Breaking Into Risk Management In Banks by Boris Agranovich the founder of GlobalRisk Academy In association with GlobalRisk Community: The world's premier online risk management forum for professionals


Table of Contents

Introduction
About the author of this book
Module 1: The Importance of Risk Management and Regulations in Any Bank
  What is Risk?
  What is Risk Management?
  The Importance of Risk Management in any bank
  Characteristics of Risk
  Categories of Investment Risks
  Check your knowledge by taking the multiple choice Quiz 1
Module 2: The Essential Knowledge for Risk Managers in Banks
  Bank’s Risk Divisions
  Risk Management Framework
  Risk Management & Internal Control Policy
  What Can Go Wrong?
  Risk Management Cycle
  Check your knowledge by taking the multiple choice Quiz 2
Module 3: Soft Skills and Technical Expertise of an Effective Risk Manager
  Soft Skills of an Effective Risk Manager
  Risk Manager Priorities
  The Top 5 Time Management Principles for Risk Managers
Conclusion
Glossary of Risk Management Terms

Introduction

The book delivers the fundamentals of Risk Management in banks: an overview of the principles, processes, and frameworks of Risk Management.

What you will learn from this book:

How risk management can assist organizations to achieve their objectives and optimize decision making

The types of internal and external risk exposure typically faced by an organization and the concepts of positive and negative risk

How to assess risk effectively and to select appropriate actions and controls

What “Risk Universe” stands for

What the main components of the Risk Management cycle are

What the difference between risk and uncertainty is

How to determine your organization’s tolerance for risk

The importance of culture, communication, and behavior in an effective risk management structure

How to communicate your risks to all levels of your organization, and externally

What soft skills are required from a Risk Manager

What the benefits of making a career in the Risk Management field are

By the end of the book you will have an understanding of concepts that allow you to recognize and escalate risk-related issues before they become too severe.

About the author of this book

Boris Agranovich, the founder of Global Risk Community and creator of B2B Pioneers platform.

More than 25 years of global experience in working with large & medium corporations in Europe, the Middle East and Asia Pacific across multiple sectors including Financial Services, IT, Consulting, Manufacturers and Distributors. Speaker and panelist in the world's leading professional events.

Specialties: Risk management systems, social networking for business consultancy, management reporting, policies and procedures, banking, corporate & Trust and hedge fund industry.

My vision: Good risk management should facilitate business growth by understanding the risks involved and managing them to acceptable levels, rather than seeking to prevent new initiatives.

Module 1

The Importance of Risk Management and Regulations in Any Bank


What is Risk?

Risk is the possibility of an event occurring that will have an effect on the achievement of objectives.

An effect is a deviation from the expected (positive and/or negative).

Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

All activities of an organization or financial institution (bank) involve risk. Organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria.

Risk is often characterized by reference to potential events and impact, or a combination of these. Risk is measured in terms of impact (including changes in circumstances) and likelihood of occurrence.

Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequences, or likelihood.

What is Risk Management?

Risk management is the continuing process to identify, analyze, evaluate, and treat loss exposures and monitor risk control and financial resources to mitigate the adverse effects of loss.

Financial risk management is the practice of economic value in a firm by using financial instruments to manage exposure to risk, particularly credit risk and market risk.

As a specialization of risk management, financial risk management focuses on when and how to hedge using financial instruments to manage costly exposures to risk.

Risk Management in Banking

In the course of their operations, banks are invariably faced with different types of risks that may have a potentially negative effect on their business.

Risk management in bank operations includes risk identification, measurement and assessment, and its objective is to minimize negative effects risks can have on the financial result and capital of a bank.

Banks are therefore required to form a special organizational unit in charge of risk management. Also, they are required to prescribe procedures for risk identification, measurement and assessment, as well as procedures for risk management.

The risks to which a bank is particularly exposed in its operations are:

liquidity risk, credit risk, market risk, exposure risk, investment risk, operational risk, strategic risk, legal risk, reputational risk and risks relating to the country of origin of the entity to which a bank is exposed.

Liquidity risk is the risk of negative effects on the financial result and capital of the bank caused by the bank’s inability to meet all its due obligations.

Credit risk is the risk of negative effects on the financial result and capital of the bank caused by borrower’s default on its obligations to the bank.

Market risk includes interest rate and foreign exchange risk.

Interest rate risk is the risk of negative effects on the financial result and capital of the bank caused by changes in interest rates.

