
The Questions Financial Institution Boards Should Ask with Respect to Risk Governance

All financial institutions[1] take risk to generate returns and most financial institution boards are looking for opportunities to strengthen their expertise and their risk governance approaches – all with the aim of allowing them to provide effective risk oversight by asking the right questions and effectively assessing the provided responses.


It is common at this point in this type of paper to stress that each organization’s strategy and situation will need to inform discussions and the specific questions to ask. However, for financial institutions, it is also important to note that every item brought before the board has a risk dimension, whether obvious or not, and that the nature of the item will also affect the type of risk questions that will be relevant. The following 16 questions are provided to act as a departure point for risk conversations and questions relevant to the specific financial institution. They are provided in several categories below[2]. An effort has been made to limit the number of questions per category to two or three. This is to emphasise that these questions are a starting point, not a prescriptive, comprehensive listing to be followed religiously.


The Board’s Capability


A fundamental, common sense position is that a financial institution must not take risks that are not fully understood. The board must know the risk characteristics of the financial institution’s operations and what the range of outcomes may be. This does not mean that the Board must be able to price or model each risk, but it must be able to understand the risks taken and how they affect the institution’s opportunity set and possible outcomes. The first question is:


1. What is the level of risk understanding of the directors, individually and collectively?


The immediate ancillary question is:


2. What does this imply for the types of risk and business opportunities that the board can effectively oversee?


What follows from this is not only the ability to determine gaps and requirements for future board recruitment and director training, but also the need to ensure that the risks taken now are appropriate to the board’s existing capabilities.


The Language of Risk and Opportunity


The term “risk” is widely used and often specifically defined (e.g. “Market Risk is …”), but is also often treated differently by different individuals with different perspectives. The understanding of risk has also broadened dramatically, particularly since the 2008 Financial Crisis. There is now more concern over the interconnectedness of risk, emerging risks and systemic risks.


There is also, of course, the term “risk management” and what it means within an institution. In its early incarnation, risk management meant, or some individuals thought it meant, risk avoidance. From there, risk management advanced to being about risk understanding, modelling and risk pricing. Now, in leading financial institutions, risk management is an approach and set of tools used to help make risk-informed strategic decisions.


The relevant starting point for questions in this area is:


3. Do people in this institution, including both the line and staff functions, and the Board have a common understanding of the terms “risk” and “risk management”?


As implied above in the title to this section, risk is relevant within the context of the financial institution’s strategy, or its set of opportunities. The integrative aspects of risk and strategy will be dealt with below; here we are concerned with language and it is important that the language of risk include specific reference to opportunities. The risk return trade-off is critical to financial institution decision making.


The relevant question is:


4. Do people in this institution, including both the line and staff functions, and the Board fully understand and accept that risk and opportunity are intrinsically linked?


The Strategy Conversation


The strategy conversation is a process for determining an organization’s set of goals and objectives, the organizational positioning, the accepted view of future possibilities and the principal means by which objectives will be achieved.[3] The strategy is logically prior to other business activities and, in fact, creates the risk horizons and the risk capabilities needed by the institution. The strategy determines the opening perspectives of the risk/strategy discussion and, if the risk demands of the strategy exceed the risk capability of the organization, then the strategy must be changed in terms of timing or goals until the value proposition and the risk capabilities are aligned.


Within the strategy conversation there are implicit and explicit assumptions, various and often competing perspectives and ongoing adaptation to changing environmental conditions. The institution’s strategy, at a point in time, captures the assumptions (e.g. the firm’s capabilities, expectations of competitor and regulator actions, environmental trends, etc.), reconciles, or not, the competing perspectives and includes the current view of the environmental conditions, including customer expectations. A non-risk specific question of importance to boards is, “Does the board understand and accept the underlying assumptions and tensions embedded in the strategy?”. Following from that, the risk-specific question that should arise is:


5. Do strategy conversations include a strong risk influence and do risk conversations appropriately reflect the opportunities available to the institution?


Financial institutions exist within a dynamic and ever changing environment. Strategies and risk positioning must reflect this fact and must be dynamic and responsive to conditions. In this regard, boards will receive presentations on new or changing business opportunities and changing risk profiles and risk levels. In these cases, the board needs to ask:


6. Do the strategic initiatives adequately identify the associated risks and are they acceptable in terms of the institution’s overall strategy and organizational capabilities (i.e. can the institution understand, process, manage and oversee the resulting risks)?


7. Do the initiatives appropriately consider the resulting risk profile, the future risk possibilities and what is driving risk and opportunity for the foreseeable future?


The Risk Management Process and Organizational Capabilities


Similar to the common sense statement that financial institutions must not take risks that they don’t understand, is the second common sense statement that financial institutions must not trade, offer or process financial products and solutions for which they cannot identify, assess and manage the risks and for which they do not have the necessary processing and data management infrastructure.


With respect to risk management and the risk management process, it is important for the financial institution to meet the regulatory requirements and to go beyond those requirements to ensure that it is using the most appropriate risk management approaches and processes for the business / risk activities it undertakes.


The board should ask:


8. Does the risk management function employ the best, most appropriate practices to identify, assess and monitor the risks and support the organization in its risk response?


The board needs to understand what makes the risk management group and process effective and whether that effectiveness is both sustainable over time and resilient as the environment changes.


The board should also be sure that the financial institution has the capability of properly processing all of its interactions with clients and counterparties. This ranges from deal capture in the trading room to effective process management throughout the organization. This is particularly important when management is seeking to enter new markets or introduce new products. The board should ask:


9. Are the financial institution’s systems, risk management processes and data management capabilities sufficient to ensure that management knows what risks it has, how they are changing and what is driving them?


