Senior risk executives gathered for a roundtable in London, mid-November, to discuss how risk reporting to boards of directors could be improved, in light of the crisis. Sponsored by SAP
OpRisk & Compliance: The financial services industry is going through an unprecedented crisis, caused in part by a lack of awareness from boards of directors of the risks their firms faced. What is wrong with governance, risk and compliance reporting and transparency at board level in the industry?
Priti Verma, head of business risk, Pictet Asset Management: I think there is more to risk awareness than just reporting. There is a fundamental issue around governance, risk and compliance getting sufficient time with board members for face-to-face meetings. However, this question regards reporting and transparency. Looking at the reporting side first, the way in which different reports are received by the board is different. What I mean by that is, if we take audit reports as an example, auditors hate being labelled 'the police' but that is how they are seen, and nobody wants to get in trouble with the police. So when audit reports arrive on a board table, they are put in the 'must read' pile. Compliance reports also go in the 'must read' pile as no-one wants the responsiblity of any FSA action. Risk is still the poorer cousin I think of the three. In my experience the roles and responsibilities, and therefore the power and authority, risk has are either undefined or misunderstood both by the board and by the business itself. Risk reports can sometimes be conceptual, for example, the bubble maps that we all have, or theoretical, such as the aggregation of risks at a group level. So risk reports make an interesting read but go in the 'will read when I have time' or 'will skim before relevant meeting' pile.
Fagun Shah, head of group operational risk, Prudential: When we say 'unprecedented crisis' we are talking about the credit crunch and the consequences of it, so I would separate out some of the issues that were underlying in products beforehand. I do not think anyone could have guessed the turmoil would have had such a knock-on effect on the whole financial services industry. But to me events of this nature are strategic and it really comes down to culture. Either the board is interested in listening or not. I remember a Q&A session in February 2007 between two investment bank risk managers asking: How many executives could say to the board, 'we really do not think you should go into collateralised debt obligations (CDOs) because this is risky stuff.' Saying all that, we have had questions internally in our organisation as to whose job it would be to pick up something like that. Would it be the credit risk function? Would it be operational risk? I don't think we really care as long as someone is willing to escalate the issue.
Roger Stockdale, senior manager, group compliance and op risk, Lloyds TSB: As Fagan says, I think some of the problems arose from the bankers herd instincts. Bankers saw peers moving into subprime or CDOs and followed them into these markets. As risk managers, there are times when we must be brave enough to put our hands up and challenge whether there is another way of doing things or whether we should simply not do something all our competitors are. The organisational culture can make it easier or harder for risk managers to voice their concerns. The culture comes from the board. Do we understand what the board considers important? This question moves us into the establishment of risk appetite. Does the board give us and the rest of the organisation a clear understanding of its risk appetite? What is acceptable and what is not in terms of behaviours and risk exposures? As risk managers, if we can get time with the exec, we should be having that discussion with them and explaining why certain things are important and how they can help us by telling us what they want. Once we have an understanding of their risk appetite, we can determine which activities are moving us outside it and monitor these in our reporting.
Ferry Bleijenberg, global Icaap and op risk manager, GE Money: What it actually comes down to is the Internal Capital Adequacy Assessment Process (Icaap) is either two years too late or the crunch came two years too early, but by doing things like Icaap - and I'm not saying it is the cure-all that will save us all - but by doing a good Icaap, what you are doing is going top-down from a business and strategic level, actively involving your board and letting it decide what the business and strategic risks are, what the goals are, and there you have your appetite.
Andy Hirst, senior director, financial services industry marketing, SAP: I agree the tone has to be set at the top and it has to be set for the company. There are a lot of issues that it has been a challenge to get addressed at the top. Managing all of your data is a very granular thing, and unfortunately it does not get the level of investment to perhaps help get the level of information you need to the top. So that is one point.
The second point is that board members will get information in terms of reports, but I think we all assume that when they are given the information they read it and understand it. I think we have learned that they get a lot of information in informal ways, by interacting with the human in this area, to give context to the figures on the sheet of paper.
So it is not set when we deliver the report. The trick is to deliver the context of the report. You gain far more from a two-minute conversation by telephone than you sometimes get by analysing more. But you need to have solid data, solid foundation to be able to produce the information in the way you need to for the board.
OpRisk & Compliance: Do governance, risk and compliance need to be integrated within the organisation across business lines and silos to produce truly integrated GRC reporting?