Foreign exchange risk is the risk of negative effects on the financial result and capital of the bank caused by changes in exchange rates.

A special type of market risk is the risk of change in the market price of securities, financial derivatives or commodities traded or tradable in the market.

Exposure risks include the risks of bank’s exposure to a single entity or to a group of related entities.

Investment risks include the risks of bank’s investment in non-financial sector entities, fixed assets and investment real estate.

Risk relating to the country of origin of the entity to which a bank is exposed (country risk) is the risk of negative effects on the financial result and capital of the bank due to the bank’s inability to collect claims from such entity for reasons arising from political, economic or social conditions in such entity’s country of origin. Country risk includes political and economic risk, and transfer risk.

Operational risk is the risk of negative effects on the financial result and capital of the bank caused by omissions in the work of employees, inadequate internal procedures and processes, inadequate management of information and other systems, and unforeseeable external events.

Legal risk is the risk of loss caused by penalties or sanctions originating from court disputes due to breach of contractual and legal obligations, and penalties and sanctions pronounced by a regulatory body.

Reputational risk is the risk of loss caused by a negative impact on the market positioning of the bank.

Strategic risk is the risk of loss caused by a lack of a long-term development component in the bank’s managing team.

The Importance of Risk Management in any bank

Despite the financial and operational challenges of regulatory compliance, investments in modern risk management capabilities must be viewed as an opportunity, not a burden, for all banks, regardless of size.

Banks, brokers, portfolio managers and even the entire financial industry are exposed to risks on a daily basis. Due to this and especially since the financial crisis, the importance of risk management has increased rapidly.

The fundamentals of risk management are not to completely eliminate risks, but to manage them accordingly. As financial markets grow, there is an increasing need to manage risks appropriately.

Characteristics of Risk

Risk has the following characteristics: uncertainty, irreversibility, probability and time.

Uncertainty

As certainty and risk are correlated, one may need to look at them closely.

All possible consequences of a decision can be enumerated, but probabilities cannot be assigned.

For ease of use, it is assumed that risk and uncertainty refer to the same thing.

o Risk refers to events for which the chance of occurrence is known in advance.

o Uncertainty refers to events for which the chances are not known in advance.

Irreversibility

It is important to bear in mind that scientific certainty has boundaries.

The failure to prove scientifically that a product is unsafe does not mean that it is safe.

This is very relevant because some decisions, once made, are irreversible, resulting in beneficial or harmful effects.

Probability

The ranges of consequences are known (e.g., low/high prices, low/high yields etc.) and each consequence can be assigned a specific numerical probability of occurrence; both the specific consequence and the outcome are unknown.

Risk, thus, is defined as uncertainty based on a well-grounded quantitative probability.

Uncertainty on the other hand cannot be assigned such quantitative probability.

Further, genuine uncertainty cannot often be reduced significantly by attempting to gain more information about the phenomena in question and their cause’s quantitative probability.


Time

Time is a dominant factor in the event of risk. Risk is about the future. Time is more relevant when decisions are irreversible.

Is There a Difference Between Risk and Uncertainty?

We often find the terms “risk” and “uncertainty” used interchangeably. However, a distinction needs to be drawn between the two. Risk is often thought of in terms of chance (or probability) of loss.

Uncertainty falls into two broad categories. There are those for which the probability of occurrence is calculable either on a priori grounds or through the statistical analysis of a series of similar events that have occurred in the past. The remainder do not lend themselves to such measurement, either because their occurrence follows no discernible pattern or because they are unique events.

The importance of uncertainty arises from its influence on the decision making of individuals, businesses and society.

It is therefore possible to consider a situation risky if a number of outcomes are possible and the actual outcome that materializes is not known in advance.

Thus, risk is defined as the relative variation of the actual outcome from the anticipated or expected outcome.

Risk and Return

The risk/return tradeoff is the balance between the desire for the lowest possible risk and the highest possible return. Low levels of risk are usually associated with low potential returns while higher levels of risk are normally expected to yield higher returns. The graph below depicts the typical risk / return relationship.

For example, the government securities represent the lower end of this risk / reward scale since their chances of default are almost zero. This represents risk-free return, which means, you can earn this rate of return virtually without any potential risk. But, earning 6% in a scenario where inflation is around 8% means that the value of your savings is steadily eroding. Traditionally, equity funds have given much more every year over the long term. Risk might be anything such as event, practice, process, activity, etc., which has an outcome of organizational objectives. Generally, risk is defined as the uncertainty of meeting objectives over a specified time horizon.


