Post-Crisis Risk Management: Building Blocks

The credit crisis has taught us valuable lessons on the limitations of models, the importance of risk reporting and the need to establish a more effective risk culture.

Monday, October 04, 2010, By Carol Beaumier and Cory Gunderson

The global financial crisis produced many painful outcomes: historic losses, institutional failure, fear, finger-pointing and unprecedented government actions. For those financial services firms fortunate enough to survive, however, the crisis also yielded a highly valuable output: sharp insights into the strengths and weaknesses of their risk management programs.

Leading organizations throughout the industry continue to harvest these insights to address their constantly evolving risks and strengthen their risk management capabilities. In this way, these companies are taking a page from their own risk-management playbooks to better understand how their current risk management capabilities can be fine-tuned to better manage and mitigate the impact of extreme events.

This process requires several steps. First, every firm needs to gain a clear assessment of risk management's role in the crisis. Second, it is important to understand what risk management-related lessons can be mined from the economic and regulatory events of the past two years. And finally, it is useful to understand the makeup and value of "post-crisis" risk management building blocks.

Redefining "Failure"

At first glance, the origins of the global financial crisis appear inexplicable, given the fact that the financial services industry has prided itself -- and rightfully so -- on leading-edge risk management. The shock of the crisis and its profound impact on financial services organizations worldwide has generated an understandable amount of finger-pointing, as well as an unhelpful level of oversimplification. Some pundits have gone so far as to blame risk management itself.

It is more instructive, and more constructive, to look deeper.

While failures in risk management certainly occurred within the industry, a wide range of factors, many of which fall beyond the purview of risk management programs, played key roles in sparking the financial crisis. On a macro level, financial accounting and reporting standards obscured important underlying economics. Government and monetary policies, along with overreliance on third-party viewpoints, also contributed to the meltdown.

Within organizations, deficiencies in corporate governance processes limited the recognition and use of important outputs that risk management processes produced. In many instances, a lack of effective transparency, accountability and escalation of crucial risk information hindered senior executives and corporate directors from understanding the true nature of the risks a company had undertaken. Several organizations went well beyond their "risk appetite" -- sometimes without even realizing it. Moreover, many organizations today continue to struggle with the establishment and implementation of a risk appetite.

Collectively, these corporate governance, executive management, board, regulatory and monetary policy issues extend well beyond the reach and scope of risk management. Underscoring this point, financial services companies today frequently request outside assistance related to (1) establishing a risk appetite; (2) developing corresponding risk tolerances and limits; and (3) improving risk transparency through such means as enhancing the flow of risk information up, down and across the organization. Efforts are focused on better aligning risk management activities and processes with corporate strategy and business objectives.

Lessons Learned

Executives do not cease decision-making after making one or two bad decisions. Instead, they seek ways -- e.g., involving more perspectives, identifying additional information inputs or eliminating sources of misleading information -- to strengthen their decision-making process.

The financial crisis and lingering recession provide lessons companies can apply to their ongoing risk management efforts, including the following:

  • If it sounds too good to be true, it probably is. Many crises are forged out of beliefs that tomorrow will be just like today. In retrospect, few individuals believed that real estate prices in the United States would not continue to go up or remain constant for an indeterminable period.
  • Don't bet your company on third-party assurances. In the period leading up to the financial crisis, too many companies relied too heavily on external assurances from third parties. The lesson here is that it is important, if not critical, for an organization to formulate its own independent view.
  • Balance quantitative measures with qualitative assessments. Many institutions failed to share a wide range of balanced rigorous quantitative measures and qualitative assessments to provide different perspectives on the same exposures. Such a balance provides more insight about evolving conditions and creates enterprisewide transparency.
  • Avoid undue concentration risk. Many companies relied on outdated assumptions that were unchallenged by management. These organizations did not integrate market and counterparty risks effectively to identify the size of their concentration risk.
  • Incentives influence behavior. Improperly designed compensation incentives create a "heads I win, tails you lose" situation, and can also focus too much on short-term gains versus institutional viability. Risk management often was not an equal player at the business table in terms of compensation, clout and organizational standing.
  • Liquidity can be as important as solvency. If stakeholders lose confidence in a business, the strength of the business' balance sheet may not matter.
  • Lack of transparency can fuel a crisis. Given the global economy's ever-present need for information, when the market cannot be certain of the exposures that exist among its counterparties, it may stop functioning altogether.
  • Time to act can be a real differentiator. Issues are no longer isolated. Because of the interconnectedness of the Information Age, crises are no longer confined to single institutions or even regions. What happens in Iceland or Main Street USA impacts all industry participants in one form or another at rapid speed. Market judgment is also swift and merciless, putting significant pressure on companies to make quick, accurate decisions. Time to act is one of the most valuable assets in managing risk, yet is often hindered by numerous hierarchical and silo organizational constraints.

Most, if not all, of these "lessons" existed prior to the crisis, and the recession simply illuminated them. The present challenge resides in determining how financial institutions can apply these lessons in a sustainable manner.

Leading companies have leveraged the lessons learned by reexamining and, where possible, strengthening key building blocks of effective, post-crisis risk management, such as the role of risk management, risk culture, risk reporting and risk measures.

The Role of Risk Management

In its most effective form, risk management begins with defining and understanding a company's risk appetite related to its strategic objectives. It should also identify the inherent risks associated with the achievement of the business strategy and determine the most appropriate techniques required for a company to operate within its established risk tolerances and limits.

