author Vincent H. O'Neil was employed as a risk analyst for FleetBoston Financial and Bank of America for seven years. A West Point graduate, he has been involved in risk management for most of his working life. He is also an award-winning novelist. Website: www.vincenthoneil.com Email: email@example.com