Categories of Investment Risks

Investment risks can be divided into two categories: systematic and unsystematic

Systematic Risk is also known as "market risk" or "un-diversifiable risk"

Unsystematic Risk is also known as "specific risk," "diversifiable risk" or "residual risk".

Systematic Risk

Systematic Risk is the uncertainty inherent to the entire market or entire market segment. Also referred to as volatility, systematic risk is the day-to-day fluctuations in a stock's price.

Volatility is a measure of risk because it refers to the behavior, or "temperament," of your investment rather than the reason for this behavior. Because market movement is the reason why people can make money from stocks, volatility is essential for returns, and the more unstable the investment the more chance there is that it will experience a dramatic change in either direction.

Interest rates, recession and wars all represent sources of systematic risk because they affect the entire market and cannot be avoided through diversification. Systematic risk can be mitigated only by being hedged.

Unsystematic Risk

Unsystematic risk is the part of an investment’s risk that is attributable to the investment itself or to the sub-group it belongs to, but not to the entire economic system. For example, news that is specific to a small number of stocks, such as a sudden strike by the employees of a company you have shares in, is considered to be unsystematic risk.

Unsystematic Risk comes with the company or industry you invest in and can be reduced through diversification.

The Power of Diversification

The purpose of Risk Management is to control risk relative to return. Broad diversification is the single most powerful risk management strategy.

Global exposure to all segments of the stock and bond markets not only reduces portfolio risk but also enhances return.

In today's global economy, investors can use diversification across all tiers to establish a portfolio with a risk profile that is consistent with their goals.

Tiers of Diversification

Diversification helps manage the specific risks of each tier, as well as other residual risks inherent in investing.

Diversification across all tiers enables investors to create portfolios that can take advantage of opportunities — no matter where they exist — while managing for risk from unforeseen events.

Diversification does not ensure a profit or guarantee against loss. Small-cap and mid-cap investing involve greater risk not associated with investing in more established companies, such as greater price volatility, business risk, less liquidity and increased competitive threat. Investments in international markets present special risks including currency fluctuation, the potential for diplomatic and political instability, regulatory and liquidity risks, foreign taxation and differences in auditing and other financial standards. Risks of foreign investing are generally intensified for investments in emerging markets.

This is the end of Module 1. The Importance of Risk Management and Regulations in Any Bank.

Check your knowledge by taking the multiple choice Quiz 1

Click on this link http://globalriskacademy.com/courses/breaking-into-risk-management-in-banks?product_id=45290&coupon_code=FREE to download the complete course and take the quiz for FREE!

Module 2

The Essential Knowledge for Risk Managers in Banks


Bank’s Risk Divisions

When the public thinks of the modern bank, they likely think of a stable organization committed to providing ongoing financial services for years on end, without a struggle. Yet banks face risks today as much as they always have, and perhaps more so in the current financial market.

Banks should have an effective internal controls system and a Risk Management Division with sufficient authority, stature, independence, resources and access to the board. A bank’s Risk Division plays a critical role in identifying and managing a wide range of risks to which the bank is exposed. These risks may include credit losses, volatility in markets, non-financial failures, liquidity shortages, as well as the impact of regulatory and legal matters.

A sophisticated bank’s Risk Division should consist of the following departments:

Credit Risk Management

Credit Risk Management (CRM) is usually the independent credit approval and monitoring function for the bank group. Using expert knowledge, CRM provides structuring advice and credit approval on transactions; manages the credit exposure of the bank’s derivative and foreign exchange portfolios; actively ensures the recovery of impaired loans; and performs in-depth analysis of industry, sovereign and settlement risk.

Liquidity Risk Control

The Liquidity Risk Control (LRC) function provides oversight on methodology development, limit setting and model validation, with additional responsibility for internal liquidity risk reporting. LRC also works closely with Treasury's Liquidity Management (LM) under Group Finance to steer business activities and ensure the bank's adherence to its risk appetite.

Market Risk Management

The focus of Market Risk Management (MRM) is on encouraging risk to be taken where it is most optimal given the rewards and capital consumption. MRM has a strong focus on the activity on the dealing floors and works closely with traders and senior managers to perform the complex risk analyses that are crucial to inform their business decisions.

