Risk Management at Crunch Time: Are Chief Risk Officers Compliance Champions or Business Partners?
Anette Mikes¹
Harvard Business School
Abstract
Risk management departments in financial institutions have been undergoing major transformations. New regulatory requirements have raised the bar on compliance and expanded the remit of risk management significantly. The compliance imperative requires banks to implement a firm-wide risk management framework complete with analytical models for the measurement and control of quantifiable risks. In addition, recent corporate governance guidelines advocate the ‘business partner’ role of risk management. The COSO Enterprise Risk Management framework (2003) explicitly defines risk management as a high-level strategic activity, contributing to board-level decision making, planning, and performance management. This role requires that senior risk officers possess an understanding of key strategic uncertainties and that they communicate these to senior management and the business lines.
But how do senior risk officers strike a balance between the twin roles of compliance champion and business partner? Too much reliance on the regulatory crutch may erode the credibility of the risk function as a business partner, while too much emphasis on the business-advisory function might weaken its policing capability.
In this paper, I assess the roles that risk functions and, in particular, senior risk officers play in fifteen large international banks. Because the research was carried out between June 2006 and June 2007, it offers a rare snapshot of the ‘calm before the storm’—the state of risk management at fifteen large players before the liquidity and credit crunch became apparent in the second half of 2007.
The findings suggest that the role of chief risk officers (CROs) had expanded dramatically, with more than half of them frequently involved in firm-level strategic decisions. However, various compliance and risk-modeling initiatives were still works-in-progress in the majority of these banks at the onset of the market turmoil. CROs voiced divergent views on the uses, benefits and limitations of risk models, suggesting that they promoted different calculative cultures (quantitative enthusiasm versus quantitative skepticism). Strategically involved CROs therefore interpreted the business-partner role of their function in different ways. Some risk functions aspired for an influential expert voice in key business decisions (the risk function as strategic advisor), while others strove for the formal integration of risk management with performance management (the risk function as strategic controller).
The achievement of the strategic-advisor role in some banks and the strategic-controller role in others calls for a clarification of stakeholder expectations on risk management. This would reduce the danger of an expectations gap opening around particular risk management approaches that are adequate for certain banks but ill-suited for others.
Key words: Risk management; enterprise risk management; risk-modelling; calculative cultures; quantitative enthusiasts; quantitative skeptics; chief risk officers; banking industry; regulation

¹ Email: firstname.lastname@example.org. I am grateful for the encouragement and instructive comments received from David Townsend, Robert Kaplan and two anonymous reviewers.
Electronic copy available at: http://ssrn.com/abstract=1138615
The strategic aspirations of risk managers are widely discussed in the industry literature.
Studies suggest that risk management departments in financial institutions have been undergoing major transformations (PWC, 2007; Deloitte, 2007; IBM, 2006). The Basel II requirements have raised the bar on regulatory compliance and expanded the mandate of risk management significantly. It now includes risk assessment, capital needs planning, enhanced risk disclosure and increased governance responsibilities. The compliance imperative requires banks to implement a firm-wide risk management framework complete with analytical models for the measurement and control of quantifiable risks.
In addition, recent corporate governance developments advocate the ‘business partner’ role of risk management. The COSO Enterprise Risk Management framework (2004) explicitly defines risk management as a high-level strategic activity, contributing to board-level decision making, planning and performance management. This role requires that senior risk officers understand key strategic uncertainties and communicate them to senior management and the business lines.
But how do senior risk officers strike a balance between the twin roles of ‘compliance champion’ and ‘business partner’? Too much reliance on the regulatory crutch may erode the credibility of the risk function as a business partner, while too much emphasis on the business advisory function might weaken its policing capability.
In this paper, I assess the roles that risk functions and, in particular, senior risk officers play in fifteen large international banks. Because the research was carried out between June 2006 and June 2007, it offers a rare snapshot of the ‘calm before the storm’ – the state of risk management at fifteen large players before the liquidity and credit crunch became apparent in the second half of 2007.
The findings suggest that the role of chief risk officers (CROs) had expanded dramatically. However, various compliance and risk-modeling initiatives were still works-in-progress (or under overhaul) at the onset of the market turmoil. CROs selected which modeling challenges they took on and voiced divergent opinions on the benefits and limitations of the available menu of risk-modelling initiatives. One group of CROs was committed to extensive risk-modelling and fostered a culture in which risk models were regarded as robust and very relevant tools in decision making (quantitative enthusiasm). Another group of CROs took a more cautious view, emphasizing that risk models are useful tools for managing a narrower set of risks, and fostered a culture in which the judgment of veteran experts was called upon in a wide array of risk decisions (quantitative skepticism).
These findings support a nascent literature on the likely existence of alternative ‘calculative cultures’ in the risk management community (Power, 2003, 2007; Mikes, 2006, 2007). Based on an in-depth study of two major international banks and interviews with senior risk officers of several others, I have previously argued that chief risk officers foster alternative calculative cultures and that they interpret and realize the business partner role of their function differently.