For example, suppose a company's strategic objective involves entering a new foreign market to generate a new source of revenue. Inherent risks within this scenario might include political and foreign exchange risks. The risk management techniques should then determine (1) whether the inherent political risks represent an acceptable potential cost of executing this objective (i.e., doing business in the region); and (2) how the foreign exchange risk might be mitigated -- e.g., hedging contracts or requiring customer payments to be in U.S. dollars.

When deciding whether entering a foreign market is consistent with the company's risk appetite, capital needs, reputational risk, regulatory considerations and other matters should all be vetted by appropriate executive management (and, if necessary, the board). Scenarios should be modeled by looking at the effects of the new business venture under various stress points, including scenarios that may not have ever happened historically.

Risk Culture

This much is certain: while it may be difficult to deconstruct and/or quantify risk, a financial services company's risk culture qualifies as a crucial success factor in nearly every client debriefing, article and case study related to risk management.

By now, tone at the top may be an overused phrase, yet it remains critical to successful risk management. Communication represents another valuable building block of an effective risk culture. No matter how valuable the information that risk management processes and systems produce is, it quickly becomes worthless if it is not relayed throughout the organization in a timely fashion. Executive management and the board must encourage such real-time and transparent communication for an effective risk culture to evolve. Shooting the messenger only stifles the ability of people to step forward and raise serious issues to the appropriate management level.

While processes provide the pipes, if you will, for communications, culture provides the fuel: Managers must want to use and relay risk information if the risk management structure is to deliver on its full value.

Culture also represents the "glue" that enables the risk-related policies to be transformed into processes, and for those processes to be executed by people throughout the organization. Perhaps most important, an effective risk culture helps ensure that the focus on risk-based decision-making becomes sustainable over time.

Risk Measures

The financial crisis exposed model risk as a key risk area. Economic models remain an effective tool in post-crisis risk management. In fact, when used as one of several data points within an analysis, they can be extremely valuable -- but only if their limitations are understood and addressed.

Model risk refers to the risk of a loss due to significant discrepancy between the economic model's outputs and actual market experience. This form of risk stems from several causes, including inadequate tools, the use of adequate tools for the wrong purpose and/or misinterpretations and incorrect applications of the output.

In the wake of the crisis, pressure to manage model risk has intensified for several reasons, including:

  • Financial firms facing increasing model governance and validation expectations from regulators, rating agencies, investors and clients, to varying degrees;
  • Major model-related losses increasing scrutiny and demand for independent validations; and
  • Fair value accounting rules (FAS 157 and FAS 159) highlighting the focus on the number and types of instruments that are marked-to-model.

Model risks reflect a disconnection between reality and the picture of reality that powerful systems and tools produce. For this reason, they are in many ways emblematic of the missteps leading up to the financial crisis.

The crisis was not caused in isolation by risk management, a lack of regulations or the absence of effective management systems and tools. Rather, it was caused by a combination of factors that created dissonance between theory and reality. Some of these factors may have been identified and mitigated by risk management processes but were not communicated effectively throughout the organization, hindering the ability of management and the board to learn of and understand emerging risks clearly.

Relevant Reporting

One of the procedural shortcomings the crisis highlighted relates to risk reporting. At some companies, reporting was too detailed; at others, it was too general. In virtually all organizations, the challenge is less about having enough data than about presenting far too much risk information to management and boards.

There is an abundance of data available, but relevant analysis is sorely missing. Most boards and senior management teams simply want to understand if the company is riskier today than it was yesterday, and why. They also want to know whether the current level of risk is within expectations and appetites. Despite these simple objectives, most risk reporting fails to deliver the key elements.

Effective risk reporting tailors the reports to different audiences. The same report or an excerpt of a report to management should not be used for the board.

Board reporting should focus only on the most significant risks, and then identify how these risks potentially affect performance and shareholder value. It also should promote awareness of risks throughout the organization, provide assurance that management processes are working effectively and, when appropriate, detail the impact (on both the organization itself and outside participants) of recent risk events that occur.

Senior management risk reporting should provide qualitative analysis to supplement quantitative tools and analytics, while identifying trends and important exceptions to risk tolerances. These reports should also identify key risks and related performance (and/or risk) indicators, identify required actions and contain discussions of current risk management initiatives and issues.

In addition, senior management risk reporting should contain several forward-looking aspects versus focusing on historically based accounting information. It is the forward-looking information that allows management to see what's coming and initiate appropriate risk mitigation responses.

At the business-line level (or even the process level), risk reporting should be more granular in nature; here the focus is typically historical and reporting is segmented by department (or product line, geography, etc.). Updates on control failures and improvements should be featured prominently, and the reports should address specific consideration of data integration and other reporting issues.

In closing, there is no "magic bullet" to protect everyone from the next crisis. Fortunately, risk management continually evolves within the financial services industry, where companies are reconfiguring their frameworks, establishing new risk agendas and bolstering their building blocks to ensure they will be better prepared for the future, regardless of what the future brings in terms of new risks and challenges.


Carol Beaumier is an executive vice president and head of the global financial services and regulatory risk consulting practices at Protiviti, a global business consulting and internal audit firm.

Cory Gunderson is a managing director and head of Protiviti's U.S. financial services industry and global risk and compliance practices.

Both authors can be reached through the firm's Web site at