Operational Risk Management

Operational Risk Management (ORM) sets the framework for managing operational risks such as product liability, information security, IT system failure, frauds and even natural disasters. The ORM team performs analyses on operational risks and monitors operational risk loss and capital.

Reputational Risk

Reputational Risk sets the framework for the identification, assessment and management of reputational risk matters in a bank.

Risk Analytics and Living Wills

Risk Analytics & Living Wills (RA&LW) develops, implements, validates and maintains advanced internal and regulatory risk measurement and management models for credit risk, operational risk, business risk and specific market risk. RA&LW also covers the design, implementation and operation of key risk management processes for capital adequacy (ICAAP) and recovery & resolution planning.

Corporate Insurance

Corporate Insurance (CI) protects the assets and liabilities of the bank group. The team has a crucial role to play in managing risk for the wider organisation by determining the extent of insurance cover across the bank.

Chief Operating Office

The Chief Operating Office is responsible for strategic planning and implementation of infrastructure to support data, processes, operations, IT program planning and other staff-related functions required to support the delivery of risk’s vision.

Risk Management Framework

The risk management framework is the totality of the structures, methodology, procedures and definitions that an organization has chosen for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

The foundations include the policy, objectives, mandate and commitment to manage risk. The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.

The risk management framework is embedded within the organization's overall strategic and operational policies and practices.

Risk Universe

Every financial institution should have a set of formal policies to manage and control all financial and non-financial risks – the so-called risk universe.

The risk universe is the full range of risks that could positively or negatively affect the ability to achieve long-term objectives.

Risk Management policies provide practical direction on how to safeguard the business from events with excessive operational, financial or reputational impact.

There are five main conceptual categories of risks and policies within the overarching risk management and internal control policy.

Risk Management & Internal Control Policy

1. Financial Risk

Financial risk means the uncertainty of a return and the potential for monetary loss. Financial risk includes credit, equity, property, inflation, interest rate, currency, insurance and liquidity risk.

Managing Financial Market Risk

When managing financial risk, market risk – the uncertainty about how prices will change in the market – is a constant concern. And a valid one. You should always weigh the risks before making any market decisions.

Prices may move to levels that cause you to lose control of your securities if investors redeem more than you can easily pay out. Alternatively, lenders may demand more cash than you can raise. Dangers can come from several directions.

Volatility, the normal ups and downs of prices, is how you make money in finance, and the main market risk. Too low a level of volatility can mean that you don’t generate enough profits in good times to satisfy investors or survive bad times; too high a level can eat into returns and frighten investors and counterparties.

Sometimes market prices move to a level that allows you to initiate a position you could not do in normal markets. Be prepared to seize such opportunities.

2. Strategic Risk

Strategic risk is defined as the risk to current and future earnings or capital arising from adverse business decisions, improperly implementing decisions or not responding to changes in customer demand and the industry. Strategic risk includes the risk of missing targets because our business units do not respond, or respond inadequately, to changes in the business environment.

Managing Strategic Risk

In general, the most forward-looking organizations are interested in connecting risk more closely with strategy. Typically, risk discussions and strategy conversations are happening in different parts of an organization. But business leaders today are beginning to see the value of bringing them closer together. They understand that every strategy, every strategic choice, carries risk.

Having the ability to scan and monitor strategic risk on an ongoing basis and create regular, high-quality reporting is very important.

Scenario planning is one of the methods that can help organizations see a set of both risks and opportunities more broadly, to imagine potential futures that might challenge their current strategic assumptions, and to spot potential sources of risk that may not surface in other ways.

There have been a number of advances over the last few years in data analytics and the ability to scan, search and analyze huge sets of structured and unstructured data for a variety of risks, both internal and external.

3. Operational Risk

Operational risk is the risk of losses that may occur due to inadequate or malfunctioning internal processes or systems, human error, criminal behavior or external events.

Operational losses may have a direct impact (i.e. give rise to a quantified economic or financial loss) or an indirect impact (i.e. lower sales, opportunity costs or productivity losses in the future that may be hard to establish accurately).

Operational risks relate to areas such as integrity and fraud, crime prevention, human resources management, information and communications technology, information security (including risk of innovative multimedia), business continuity management, physical security and outsourcing.

Managing Operational Risk

As a financial risk manager, one of the risks you need to consider is uncertainty within your own organization. Institutional or operational risks are many – employee malfeasance, computer errors, attacks (physical or cyber), for example – and too numerous to list.