The current study, based on surveys and over fifty interviews conducted at fifteen major banks, provides further evidence that strategically involved CROs interpret the business partner role of their function in different ways, corresponding to the calculative cultures they foster.
Among the eight CROs whom I found to be highly involved in strategic activities, two groups emerged. CROs inclined towards quantitative skepticism achieved an influential expert voice in key business decisions, playing the role of the strategic advisor. CROs inclined towards quantitative enthusiasm presided over extensive and sophisticated modeling infrastructures, which provided detailed information on risk-adjusted performance, drilling down to each business and risk exposure and summing up across a variety of positions. Moreover, these CROs acquired the requisite status and skills to make risk-adjusted performance calculations count in key strategic decisions, enacting the role of the strategic controller.
The roles of the risk function
Risk managers fulfill diverse roles. The particular amalgam of these roles determines the type of risk management function an organization adopts. I distinguish four types:
Compliance champion. The risk function is focused on complying with pressing stakeholder requirements, keeping up with new regulations, and building and safeguarding the risk management framework, a policy framework that determines what risks must be addressed and by whom. Senior risk officers oversee the development of risk measurement tools for each risk type included in the risk management framework and provide assurance to senior management that adequate controls and processes are in place.
Modelling expert. The risk function is focused on highly sophisticated risk-modelling and on delivering the most advanced measurement and compliance options from the regulatory menu. Senior risk officers spearhead the implementation of firm-wide risk models that are capable of giving an aggregate view of financial risks in the business, focusing on quantifiable market and credit risks.
Strategic advisor. Senior risk officers gain board-level visibility and influence largely due to their command of business knowledge and their experience of what can go wrong. Their role is to bring judgment into high-level risk decisions, challenge the assumptions underlying business plans, and use traditional risk controls and lending constraints to alter the risk profile of particular businesses.
Strategic controller. Having built sophisticated firm-wide risk models, capable of giving an aggregate view of the financial risks, the risk function enables the company to operate a formal risk-adjusted performance management system. Senior risk officers preside over the close integration of risk and performance measurement, and ensure that risk-adjusted metrics are reliable and relied on. They advise top management on the absolute and relative risk-return performance of various businesses, and influence how capital and investments are committed.
The compliance champion role is ingrained in the mandate of all modern-day risk functions. The modelling expert role appears to be optional. Banks with high modelling propensity develop their own internal rating models in the credit risk area and the so-called ‘advanced measurement approach’ to tackle operational risks. Alternatively, banks with lower modelling propensity implement simpler models of risk measurement, choosing between the prescribed ‘basic’ or ‘standardized’ approaches. There are other risk-modelling initiatives that banks may take on by their own initiative, such as active credit-portfolio management, and the implementation of risk-based performance measurement at various levels of the organization.
The taxonomy distinguishes two parallel strategies that may result in high strategic significance for the risk function. Both business partner roles assume a high degree of path-dependency: The requisite resources and capabilities can only be obtained over time. The strategic advisor role requires an intimate knowledge of the business and what can go wrong: experience, which managers earn through long service, having lived through organisational successes, losses and crises. The strategic controller role assumes a sophisticated risk modelling capability, which is foundational to risk-based performance management. However, the project to redefine what ‘good performance’ means in an organization is inherently political. Risk teams with highly advanced models and analytical talent need executive support to succeed in the world of organizational politics. Risk-adjusted performance measures will not work by themselves; they must be made to work. Senior risk officers with exceptional political flair and communication skills can make risk numbers count in planning, performance management, and board-level decisions.
Risk initiatives and the roles of the risk function
The senior risk officers I interviewed repeatedly emphasized that the risk function creates strategic value when risk professionals partner with the business lines and help them understand the cost of risk taking and the long-term implications of short-term profit-seeking.
Industry studies suggest that a growing number of risk-modelling techniques can make up a risk management infrastructure capable of producing such insights. But do all CROs agree that they need to develop the full technical arsenal of risk management in order to understand the relevant risks that threaten the achievement of their banks’ strategic objectives? And have they successfully implemented their chosen risk management techniques? In 2005, the Economist Intelligence Unit identified twelve risk-quantification projects that risk functions claimed to run (see Appendix A). I asked CROs to identify which of these risk initiatives they have started and why, and to assess the state of their completion. They considered the status of the initiatives according to the following qualifiers:
• Completed and running smoothly
• Partially completed
• Overhauling or replacing a previous methodology
• Not applicable (N/A).
With the exception of market risk modelling, assessed by all as a mature, business-as-usual affair, most risk management projects were works-in-progress in the first half of 2007. In other words, more than half of the surveyed risk functions were still engaged in finalizing various modelling initiatives at the onset of the credit crisis. Figure 1 shows the status quo in the credit risk area.
[Figure 1: Modelling credit risk exposures]

In general, fewer than half of the respondents had completed the credit risk initiatives they had embarked on: portfolio-level credit measures (40 per cent), active credit-portfolio management (40 per cent), risk-based performance measurement at the transaction-level (27 per cent) and risk adjusted pricing (25 per cent). The implementation of credit risk assessment methodologies, however, stood out: 60 per cent of the respondents had declared a victory there.