  • Julien Haye

Risk Oversight? The Billion Dollar Question


How strong is your risk oversight function?

US$73bn of exposures to stock index futures going unnoticed until they turned into a combined loss of US$7.2bn.

Jerome Kerviel’s “feat” will remain the perfect textbook example of monumental risk oversight failure. It wasn’t the first time, or the last, that this has happened. So, why does history keep repeating itself?


Reflecting on my time in risk management, I feel there is an opportunity to rethink what effective risk oversight entails. In my mind, it provides the assurance that a business’s threats and vulnerabilities are addressed, and that the strategic business objectives can be met. I find that the latter rarely occurs in a meaningful way.


This observation also connects to another one on the role of top executives and board directors.


The response to the J. Kerviel crisis from Daniel Bouton, the Société Générale CEO at the time, was symptomatic. In his view, risk and audit had failed and it wasn’t his fault. And I agree that both functions failed … but they failed under his watch.


I see this type of response as an abdication of management and leadership responsibilities, and one of the main causes of risk oversight failure underpinned by ineffective risk culture.


Is Risk Oversight about billions or trillions?


There are tremendous benefits in oversight “excellence”, besides protecting firms against life-threatening situations.


When J Bezos decided to launch Amazon Prime in 2004, he understood his firm derived its profitability from volume of sales. And he seemingly put Amazon’s profitability at risk by changing the way his firm charged its clients for delivery. He had connected the dots between the risks his firm faced and what these risks meant from a business objective and strategy point of view.


His idea also triggered many internal tensions and healthy debates which helped to make Prime a resounding success – Amazon was valued at $18bn at the time and it reached a market capitalisation of $1tn in January 2020, Prime being one of the key drivers of such a meteoric rise.


This example also illustrates the value of risk appetite and tolerance. Specifically, understanding the level of losses a company can absorb whilst remaining a going concern enables such strategic decisions. Of course, exceeding a firm’s risk-taking capacity is typically synonymous with business failure, just as underutilising risk capacity is synonymous with missed opportunity and suboptimal profitability.


Risk Oversight is not a popularity contest!


“My definition of a free society is a society where it is safe to be unpopular.” - Adlai Stevenson (31st Governor of Illinois and United Nations ambassador 1961-65)

Oversight only works when Board Directors are free to ask the hard but necessary questions.


I have faced board directors who did not feel they had the mandate to perform their legal duties. And some of the directors were really uncomfortable raising any type of challenge to the business executives.


They did not control the business strategy and resources, could not describe the regulated activities they were accountable for and had no idea how the business operated. As a result, they did not properly understand the connection between strategy and operational execution and could not act as a sounding board for the executives, or as a voice of reason.


In that context, the directors had no worries about losing the popularity contest. But they had no chance to win it either.


After many discussions including a detailed reminder of their personal duties and liabilities, the directors agreed that putting the Board back in control could generate significant value for the business and help the wider group to meet its objectives.


These types of situations might sound strange, but they are not uncommon, especially when it comes to the oversight of regulated subsidiaries in large financial conglomerates.


Independence enables freedom


“We don’t know what we look like without the reflection of something outside of us”.

I heard this expression during a leadership podcast and I found it particularly relevant to illustrate why both the Board and Risk need to be independent. And why both are crucial to the business executives.


Back to my example - this Board needed a nudge. It also needed to be put in a situation where it could provide that “reflection” back to the business and move from being perceived as “tick box” to “value-add”.


Changes were required. For example:


  1. We aligned EXCO and Board membership, and clarified/documented the escalation protocols and decision-making mechanisms to strengthen and simplify the governance. This was required to address one of the main imbalances in governance that I had observed over the years: the decision makers are not necessarily the ones “going to jail” if there is a problem. So, we gave the executives (legal) “skin in the game” and this had a material impact on decision making and board dynamics as the real issues started surfacing;

  2. We established financial, business and risk monitoring mechanisms. For instance, the financials were completely scrubbed, top risk completely reviewed and compliance requirements fully mapped across all regulated activities. These processes were structured to be standardised and repeatable, including the risk register and top and emerging risk processes; and

  3. We documented the end-to-end operating model and business capabilities. This proved particularly difficult to do and my team was able to document up to (only) 90% of the operating model with the rest being “unknown”. This exercise fleshed out many gaps and unnecessary complexity in the business setup.


All these activities opened the door to granular and informed discussions at Board level on business strategy, adequacy of resources and capabilities to execute the strategy, and a roadmap to address the major gaps, which included:


  • a change in business strategy when it became clear that the current plan could not be achieved, coupled with a material recapitalisation after it became transparent the capital resources did not align to the risk profile of the business

  • a material simplification of the business operating model and, as a result, of the legal entity footprint and regulatory exposure, which also removed many constraints on the business


This example also illustrates the role, and challenges, a Chief Risk Officer (CRO) can face.


For instance, the role of the Board and Risk can be reversed. In the above situation, I provided a “mirror image” to the boards, and the executives, on the culture they were fostering and effectively their own values. And they didn’t necessarily like what they saw.


