Andy Hirst, Senior director of industry marketing, SAP BusinessObjects
Mike MacDonagh, ERM product manager, Sword, ARC Logics
John Thirlwell, Rapporteur, Institute of Operational Risk’s practice guidance on operational risk governance and culture
John Whittaker, Group head of operational risk, Barclays Bank
Embedding a risk culture is essential to ensuring better risk governance and reporting in financial services firms. That’s the central message from a webinar panel discussion hosted by Operational Risk & Regulation and sponsored by SAP and ARC Logics, a Wolters Kluwer business, which focused on how financial services firms are gearing up to confront the challenges posed by increased regulation in this area.
“When talking to regulators, institutions and other bodies, a couple of things come up all the time: the ability for firms to get hold of data and the systems that data sits on, and therefore their ability to report the right information to the right committees at the right time,” says John Whittaker, group head of operational risk, Barclays Bank. “For me, another important area to focus on is the culture of an organisation. If you have the culture of an organisation and its risk reporting correct, then the processes around the organisation will ensure that the right information is getting to the right committees on a timely basis; and in such a way that the members can understand and make the right decisions.”
John Thirlwell, rapporteur at the Institute of Operational Risk’s practice guidance on operational risk governance and culture, and a co-author of Mastering Operational Risk, concurred: “The really important issue for this webinar is the question of culture and behaviours. If they were at the heart of the crisis, will governance, in the sense of frameworks of itself, make the difference? No governance framework is going to create a risk culture. If the culture is there, a framework institutionalises it and then you can get the whole thing to work effectively.”
The main consensus of the panel is that regulators won’t be able to drive the banks back to good behaviour – it has to come from within. Getting the right framework in place, however, is what a bevy of reports and guidance from international and national regulators have focused on. John Thirlwell ran through the key points on risk governance guidance to have emerged from the Basel Committee on Banking Supervision, the European Commission’s green paper and The Walker Report from the UK. Central to all of these was the idea of forming an independent board risk committee.
“Most organisations have always had a board audit committee that was also looking at risk,” says Whittaker. “But one of the big changes you will see is the breaking out of responsibilities at subsidiary-level board committees. So you will end up with a board risk committee and a board audit committee that are of enough importance to be run separately. As soon as you set up an independent board risk committee, [you need to ask] do you have directors with the right capability to sit on that committee? That may mean, for some organisations, a remixing of the skills of board members.”
The Walker Report, the Basel Committee and the European Commission’s green paper all refer to the importance of having a good balance of skills on boards as well as ensuring members have the appropriate experience and integrity.
John Thirlwell questioned whether regulators are expecting to have people sitting on board risk committees who have a better handle than most on how credit, market and operational risk work. “It is slightly worrying because you are beginning to say that you can only be on a bank board if you are a banker,” he says.
“We have a risk committee that is staffed entirely by non-executive directors,” says Whittaker. “We have ensured that the non-executive directors have the necessary skills to carry out their functions.” Continuous training of those board members was a factor brought up in The Walker Report and one that resonated with all of the panellists.
“You certainly need risk-aware business people,” says Mike MacDonagh, ERM product manager, Sword, a part of ARC Logics. “It should be people who are engaged in the business of banking or insurance but who have that risk awareness. It is those people who are able to ask the ‘so what?’ question.”
But what information should these boards be requesting? Whittaker says: “If we have people who have a good understanding of the business we are operating in, who have a lifetime of experience of operating in orderly financial markets, particularly in the risk space, and we have continually trained them and given them the right information, that then allows them to ask the relevant questions. It is not the requirement of a board risk committee to lay out everything it needs to see. That is a bit of abdication of management in a way.”
The panel discussion also covered what information needs to be reported to the board to allow it to perform its oversight function.
Andy Hirst, senior director of industry marketing, SAP BusinessObjects, observed that this is about giving boards “the right information at the right time in the right format”.
“At the moment there are still quite significant data issues,” he says. “Firms have enormous amounts of structured and unstructured data in different systems, formats and files, including email, call records, and Excel and Word documents, so it is not easy to get a unified view of that information to make the right decisions. It’s trying to find the balance between the right information at the right time but not to overflow those recipients.”
Whittaker asked the same question on whether financial services firms were joining the dots of the information they have in the most effective and most efficient manner. “From an operational risk point of view, you would have data coming up around your risk and control self-assessment process. You would have information coming up around your actual losses, and you have information coming up not necessarily from the risk areas such as internal audit. Looking at all of those in a stovepipe manner will give us some of the story, but if we can join the relevant parts together in a holistic manner you will make sure you are presenting the right information in a timely manner.”
Siloed departments have long been a problem for risk management. “The problems are largely organisational,” says MacDonagh. “You have siloes in the risk categories but you also have siloes in the assurance function that are all providing information. You have information about the past, which are your losses; you have information about the future, which are your risk assessments that are being done in a different part of the organisation; and you have the indicators that tell you what is happening now. The goal is to pull all of those together so you can look at them at the same time and get a consolidated view of where you are going with risk.”
Cadence is also important and was demonstrated to be severely lacking in financial institutions during the financial crisis. “During periods of stress, how fast we got information was an issue,” says Hirst. “Liabilities and assets can change in value very quickly. Being able to react and being able to see that through the normal processes you have as a company is important. Some of the cadence of reporting and information wasn’t as fast as it needed to be.”
Walker points to reporting problems in his report that were exposed during the crisis, such as the defective flow of information, poor analytical tools and an inability to bring insightful judgement to the data that was there.
“Information is at the heart of this,” says Hirst. “How financial institutions manage data is going to get more and more important over time because firms need to be able to find the gems of information that will help them make better business decisions. The challenge is not to report for compliance sake, but to get some business benefit from that.”
MacDonagh agrees that firms need to be able to find the business benefit from new regulation: “There is a risk that, like the Sarbanes–Oxley Act, some organisations will treat it [Solvency II] as a compliance exercise,” he says. “It is much easier and potentially cheaper to hand it over to compliance… Clearly, however, there is a benefit to be had by applying the risk practices to the businesses of the organisation, to improving and enabling business decisions.”
All reports – but particularly those sent to board risk committees – need to be fit for purpose, pointed out John Thirlwell. “As a non-executive director sitting on boards, I have found myself very often challenging the information in the reports and the nature of the reports: was there more information than was needed, or indeed, which is not terribly interesting? You have to be bold and brave enough to ditch things. If a report has stayed in exactly the same format for 12 months, is it still fit for purpose?”
Whittaker questioned whether managers were sending data or information to these committees. “How many times do we look at a piece of reporting and ask ourselves the ‘so what’ question?” he says. “What does this tell me and what am I meant to do? That is a key issue that requires us all to stand back and ask that question before we send the papers in.”