Let’s talk about risk baby, let’s talk about you and me. Let’s talk about all the good things and the bad things that may be, let’s talk about risk.
First things first, I’m not a risk manager and never have been in my career. But yet I am. Let me explain:
We are all risk managers
This was something that was emboldened across coffee mugs we had in the office at UBS. Not exactly a charm offensive but a strong message nonetheless.
UBS, like many banks, had been through a series of conduct issues and during post-mortem there was a glaring theme; Finger pointing – assuming someone else was on it.
It turns out risk isn’t just for the credit or market risk officer, and in fact operational risk is everywhere. So the phrase we are all risk managers, whilst a bit cliché, is spot on.
The battle between good and bad
Risk is not all bad though – no risk no return right? No such thing as a free lunch…the risk-free rate. Blah blah blah. I think the best way to consider this is to look at the derivatives market and options.
With an option, you get to choose whether you’d like the good risk (in simple terms a call option, or the right to buy) or the bad risk (a put option, or the right to sell). Crucially you get to choose, unlike most investments.
Why not let those who want more risk take it on, and those who do not, hedge.
Think about securitised assets. Who buys the riskier tranche with high returns? Those willing to accept the additional risk. Those who do not like that take a lower, more secured tranche. Risk is a powerful tool if deployed correctly.
Governance & Risk
It’s natural that once you’ve established strong governance and a clear strategy you need to be thinking about what obstacles will get in the way.
As is often said risk is what keeps you awake at night.
The Board and Management should have a firm appreciation of what risks they face – now and in the future. Risk is therefore multifaceted.
Let’s start at the beginning.
The link between governance and risk tends to come in the form of Risk Committees.
The Risk Committee will typically:
- Be responsible for independently reviewing the identification, measurement, monitoring and controlling of all risk types. This includes the adequacy of policy guidelines and systems
- Ratify the key policies and associated procedures of the firm’s risk management activities
- Monitor the effectiveness of these key policies
- Translate the overall risk appetite of the firm, approved by the Board, into a set of limits that flow down through the firm’s executive officers, business divisions and sub-committees
Such a structure is obligatory for FTSE 100 firms but smaller firms have also chosen to set up Board Risk Committees in the pursuit of good practice.
The Risk Formula
Let’s go back to Toyota as the base case we considered last time around. They have a three-step process:
STEP 1: Identify Your Risks
The Company’s fundamental approach is to recognise and consider the various risks that occur in the course of business operations, ensure management safety, and increase corporate value by exposing itself to risk only within an appropriate and controlled range.
Notice some key phrases here
Recognise – sounds obvious but if you can’t measure it you can’t manage it, so step 1 is to know your current (and future) risks.
Exposing – sounds a bit odd that turn of phrase, but this is about the risk appetite, and what level of risk are you willing to take on.
Appropriate and controlled – this is important, and we sometimes hear about banks ‘warehousing’ risk. This just means accepting risk, often on their balance sheet in exchange for a return. Again, a derivative is a good example of this in action.
STEP 2: Manage Your Risks
Back to Toyota: In June 2010, Toyota established the Risk Management Committee (now Sustainability Meeting and ESG Committee), and appointed risk managers globally and at each section to comprehensively prevent and mitigate the impact of risks that could arise in business activities
Prevent and mitigate not eradicate. It can’t be done. I’m sure you’ve come across this in projects too. Sometimes we need to risk accept. We can go live but someone needs to sign off on X or Y, or a patch might be needed post launch etc. Sure, you can always spend more on systems, people and training but no business is risk-free. And for those of you like me who studied economics back in the day and were told a US Treasury bond was a risk-free asset, then I’m sorry to burst the bubble but that just ain’t true.
So rather, this is about setting the risk appetite and then allocating it within the business. A bit like capital, how much risk are we willing to accept, and which parts of the business can and should take that risk.
Investment banks have followed this model since the financial crisis, winding down large parts of the investment bank where sales and trading operate, and revenues are volatile, driven by the risky nature of the business activities.
Instead, focusing more on ‘stable’ revenue-generating businesses; wealth and asset management for example. You could say fee rather flow driven.
Types of Risk
Let’s spend a moment to think about how to categorise risks.
If we are looking to first identify them then we can begin by putting them into risk buckets, not mutually exclusive but a starting point nonetheless.
This is the risk that your company’s strategy becomes less effective and your company struggles to reach its goals as a result.
A classic example is Kodak, which had such a dominant position in the film photography market that when one of its own engineers invented a digital camera in 1975, it saw the innovation as a threat to its core business model and failed to develop it.
It’s easy to say with hindsight, of course, but if Kodak had analysed the strategic risk more carefully, it would have concluded that someone else would start producing digital cameras eventually, so it was better for Kodak to cannibalise its own business than for another company to do it.