In managing operational risk, look to see how tight or loose the workplace is. Too loose a workplace leads to errors, inefficiency, bad discipline, frustration for talented employees, and damage from lazy or incompetent ones. Too tight a workplace leads to people hating their jobs, stress, and barriers to innovation; it can attract people who like to boss others around rather than do any work themselves.

To help change operational risk to opportunity, concentrate on business practices that make work fun, build a useful business, meet social needs and contribute to employee career development, personal growth and financial security.

4. Regulatory Risk

Regulatory risk is the risk of not complying with laws, regulations and internal policies and procedures, for example risks related to litigation, compliance and tax.

Managing Regulatory Risk

Understanding and managing regulatory risk is a dominant theme for bank Risk Management. In particular, bank executives and boards need to focus on the following three areas of managing regulatory risk:

Regulatory Reverse Due Diligence. Reverse due diligence on a buyer's regulatory standing must be among the top priorities of seller boards from the outset of transaction discussions.

Pre-Announcement Regulatory Strategy. Virtually no bank transaction in today's environment is getting signed without significant pre-announcement discussions with the regulators.

Regulatory Risk Allocation. Deal parties increasingly are focusing on the regulatory provisions in transaction agreements, including the covenant to seek regulatory approvals, the definition of a "burdensome regulatory condition" exception to the buyer's obligation to obtain regulatory approvals and complete the deal, and termination rights that affect risk allocation relating to the regulatory process.

5. Financial Reporting Risk

Financial reporting risk includes reserving risk, the risk that the insurance liabilities of life, non-life and investment business are not adequately determined and reported.

Financial reporting risk can be pervasive anywhere in an organization and can arise from an event or condition, external and internal factors, and decisions and choices made by many within the company. Financial reporting risk may also arise from inaction.

Managing Financial Reporting Risk

Financial reporting can be grouped into three major components:

A variety of people responsible for extracting, assembling, aggregating, and analyzing data

The processes and timelines by which this data is obtained and reported

The systems that crunch the financial information and distill it into meaningful form

Characteristics of each of these financial reporting components can be a potential weakness that increases financial reporting risk or a possible strength that reduces financial reporting risk. By posing some general questions to managers in these areas, a CFO may develop a fairly clear picture of the current state of an organization’s financial reporting risk.

What Can Go Wrong?

Now that you have an understanding of the types of risk, let’s look at some of the real life cases. You may recognize them from having been in the media spotlight.

Risk Management Cycle

These cases should not just be of interest because they make good headlines. It is important to analyze and learn from them, while constantly seeking to refine and improve your internal systems and controls.

A strong risk culture depends equally on a strong risk management framework and staff awareness, attitude and conduct. It is therefore important that personnel understand and follow the risk management cycle.

Risk management is a dynamic process, which needs constant focus and attention. There can be no single prescription for all the times Decisions have to be made at short notice Positions may have to be acquired and shelved Views may have to be change very often

All these point out the complex nature of the risk management process. Identification Risk Management starts with identification. What risks are present or are emerging? This is more difficult than it sounds. It forces us to think about complex situations beyond our actual experience. Risks seldom occur twice in exactly the same way. The leading banks have specific frameworks and tools, which enable us to identify risks. Measurement Having identified the risks you face, it is important, as far as possible, to attribute a value of those risks. Some risk can be easily quantified like exchange risk, interest rate risk, and market risk. They can be measured using mathematical or statistical tools like value at risk etc. Some risk like country risk, operational risk, and reputation risk cannot be mathematically deduced. They can only be qualitatively compared and measured. Therefore, it is very important to identify and appreciate the risk and quantify. Risk measurement tools seek to capture variations in earnings, market value, losses due to default etc., arising out of uncertainties with different risk elements.


Mitigation

Having measured the risks, you need to decide how much risk you are prepared to take. Mitigating business risk is meant to lessen any negative consequence or impact of specific, known risks, and is most often used when business risks are unavoidable. For example, an automaker mitigates the risk of recalling a certain model by performing research and detailed analysis of the potential costs of such a recall. If the capital required to pay buyers for losses incurred through a faulty vehicle is less than the total cost of the recall, the automaker may choose to not issue a recall. Similarly, software companies mitigate the risk of a new program not functioning correctly by releasing the product in stages. The risk of capital waste can be reduced through this type of strategy, but a degree of risk remains.

