How to Build a Well-Understood Risk Management Program
Framework, policy, taxonomy, methodology and reporting are the core components. How can a company develop these integral risk management building blocks, and how do they fit together?
Friday, October 18, 2019
By Brenda Boultwood
[Editor's Note: This month, GARP is transitioning from Cliff Rossi to Brenda Boultwood as our CRO Outlook columnist. We'd like to thank Cliff for all of his thought-provoking contributions, and also extend a warm welcome to Brenda - a former CRO with a wealth of experience and excellent insights.]
When starting from scratch, what is required to set up a risk management program? This was a question I recently received from a young woman who, as a company's star performer, was asked to join the risk management organization to help them develop a more effective program.
Yes, the question is foundational, and may seem obvious, but there is very little literature on the core components of an effective program - particularly in a form that could be recognized by management and the board. Moreover, even when they are in place, these components are frequently not well-communicated or understood. (Regulators have recently published the same finding when highlighting these deficiencies at some of the largest banks - we'll get back to this at the end of the article.)
The core components of a risk management program include framework, policy, taxonomy, methodology and reporting. We'll address each, in turn, and provide some examples of what each could look like.
But before we get to the five components, we must briefly note that the success of any component requires strong program management, communication and end-user acceptance across the lines of defense at all levels of the organization. Large program management is the ability to execute a risk management program successfully. However, one significant obstacle is that many risk management activities (risk assessment, for instance) are viewed by the people who should complete them as something outside the scope of their day-to-day job.
In the risk assessment example, the key question is, if assessments are required only semi-annually, how is this work scheduled, performed and tracked? A technology system could manage this workflow for the risk management organization, or this can be done manually by risk management staff responsible for reporting results to management and the board.
Communication of the importance and benefits of the program is critical, so it's important to engage your firm's internal marketing department to help create a brand and awareness for the program and its outcomes.
Even if a risk management program is well managed and communicated, end-users must accept the approach and believe its outcome is superior to an alternative. Of course, training is required, but end-users must be deeply engaged in the risk management program to understand the personal benefits.
For example, can a business manager see real-time updates of open issues and action plans? Is there, moreover, an intranet portal open to all employees to see a “hall of shame dashboard” of business owners with the highest rate of overdue action plans?
Acceptance comes through engagement, and engagement often comes from understanding how the individual will be made better off. (Tips around these soft-skill topics, including strong program management, communication and change management, will be addressed in a future column.)
Building Blocks of an Effective Program
Now, let's examine each of the core components:
Enterprise Risk Management Framework
Like the US Constitution, an enterprise risk management framework (RMF) has three purposes: (1) to create risk governance within the context of the organization's structure and strategy; (2) to summarize the key risks and the approach to managing risks; and (3) to explain the organizational structure and accountabilities for managing risk in an organization.
For each risk, the RMF should explain the approach to defining risk tolerance and risk appetite. It should also pinpoint the requirements for business and functional group managers, acknowledging the risks given their business strategy, people and internal processes.
Moreover, the RMF should summarize an organization's risk management policies, risk methodologies and risk and control taxonomy, and also describe how a disparate set of internal and external risks are integrated through a common risk assessment and issue-management approach.
A strong RMF can yield a defined strategy for minimizing the impact of downside risks while optimizing the level of upside risk, helping ensure the business meets strategic objectives - including growth. What's more, it can provide clarity about the structured processes and accountabilities required to identify potential threats to an organization.
Risk Management Policies
External or internal obligations - including regulation, legislation and management-desired outcomes - should be reflected in risk management policies. Typically, a risk policy describes how to identify events, reduce harmful outcomes, invoke consistent methodology, review past incidents and prevent or reduce future incidents. To calculate or subjectively assess risk ratings for qualitative risks, a risk policy should describe the quantitative and qualitative risk factors for the impact and likelihood of a potential risk.
All aspects of the RMF are typically reflected in one or more risk management policies.
Risk, Control and Business Taxonomy
Risk taxonomies should be established for both financial risks - such as market, credit and liquidity risks - and non-financial risks - such as operational process, human resource, third-party, cyber, compliance and other qualitative risks.
Controls are often considered across business process, IT and financial reporting, and may include such categories as policies, training, reconciliations, security and others. For risk aggregation, concise reporting and analytics, a common language should also be implemented for organizational structure, products, processes, issue types and event root causes.
Finding a common language that works for different risks and controls is an art form.
Risk Methodology
Risk methodology defines the standard formulas for risk measurement, capital calculation and stress testing. For quantitative risks, calculation formulas will describe the risk, capital and stress testing measures. For qualitative risks, a standard methodology should describe the approach for rating qualitative risk exposures, estimating capital and scenario stress testing.
The inherent level of a qualitative risk is typically assessed alongside an assessment of individual controls and the overall control environment to determine residual risk. Control ratings are often subjectively assessed based on the design and operating effectiveness of the control.
As part of your risk methodology, it is also critical to define an issue in your organization. Is an issue simply a control deficiency, or could it also be a perceived lack of readiness due to an external change? For example, do you have a potential control issue if a new regulation requires a change in business process?
Just as an issue must be defined, so must a reportable action. Does the action plan arising from a potential cyber vulnerability or third-party requirement, for example, have the same importance as the action stemming from an internal audit finding? There's no right answer, but an organization must be clear about its intent.
Risk Reporting, Stress Testing and Other Analytics
Risk reporting should be deliberate and anticipatory. Conceptually simple, it's about what's gone wrong and what else could go wrong, as well as how risks could impact financial performance.
This leads to some interesting questions. For example, what should a new hire understand about an organization's risks, and how freely should risk information be shared with all employees and third parties?
When evaluating reports, stress testing and other analytics, one final point to consider is the value business stakeholders, executive management and the board get out of the resources expended in risk management.
There is no doubt that the typical risk manager works hard. But if we take a step back, can we honestly say that each of these components of a successful risk management program exists?
Regulators have demonstrated recently that, even at the largest banks, some of the most fundamental components of a well-functioning risk management program do not exist. These recent consent orders should encourage all organizations to reconsider how well their risk management programs are working.
While a great deal of success within a risk management organization is programmatic, it is also deeply personal. To influence business strategy and external perception, the CRO must use the data and his or her position to be a trusted visionary storyteller, a strong communicator and a consultative leader.
Brenda Boultwood is a Risk Advisory Partner at Deloitte. She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Prior to joining Deloitte, she was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. Before that, she worked as the global head of strategy, Alternative Investment Services, at J.P. Morgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.