Stockdale: I think the simple answer is Yes. A clear and straightforward governance structure is very important in enabling information to be escalated promptly to the board, or to the senior decision-makers very quickly. This can be further facilitated by a clear set of accountabilities and responsibilities. At Lloyds TSB, we have a risk director in group risk responsible for both the group operational risk and compliance frameworks. The reason we have formally integrated the two disciplines is that more and more operational risks are becoming regulated. The introduction of the US Sarbanes-Oxley Act and Patriot Act are examples. In addition, the regulators increasingly expect firms to use a risk-based approach to implement regulatory requirements and the regulators themselves use principles-based regulation. So we need to bring together our risk and compliance knowledge to effectively manage the impact of regulations and determine the appropriate way to implement within the organisation.
Bleijenberg: My simple answer is No. Partly for the reasons you describe, our business model is different to your centralised, large organisation and we are a decentralised organisation. For me what is important is that they work together. I do not need them to be, for any price, integrated into one team. We often have businesses that are quite small in certain countries where it is much more a person-to-person relationship. In that case, I do not care if risk and compliance is all one team and all reporting to one person. It is much more about how well they cope together and that is more important than a standardised structure for every bank.
Hirst: Yes, certainly from our view, we try to align with what the bank and the industry want in this area. Our perspective is to be as flexible as possible, to make sure that whatever we are producing aligns with the structure within the company. So from our perspective you need one version of the truth of information, and it might be that you have to integrate lots of information together before presenting it, and have controls with clear workflows across business lines and across different departments. But we do not need the structure to change for the solutions we put in place. We are not trying to alter the industry, we are trying to align with the processes and structures within it, and that is part of the solutions we do in this particular area.
Shah: I thought I was going to be first in saying No! There is nothing wrong with having two different messages coming out, as long as someone is asking the question 'why?'. If audit is saying one thing and the risk reporting is saying something else, you should be asking why are they saying different things and investigating that discrepancy, because that is where the true risk benefit comes in. Having said that, I do think many firms are definitely trying to integrate their governance, risk and compliance in lots of ways to work better together. There are a number of reasons for that. First of all the business itself gets really fed up with lots of different people asking exactly the same question. Now I personally think that is a good thing, because if you get different stories you can ask the question 'why?'. To do that, what is really important is that everyone uses a common language/terminology. We use a consistent language so that when we have been told a different story we know it. Where integration does not work and where it fails is where we use totally different language so we do not realise we are disagreeing with each other, and neither does our audit committee or our board of directors or whoever might be looking at this information.
OpRisk & Compliance: What types of metrics, indicators and reporting do boards receive on GRC issues, and what is problematic about them? Or what is good about them? And how can they be improved and perhaps made more dynamic or predictive?
Hirst: I think at the moment there is wide variance in this area. I think one of the biggest challenges is getting down to what the critical indicators are that drive your business. This is a very tough exercise so I think you have to engage the management team and then gain consensus across the group that these truly are what drives your business. When it has been reported up to the board, the idea is to provide all the information and let the board fish through it. Well, actually most people feel overwhelmed when they get more. They would rather take a few and then discover more. So it is partly about being able to put those key risk indicators up there, allow the board to interact with them, perhaps do some scenario-ing, maybe some predictive work, in terms of providing tools to help the board on that, and try to get to a point where it can discover more if it wants to go down that path. That is the challenge we face not just in this industry but in others.
Shah: Whatever it is, there is too much of it. I have seen audit committee packs or executive committee packs with 20 agenda items. In my opinion, the best thing to do would be to get rid of most of that - allow us to do that job, to filter and look at the metrics - and instead give them a list of questions that they should be asking, with some information behind it as to why we have come out with those questions. So forget all these metrics, all that detailed information that is going to them. I should clarify that I mean this in an operational risk context rather than a credit risk context or in a market risk context. I think for those types of risk, some of those metrics are important because you can aggregate information and you can simplify and summarise that more easily than for operational risk.
Bleijenberg: I like the thought about throwing it all away! What I have seen in the old-fashioned reporting is: 'Do we have trackers? Do we have some kind of red/amber/green?' The data is always old and it is not forward-looking, so I agree and I like the questions, and it comes back to what we said before on the strategic. If you have the board thinking strategically, you can have it come to you and say: 'OK, we have seen this information going around in the world', because I think one of the main new things in reporting we will end up using much more is external data. What we have seen in this crisis is that it is all happening outside and it all has an effect on us. It is about the major things going round and which will affect us most, also on op risk.
Verma: I think for me, metrics are a bit theoretical. Indicators tend to be backward-looking and, as we all say in our disclaimers, past performance is no indication or guarantee of future performance. So for me it is not quite working at the moment and, as I mentioned before, reports, and to some extent data, are politically represented to the board.
OpRisk & Compliance: Given recent events, regulators will be focusing on GRC issues in the coming 24 months. What kind of approach do you think they will take and what specific issues do you think they will focus on first?