Monitoring

You then need to review the outcomes from the process. Risk monitoring is a major element of risk management. Generally, it is mentioned as the last element, but it is certainly no less important than any other element. Risk management is just like any other management function and therefore includes a process of organizing and planning. Once the basic risk management plan is in place, monitoring risk means reviewing and updating it continuously.


Stages of Risk Monitoring Process

Monitoring

Risk management is really an ongoing process. It is essential to ensure that all operational units of the bank function in consonance with the policies laid down.

A feedback system, perhaps as part of the management information system, is a must for the success of the risk management function.

Therefore, the arrangements for the monitoring process require the following:
• Well prepared and explained policies
• Appropriate reporting framework
• Appropriate Management Information System (MIS)
• Periodical review and evaluation
• A separate risk management team
• Clear delineation of duties and responsibilities


Risk Tolerance

Risk tolerance is the acceptable level of variation relative to achievement of a specific objective. This variation is often measured using the same units as its related objective. In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Therefore, an entity operating within its risk tolerances (narrow boundaries) is operating within its risk appetite (wide boundaries).

Risk Treatment

Risk treatment is the means by which an organization elects to manage individual risks. Risk treatments can also be called risk responses. As part of enterprise risk management, for each significant risk an entity considers potential responses from a range of response categories. Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction". Risk treatment can create new risks or modify existing risks.

Risk treatment can involve:

• Avoidance/Terminating is a response where you exit the activities that cause the risk. Some examples of avoidance are exiting a product line, selling a division, or deciding against expansion.

• Treating/Reduction is a response where action is taken to mitigate the risk likelihood or impact, or both.

• Transferring/Sharing is a response that reduces the risk likelihood and impact by sharing or transferring a portion of the risk. An extremely common sharing response is insurance.

• Tolerance/Acceptance is a response where no action is taken to affect the risk likelihood or impact.


Module 3

Soft Skills and Technical Expertise of an Effective Risk Manager


Soft Skills of an Effective Risk Manager

Most risk management training and courses are geared towards imparting professional knowledge to risk managers. The specialized training educates the participants in methodologies for conducting various risk reviews, audits and assessments. This is definitely a requirement for risk managers to be able to do their jobs effectively. However, risk managers also need a number of soft skills to be successful in their jobs, and there is limited focus on equipping them with these skills. In our book we will cover that topic as well. Listed below are five critical soft skills which a risk manager requires for conducting his/her job. The risk manager's role is different from a business manager's role. Hence, the nature and degree to which a skill is required depends on the job function. We have described below some aspects of a risk manager's role to emphasize the requirement for these skills.


Interviewing Skills

To do an audit, review or assessment, a risk manager needs to understand the business processes, requirements and criticality. For this, he interviews the business managers to obtain the required information. A risk manager needs the skills to draft questions and to assimilate and analyze information. The deliverables of the project depend significantly on the quality of the interview conducted. For example, in a fraud investigation, suspects and eyewitnesses are interviewed to gather evidence. In such a case, it is critical for a fraud investigator to have good interviewing skills.

Managing Virtual Teams

As business complexity is increasing, a risk manager has to work mostly with virtual teams. Risk management projects involve managing business operation team members from multiple business units and locations. Risk managers need to procure talent from different functions and locations to execute the project effectively. As a staff function, they do not have any authority over the resources, hence the intricacies of managing the team increase. Lastly, some of the projects are for short periods, so risk managers need to assemble the team and make it productive in a short period.

Communicating Bad News

Employees do not like delivering bad news to their bosses, as their survival and well-being depend on the favorable opinion of their boss. In the normal course of business, a risk manager is required to report on shortcomings of the business operations and, in crisis situations (for example: financial fraud, data thefts, physical security breach, fire etc.), to deliver extremely bad news to the management and employees.


In such situations, a risk manager should effectively deal with the negative emotions of the receiver of the news, and control his/her own emotional reaction while delivering bad news. Considering this aspect, risk managers require skills in delivering bad news through verbal and written communication.

Constructive Confrontation

Most employees like to avoid disagreements, confrontations and conflict in professional life. Secondly, conflict resolution is sometimes achieved through brute force and "might is right" tactics, with the senior generally winning. In such cases, the right cause and principle are sacrificed. The risk manager's job is to find problems and raise the contentious issues with the concerned business managers. In a few cases, this results in business managers reacting emotionally, taking the criticism personally instead of considering it a procedural or process issue, and thus creating a lot of political turbulence within the organization. Despite these factors, to be effective a risk manager needs to hold his/her ground and raise the problematic issues repeatedly.