Specific Risk Exposures


Following from question 8 above, it is obvious that the board should have a clear idea of the major risks faced by the organization, how they are changing and how well they reflect the financial institution’s strategy. The questions that can be included in this grouping can be extensive. As a starting point, the board should ask:


10. What are the top, or most significant risks for the organization and what are the emerging risks that are developing?


11. Are risks concentrating in any one area – geographic, market segment, corporation, product type, etc. – and is this intentional and justified or evidence of market trends and dynamics that may prove detrimental (including systemic risk)?


12. Does the risk profile, both as it exists and as it is changing, reflect the organization’s planned activities and forecasted outcomes?


13. Does the financial institution have reliable processes for identifying meaningful extreme / stress events and providing response plans to facilitate rapid and well-designed responses?


The board should be willing to dig deeper into any identified trends or issues that appear to be detrimental or for which the organization seems ill prepared or poorly informed.


Organizational Risk Behaviour, Culture and Ethics


John Farrell and Angela Hoon, in their May 12, 2009 Business Week article[4], correctly noted that, “A company's risk culture is a critical element that can ensure that ‘doing the right thing’ wins over ‘doing whatever it takes’.” The board needs to understand the organization’s culture, what it implies for the risk-taking activities and the likelihood of divergent, or rogue, behaviors.


The financial institution should have a series of monitoring tools to provide information about the ethical behavior of its staff. The board should make sure such an approach is in place and understand what the results indicate over time. The starting point could be:


14. What metrics does the organization track (i.e. compliance violations, limit breaches, etc.) and what do they indicate about the behaviors of individuals and the organization as a whole?


The board must also ensure that the compensation programs and rewards that it approves lead to the types of behaviors desired. The Chartered Accountants of Canada have published “20 Questions Directors Should Ask about Executive Compensation”[5]. Two questions, numbers 11 and 17, from this publication pertain to the risk context:


15. Does the use of mid and long-term incentives appropriately balance risk and reward, shareholder alignment and management engagement?


16. How effective has the organization’s executive compensation program been thus far in terms of motivating and paying for the desired performance?


Closing Thoughts


The real value of the board in risk oversight comes when its directors go beyond these questions and ensure they fully understand the risk profile, the vulnerabilities and the opportunities of the financial institution. Further, risk oversight is just the beginning. The board must tap into each director’s experience, knowledge and expertise to ensure their insights are brought to bear on the topics discussed around the board table.


Appendix I


The Questions Financial Institution Boards should ask with respect to Risk Governance

Question Listing


1. What is the level of risk understanding of the directors, individually and collectively?


2. What does this imply for the types of risk and business opportunities that the board can effectively oversee?


3. Do people in this institution, including both the line and staff functions, and the Board have a common understanding of the terms “risk” and “risk management”?


4. Do people in this institution, including both the line and staff functions, and the Board fully understand and accept that risk and opportunity are intrinsically linked?


5. Do strategy conversations include a strong risk influence and do risk conversations appropriately reflect the opportunities available to the institution?


6. Do the strategic initiatives adequately identify the associated risks and are they acceptable in terms of the institution’s overall strategy and organizational capabilities (i.e. can the institution understand, process, manage and oversee the resulting risks)?


7. Do the initiatives appropriately consider the resulting risk profile and what is driving the change and is the change appropriate?


8. Does the risk management function have the ability to employ the best, most appropriate practices to identify, assess and support the organization in responding to the risks faced?


9. Are the financial institution’s systems, risk management processes and data management capabilities sufficient to ensure that management knows what risks it has, how they are changing and what is driving them?


10. What are the top, or most significant risks of the organization and what are the emerging risks that are developing?


11. Are risks concentrating in any one area – geographic, market segment, corporation, product type, etc. – and is this intentional and justified or evidence of market trends and dynamics that may prove detrimental (including systemic risk)?


12. Does the risk profile, both as it exists and as it is changing, reflect the organization’s planned activities and forecasted outcomes?


13. Does the financial institution have reliable processes for identifying meaningful extreme / stress events and providing response plans to facilitate rapid and well-designed responses?

14. What metrics does the organization track (i.e. compliance violations, limit breaches, etc.) and what do they indicate about the behaviors?


15. Does the use of mid and long-term incentives appropriately balance risk and reward, shareholder alignment and management engagement?


16. How effective has our executive compensation program been thus far in terms of motivating and paying for the desired performance?


Endnotes:

[1] Financial institutions include deposit taking institutions (banks, trusts, savings and loans, credit unions, etc.), insurance firms (life, health, property and casualty and reinsurance), investment management firms (pensions, hedge funds, etc.) and risk insurers (bond and mortgage guarantors, etc.).

[2] The questions are also provided in Appendix I in list format.

[3] As variously articulated by George Steiner (Strategic Planning, 1979, The Free Press), Michael Porter (Competitive Strategy, 1986, Harvard Business School Press) and Henry Mintzberg (The Rise and Fall of Strategic Planning, 1994, Basic Books).

[4] John Michael Farrell and Angela Hoon, “What’s Your Company’s Risk Culture”, Business Week, May 12, 2009.

[5] Elizabeth Greville, LL.B. and David Crawford, CFA, “20 Questions Directors Should Ask about Executive Compensation”, Chartered Accountants of Canada, second edition, 2011.