Failure to adapt to this strategic risk led to bankruptcy for Kodak. It’s now emerged from bankruptcy as a much smaller company focusing on corporate imaging solutions, but if it had made that shift sooner, it could have preserved its dominance.
Facing a strategic risk doesn’t have to be disastrous, however. Think of Xerox.
Xerox became synonymous with a single, hugely successful product – the Xerox photocopier.
The development of laser printing was a strategic risk to Xerox’s position, but unlike Kodak, it was able to adapt to the new technology and change its business model.
Laser printing became a multi-billion-dollar business line for Xerox, and the company survived the strategic risk.
Another one to read up is the rise of Netflix and the fall of Blockbuster. In 2000 Netflix co-founder and CEO Reed Hastings approached Blockbuster’s then CEO, John Antioco, with a merger proposal for $50m. Blockbuster considered Netflix to be small potatoes, and would come of course to realise only too late that having an online platform would be the way of the future!
Are you complying with all the necessary laws and regulations that apply to your business.
Let’s park this and come back on this one next week in more detail when we look at the ‘C’ in GRC but for now, I want you to think beyond the rules, regulations, and policies. We can all stick to those. Instead for a business, this is much more about judgement. Just because we can, should we act that way?!
Refers to an unexpected failure in your company’s day-to-day operations. It could be a technical failure, like a server outage, or it could be caused by your people or processes.
This is one of the biggest risk areas since its all to do with
In other words, everything in a business. No way to fully remove this so we need to think carefully about how to mitigate and manage. You’ve seen this in action for sure, with risk logs, RAG statuses and the such like.
Check out this howler: Someone at Samsung Securities Co, one of South Korea’s largest brokerages, was trying to pay employees 1,000 won (93 US cents) per share in dividends under a company compensation plan. Somehow, they gave them 1,000 Samsung Securities shares instead. In total, the company distributed 2.83 billion shares, worth — on paper — about 112.6 trillion won. That was more than 30 times the company’s market value!!
Wonder why retail banks have things like two-factor authentication on your purchases? It’s to avoid operational errors, and/or fraud as well. Four-eye checks on control processes, same deal.
Most categories of risk have a financial impact, in terms of extra costs or lost revenue. But the category of financial risk refers specifically to the money flowing in and out of your business, and the possibility of a sudden financial loss.
Financial risk is increased when you do business internationally. Think macro, interest and FX rates.
Exchange rates are always fluctuating, meaning that the amount a company receives in dollars will change. The company could make more sales next month, for example, but receive less money in dollars. That’s a big financial risk to take into account. Especially if we are talking in millions or even billions of revenue. No wonder firms try to mitigate such risk. With what you ask? – derivatives to the rescue again, and FX forwards and futures can be useful here.
Of course, these are not exhaustive categories and its helpful to use the PESTLE analysis approach to overlay your identification, seeking to ask did we miss anything, especially from an external viewpoint.
Once we have identified the risks, the next task is to prioritise them.
Here the focus would typically be on impact and probability.
The UK Cabinet Office publishes an annual UK Risk Register as to most material risks faced, and the methodology is exactly what we just mentioned – probability and likelihood. It is clear a pandemic was in the critical category. However, labelling as a critical risk is not enough – it’s about the action you then take to plan, prevent and mitigate.
As with many things, it will be highly subjective, and someone within your team may have a very different view.
Let’s take a silly example. Say the email server goes down for a few hours. Some in the team might think happy days, not a big deal, we have chat, Zoom, a mobile etc (i.e. mitigants in place). For others, the impact could be critical, waiting on a document to come through that is time- sensitive.
Placing that on the grid opposite is easier said than done, but a powerful exercise to work through within teams.
The final part of the puzzle, once risks have been identified and prioritised, is to manage. This comes in the many ways we have discussed already, but most typically deployed in some form of the three following lines of defence:
Line One: Business Management: ‘Own’ risk on a day to day basis.
Line Two: Risk Control & Compliance: Minimise and mitigate risk
Line Three: Audit: Independent verification and review of lines one and two
But it is too simplistic as a model, and in reality we see many layers in between.
For example, Front Office supervision teams are a hybrid of lines one and two – part Front Office and part support function.
There are many challenges in getting this right:
- Getting the right authority and autonomy for risk managers
- Segregating between risk-takers and risk managers
- Proximity of risk managers to the business
- Change-related challenges – planned (e.g. mergers), unplanned (e.g. resignations)
Much to ponder, but let’s go back to where we started. Are you a risk manager? Let me hear it loud and proud, YES YOU ARE!
Stay safe, stay curious, and keep learning.