Thursday, January 08, 2009

Negotiating the Risk Mosaic

A Study on Enterprise-Wide Risk Measurement and Management in Financial Services

by Alden Toevs, Robert Zizka, William Callender, and Emil Matsakh, First Manhattan Consulting Group

"Enterprise-wide risk measurement and management" entered the business lexicon in the late 1990s. In 2002, 30 leading financial institutions from around the globe joined a study sponsored jointly by the Risk Management Association (RMA) and First Manhattan Consulting Group (FMCG) to agree on a useful definition for enterprise-wide risk measurement and management (EWRM) and then assess each institution's performance vis-à-vis best practices. Selected highlights follow.1

Overview of the Study

Senior risk managers of 13 leading financial institutions collaborated with RMA and FMCG to design a comprehensive questionnaire to codify emerging best practices.

The study's scope and focus were guided by three overarching objectives:

Determine where the industry is today with respect to EWRM.

Identify current and emerging best practices in individual risk types (e.g., credit, operational, market, structural interest rate, and business risks).2

Speculate on how EWRM may evolve.

Early in the effort, the group drafted a working definition of EWRM:

"A holistic approach to measuring and managing major risk types based on their simultaneous consideration (and interrelationships where appropriate), thus allowing an institution to understand and adjust its risk exposures in an overall risk/reward framework."

Peer Groups Defined by EWRM Sophistication

Risk measurement and risk management go hand in hand. The term "measurement" was assigned to cover the requisite identification of types of risk and the data, analytics, and tools used to quantify risk across an organization using a common currency or metric whenever possible. "Management" was used to cover organizational approaches, policies, procedures, and decision making used to influence or alter the risk positioning of an institution.

To draw out consistent "themes" on the industry's state of play in EWRM, the survey respondents were segmented based on a "scorecard" of approximately a dozen higher-level risk measurement and management questions from the survey (see Figure 1). Out of this process three peer groups emerged: Leaders, Semi-advanced, and Traditionalists.

It is important to note that the survey participants as a group could all be characterized as advanced when compared to the entire universe of their peers. Figure 2 provides an illustration of this point: almost 90% of the survey participants already have, or plan to have, a separate credit portfolio management unit.

The scorecard in Figure 1 shows how participating institutions fared in the measurement and management dimensions. Twelve fall into the leadership category, defined as being advanced in either measurement or management while, at a minimum, meeting the standard definition of the other; 3 of the 12 scored as truly advanced in terms of both risk management and measurement. (There are 9 "Semi-advanced" and 7 "Traditionalists"; these 16 are collectively referred to as "Strivers.")

Consistency Across Segments

Leaders are more apt to self-assess their progress conservatively as compared to Strivers: This finding suggests that those who have made the most progress best understand just how much there is left to do.

One notable finding was that the segmentation scheme based on a dozen or so questions yielded peer groups with largely cohesive practices within each group. Over the more than 300 questions in the survey, peers in each group most often answered similarly to one another, but differently than institutions in other peer groups. Thus,

Leading institutions share basic characteristics in their measurement methodologies and management practices.

Although EWRM is a complex evolutionary process, financial companies can ask themselves a limited number of questions to self-assess their relative aptitude.

The Role of Culture and Policy in EWRM

Leaders are almost three times more likely than Strivers to identify risk/reward management competencies as key sources of competitive advantage. For Leaders, EWRM initiatives are often championed by executives who look for improved risk/return trade-offs in the context of a stated risk appetite as the primary payback on EWRM expenses. Thus, Leaders' investments are driven by more than capital relief, lowered volatility, and loss avoidance.

Leaders indicated that their boards of directors are significantly more involved in setting risk appetite and monitoring risk levels. Boards of Leader banks more often have a series of one-off presentations made on risk topics. (Over the last three years, two-thirds of the Leaders had boards that requested more than five substantial presentations on risk management issues.)

Leaders, more than Strivers, encourage their risk officers to question the risk decisions of business managers; business managers, in turn, are more often encouraged to question the risk decisions of other business managers. Leaders almost all have risk directors placed into individual businesses. These risk directors are given more authority to mitigate losses through a variety of methods, including stopping transactions from being booked, forcing the line to off-load risk, or hedging exposures with the cost of the hedge hitting the business's P&L.

Part of a risk culture involves defining the institution's "risk appetite"; here Leaders are twice as likely as Strivers to express risk appetite for each risk category in the form of explicit limits for expected and unexpected losses. Leaders are much more likely than Strivers to have well defined, formal policies for measuring, reporting, and managing newer risk types such as business and model risks. Moreover, many Leaders have clearly defined procedures for how to conduct measurement and management activities (for example, procedures on how risk events should be classified and held in databases); Strivers typically do not.

Compensation and incentives play a strong role in building a risk culture. Every Leader uses risk-adjusted performance measures in their incentive compensation; only 60% of Strivers do so.

Organizational Structure in an Enterprise-Wide Framework

There is a long-running debate on the degree to which risk management should be conducted on a centralized or decentralized basis. Clearly, the best approach is a function of the institution's corporate culture and its risk/return posture. There is a lack of consensus on the degree of centralization; yet a matrixed risk management organizational design is emerging.

As depicted in Figure 3, the organizational structure most commonly used has one person accountable for both overseeing the risk measurement process and supporting high-level risk governance decisions. That position, often titled the chief risk officer (CRO), usually reports to the president and/or CEO. The role of the CRO expands and becomes more fulsome as institutions move from Traditionalist to Leader status. For Traditionalists, the CRO typically addresses credit and market risks; at the Semi-advanced level, operational and business risks begin to enter the CRO's span of control; and for Leaders, the role often includes capital management activities and assurance functions (such as compliance).

In this structure, a functional risk officer is made responsible for measurement and staffing of governance committees for each major type of risk (such as credit). This person usually has a dedicated staff of specialists and most often directly reports to the CRO.3

An additional level of management exists in what might best be termed business risk directors (BRDs). These individuals carry no P&L responsibilities (that is, they are not "risk" portfolio managers), but they have advisory monitoring and control responsibilities for all risk types within a particular business unit. Given the centralized-versus-decentralized debate, there is a lack of a standard reporting hierarchy for BRDs. In some cases they report to the CRO directly and in others they act as direct reports to their respective business unit executive, with informational and policy reporting responsibility to the CRO. (BRDs rely on the risk specialist staffs of "Functional Risk Officers" for policy/procedural standards and guidance.)