This led to very challenging internal discussions, at first, on why a risk officer would effectively imply a number of executives and directors had “an opportunity to do their job better”.


To address “the challenge on my challenge”, I had to shift the emotions out of the way and focus on the key levers to get right. This required a sound understanding of the business strategy and operations to focus people’s minds on the key business enablers and what was required to effectively reach the business objectives.


So, what is a Chief Risk Officer?


In my experience: a debater, a salesperson, an influencer, a disruptor, a police officer, an accountant, a trader/business manager, a “punching-ball”, a technician, an innovator and more.


CROs are expected to protect their firm, enable strategic value creation through effective risk taking, management and oversight or challenge of group-think. In that context, CROs must also adjust to an ever-changing environment and scope, whilst justifying and demonstrating the value they create. Specifically, they must ensure (and constantly evidence) that the perceived costs of managing risks do not exceed the benefits risk management generates.


In that context, CROs are still not perceived as a “must-have” C-suite function. Deloitte found close to 90% of financial firms had a Chief Risk Officer (CRO) in 2013; I still come across financial firms today that do not have a structured Risk function led by a Global CRO.


Risk Oversight, art or science?


Both credit risk and market risk are mature disciplines. Their quantitative nature helps to establish very clear monitoring frameworks. The risk-taking process (e.g. lending, trading) enables a clear segregation between risk taker and controller which in turn lends itself neatly to effective risk oversight.


Non-Financial Risk (NFR) is not so clear cut. Firms get exposed to NFR through “WHAT” they do (e.g. managing client money) and also “HOW” they do it (e.g. a fragmented, complex and manual end-to-end operating model and process setup). They do not enter “non-financial risk exposure” through a very clear and structured process like financial risks, at least most of the time.


For instance, the “HOW” is very often the result of years of organic evolution and increased process complexity and/or fragmentation. In that context, identification of NFR tends to be backward looking – we fix the problem when something goes wrong – and any forward-looking assessment tends to mix art and science.


A Focus on Non-Financial Risk Oversight


This observation raises an interesting question - what is the value of independent non-financial risk oversight?


The expertise required to identify, assess and manage such risks seems better located in the business operations (i.e. 1st Line of Defence) where the “WHAT” and “HOW” are effectively created and managed.


In that context, more and more firms have created a business risk function in addition to the 2nd Line of Defence risk function in charge of “independent oversight”. Invariably both functions end up overlapping with each other and their value becomes clear as mud; the business only sees many (costly) “risk managers” asking them to do a lot of stuff. Stated differently, the costs of managing risks seem to exceed the perceived benefits.


On the opposite extreme, I have seen NFR functions solely focused on frameworks and methodology, policy, capital and losses management. Their approach was so theoretical and high level that they were completely disconnected from any strategic and operational reality.


In my view, NFR oversight functions can generate significant value by bridging strategy and execution, and defining how the management of such risks should be prioritised considering business imperatives and directions including regulatory requirements. Effective NFR management can lead to material cost benefits through business simplification, scalability and loss avoidance – please see my previous blog on this.


In addition, the function can take a strategic view on the core operational enablers required to deliver on the business strategy and inform executives and the board on desirable and undesirable risk profile arising from the business operating model setup.


In my above example, I established that having seven regulated entities to perform the firm’s activities had no legal/regulatory justifications whilst the in-built complexity acted as a vector of increased regulatory requirements and management distraction, and ultimately costs and risks. Though the unwinding of five regulated entities was always going to be a complex task, the board agreed it would ultimately remove significant noise and would enable both executives and directors alike to focus on strategic business management decisions.


Getting the basics of risk management right!


Huge and complex organisations are the enemy of effective risk oversight. The noise they create enables risks to creep in unnoticed and prevents Board Directors, Business Executives and Chief Risk Officers from focusing on business strategy and execution.


In my view, this enabled the Société Générale situation, and so many other oversight failures.


A lot can go wrong and has to be considered. Businesses are faced with a never-ending and changing list of risks, driven by their organisational strategy and setup, industry and the wider global economic/societal/environmental context. They can only control part of them and, as a result, must be ready to respond to many unexpected situations.


In that context, risk functions must strengthen their approach to risk oversight by focusing their resources on protecting the core strategic business enablers, monitoring and assessing the culture of the organisation and providing that “mirror image” the Directors and Executives need so thoroughly. They must also increase the management of risk processes, such as risk and control self-assessment or risk events, to the business and enable the business folks to manage their risks autonomously.


So how do you see effective oversight? Feel free to share your thoughts in the comments.

 

Sources


https://www.icgn.org/sites/default/files/ICGN%20Corp%20Risk%20Oversightweb_0.pdf



https://www.pwc.com/us/en/services/governance-insights-center/library/risk-oversight-series.html








https://www.coso.org/documents/COSOBoardsERM4pager-FINALRELEASEVERSION82409_001.pdf



https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-risk-cro-taking-the-reins.pdf