Managing From the Middle

Risk managers are visible in the organization as their reports are submitted to the senior managers and circulated to the middle and junior managers. The risk manager's position and role create sensitive political situations in the organization. They need to manage the expectations of senior management and guide the juniors. A line manager of similar rank may need to manage his/her team and boss and super boss daily. Risk managers should possess extensive influencing and persuasion skills to be effective. This skill helps them manage the political situations sensitively.


Soft Skills of an Effective Risk Manager

The risk manager's role is becoming complex due to the changing economic scenario, globalization and advancement in technology. To be effective, besides having a firm grasp of regulations, laws, and risk management techniques, they require extensive training in soft skills. The success of a risk management department is very much dependent on the soft skills of the risk managers. Hence, heads of risk management departments should find the soft skill gaps in their team members and provide the required training.

Risk Manager Priorities

A professional services firm, EY, conducted a survey in which they interviewed 54 heads of risk and chief risk officers representing a selection of large, medium and small traditional and alternative financial institutions operating in different countries worldwide. The interviews covered strategy, horizon risk, risk appetite and governance, and themed risk areas such as investment risk, product/conduct risk, prudential risk, counterparty credit risk, operational risk, tax (FATCA/FTT) risk and reputational risk. The survey also covered practical areas, such as resourcing, prioritization, risk monitoring, systems and controls, and data/management information. One of the topics was how risk managers spend their time. The priorities in time allocations were recorded as follows:


[Figure: What are the relative priorities for Risk Management in terms of time spent?]

[Figure: What are the relative priorities for Risk Management in terms of themed area?]


The Top 5 Time Management Principles for Risk Managers


Principle 1: Allocate your time

You can do many things, but not everything. Before doing anything, ask yourself how much time you're willing to invest in every activity you do. Write those shares of time down so you're able to reference them regularly. Then, stick to your time budget, carefully investing the time in what matters and having the courage to let the less important stuff go. Don't be afraid to say no. Success and achievements are primarily determined by what you consistently invest your time in.

Principle 2: Focus your attention or use time boxing

If the previous principle was about allocating time for the things that matter, this one is about how well you're able to spend that time. Very often we just can't concentrate, even though we know what we should be doing. The best strategy for overcoming resistance and dealing with distractions and procrastination is to use time boxing. The concept is really simple: define blocks of time to work on tasks. Instead of working on a task until it's done, you commit to work on it for a specific amount of time. Once the end date is set, it may not be changed. If the date is exceeded, the work is considered a failure and is cancelled or rescheduled.


Principle 3: Be effective or use Pareto principle

Effectiveness is doing the things that get you closer to your goals. Efficiency is performing a given task (whether important or not) in the most economical way.

To find the right things you have to apply the Pareto or the 80/20 principle to your working environment.

Pareto’s Law can be summarized as follows: 80% of the outputs result from 20% of the inputs.

Alternatively, depending on the context:
• 80% of the results come from 20% of the effort and time;
• 80% of company profits come from 20% of the products and customers;
• 80% of losses come from 20% of the causes.

This means that if you have a list of ten items to do, two of those items will turn out to be worth as much or more than the other eight items put together.

Principle 4: Delegate

Effectively delegating to other people is one of the most powerful activities, creating value both for individuals and for the organization.

To delegate properly you should follow the 4 steps:
• Identify the guidelines within which the individual should operate. These should be as few as possible, but should include any restriction;
• Identify the resources;
• Set up the accountability standards that will be used when evaluating the results;
• Specify consequences (good and bad), or what will happen as a result of the evaluation.


Principle 5: Achieve work-rest balance and feel good about what you do

Take your free time as seriously as your work time. It is very important to define clear boundaries between work and rest. Whenever you forget this, you end up in a very ineffective state. People are more important than things. To apply this principle, take a one-minute self-assessment at the end of the day. Ask yourself: How was your day? Did you invest your time and energy according to your initial plan on tasks that really matter? Forget for a minute about your goals, focus on your journey and make life a priority. After all, if you're only making sacrifices and not enjoying your life, what's the point of being productive?


This is the end of the last module of this book, Module 3: Soft Skills and Technical Expertise of an Effective Risk Manager. Did you enjoy the book?