Stockdale: There are some issues that have already been aired or published and once the environment becomes more stable I am sure there will be more of that coming to light. Compensation policies, in particular rewarding people for short-term success in cash, are in the spotlight, but the challenge is how to ensure people are rewarded for looking after the long-term performance of the organisation.
Secondly, the effectiveness of the stress testing performed in organisations needs to be reviewed. Stress testing must be related to the business strategy and the business plan. Historically, stress testing has been focussed on the straightforward retail banking or credit risk areas. Stress testing has got to include operational risk components as well because in times of stress, correlations between risk types increase. I think stress testing is a key area that financial organisations already recognise needs to improve.
Thirdly, I can see an interest in new product development and associated approval processes. This is a problematic area for risk managers as their experience is gained from historical events. For a totally new product, you will not have that history of loss events or near misses to help fully understand its real risks and implications. New products might be signed off even though interdependencies and the risk profile are not completely understood.
Bleijenberg: They are not looking at regulation. They are fire-fighting, just like everybody else is at the moment. So, all of the planned reviews are being postponed because there are other things going on. Certainly the point that we see the regulators really pushing us on is stress testing, focusing on liquidity, on a business basis and a strategic basis.
Hirst: Certainly. There is a focus on 'survival', which is exactly the right word. It is the word I have heard when meeting with the FSA. I think at the moment it is just about making sure that, through fire-fighting, we survive through this process, certainly until Christmas. After that time we will obviously have the new US president. We could have a lot of new US regulation come down the pipeline. What is not clear is how the regulators are going to get together. How do we work across country borders? Are the regulations that come out of that going to be the right ones?
Verma: Having just been to Tokyo, I think the UK FSA could learn a lot from the Japanese regulators, where an inspection is a bottom-up thorough audit. An inspection consists of detailed testing and the thorough findings are really something to behold. Compare that with the UK, where we have a top-down, 'skim-the-surface' conversation with executive board members (and, come on, let's be honest, we have all prepped our board members on what they might expect). So I think that it is a completely different approach in Japan and that the UK FSA needs to get tougher.
OpRisk & Compliance: Aligning GRC in the organisation and improving reporting is one hurdle. The next is achieving an integrated GRC culture throughout the organisation. How is that achieved?
Verma: I think it is all about understanding the roles and responsibilities of G, R and C and doing this through company-wide training and awareness. So I think a lot of it was covered already.
Hirst: Culture is ultimately an important part - you can provide any type of information or any type of guidance but the tone has to come from the top. The leadership has to come from the top about the risk appetite of the business. What is the firm's position in a particular business for taking on particular new products, new areas and new potential risks? I think whatever systems you put in place, you need to have continual education built into the institution that encourages the whole culture of risk management and the respect of that particular group. I see differences between some of the banks that have had more success in recent years and others where perhaps there was more ability to stand up to the rainmakers in the business. So that has to come from the top. It is difficult to argue with someone who is bringing in a large line of business, even if you know it has a larger risk profile. So that takes a strong management team and setting that pace from the top.
Shah: Everything I have said so far is my own personal opinion but this last statement obviously is. To me, you need to start with asking, why does each financial services company not have a chief risk officer sitting on their board? Financial services companies are in the business of taking risk, so they must have a CRO on the board. It might be the chief financial officer has ultimate responsibility for the risk management framework. Fine, call them chief risk officers. That sends a powerful cultural message about what we do.
Stockdale: I fully agree on the importance of the leadership giving guidance and drive to embed governance, risk and compliance throughout the firm. From a business unit perspective, there are two areas that I would comment on. Firstly, given the linkages between compliance and operational risk, and especially the way in which regulatory requirements are being developed and rolled out, I think there is a clear business case for integrating the two areas. Secondly, we can support the embedding of an integrated approach by aligning the ways in which we assess compliance, operational and potentially other risk types into a single methodology. Providing a clear, consistent method of assessing and reporting on risks and controls will overcome barriers and provide operational efficiencies for the business units.
- To view the complete video of the roundtable, visit www.opriskandcompliance.com
- All statements made by the financial services participants during this discussion have been made on personal title, and do not represent the companies' official opinions.
Topics: Corporate governance
More on Operational Risk
Hoodless and Madaras among those suspended
Focus needs to be on reacting, not stopping every threat
Keeping track of fraud and money laundering made easier through machine learning
Sponsored survey analysis: Protiviti
Sign up for Risk.net email alerts
Sponsored webinar: IBM
Watch highlights of this year's London conference
Operational risk and the challenges of defining and dealing with conduct risk
Watch discussions and speakers from our North America conference
There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.