Check your knowledge by taking the multiple choice Quiz 3. Click on this link http://globalriskacademy.com/courses/breaking-into-risk-management-in-banks?product_id=45290&coupon_code=FREE to download the complete course and take the quiz for FREE!

CONGRATULATIONS! You have successfully completed the course Breaking Into Risk Management In Banks.



Conclusion

Risk Managers’ influence is growing at the highest levels, and also further down the chain of command with line managers. The latter increasingly view the Risk Manager as a partner in their key business discussions, whether around digital technology, HR, Research and Development or supplier and partner selection. Risk Management opens up promising career opportunities and an attractive compensation package, which often includes bonuses and profit sharing.


Glossary of Risk Management Terms

The Glossary of Risk Management Terms is designed to help those within and outside the Risk Management industry to communicate effectively. It has definitions of the most commonly used terms and abbreviations. This glossary is a practical guide to risk management terminology and vocabulary. Although every effort has been made to present accurate and up-to-date definitions, the list of terms is intended to be of a general nature only and is not necessarily comprehensive, as Risk Management is a complex field and changes rapidly.

Acceptable risk
The part of identified risk that is allowed to persist after controls are applied. Risk can be determined acceptable when there is slack of money or when further efforts to reduce it would cause degradation of the probability of success of the operation, or when a point of diminishing returns has been reached.

Communication and consultation
Continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders and others regarding the management of risk. The information can relate to the existence, nature, form, likelihood, severity, evaluation, acceptability, treatment or other aspects of the management of risk. Consultation is a two-way process of informed communication between an organization and its stakeholders or others on an issue prior to making a decision or determining a direction on a particular issue. Consultation is:
• a process which impacts on a decision through influence rather than power; and
• an input to decision making, not joint decision making.

Control
any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Controls include any plan, process, policy, device, practice, or other actions which modify risk, and organize and direct the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Controls may not always exert the intended or assumed modifying effect.

Enterprise-wide risk management (ERM)
a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.

Event
occurrence or change of a particular set of circumstances. An event can be one or more occurrences, and can have several causes. An event can consist of something not happening. An event can sometimes be referred to as an "incident" or "accident".

External context
external environment in which the organization seeks to achieve its objectives. External context can include:
• the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
• key drivers and trends having impact on the objectives of the organization; and
• relationships with, and perceptions and values of, external stakeholders.

Identified risk
That risk that has been determined to exist using analytical tools. The time and costs of analysis efforts, the quality of the risk management program, and the state of the technology involved affect the amount of risk that can be identified.


Inherent risk
the risk to an entity in the absence of any actions management might take to alter the risk's likelihood or impact. These risks may result from an entity's industry, strategy, and environmental factors.

Internal context
internal environment in which the organization seeks to achieve its objectives. Internal context can include:
• governance, organizational structure, roles and accountabilities;
• policies, objectives, and the strategies that are in place to achieve them;
• the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
• perceptions and values of internal stakeholders;
• information systems, information flows and decision-making processes (both formal and informal);
• relationships with, and perceptions and values of, internal stakeholders;
• the organization's culture, the integrity, ethical values;
• standards, guidelines and models adopted by the organization;
• form and extent of contractual relationships.

Impact
represents the potential effects and consequences that a given event could have on an entity and its objectives. An event can lead to a range of consequences. A consequence can be certain or uncertain and can have positive or negative effects on objectives. Events that have positive effects represent opportunities and those with negative effects represent risks. Consequences can be expressed qualitatively or quantitatively. Entities often describe events based on severity, effects, or monetary amounts. Initial consequences can escalate through knock-on effects.

Level of risk
magnitude of a risk, expressed in terms of the combination of consequences and their likelihood.

Likelihood
the possibility that an event may occur. It can be defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and it can be described using qualitative terms (such as high, medium, and low) or quantitative measures (such as a percentage and frequency).

Monitoring
continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. Monitoring can be applied to a risk management framework, risk management process, risk or control.

Operational Risk Management (ORM)
a continuous, systematic process of identifying and controlling risks in all activities according to a set of pre-conceived parameters by applying appropriate management policies and procedures. This process includes detecting hazards, assessing risks, and implementing and monitoring risk controls to support effective, risk-based decision-making.

Residual risk
the portion of total risk remaining after risk treatment has been applied. Residual risk comprises acceptable risk and unidentified risk. Management must decide whether this residual risk is within the entity's risk appetite. Residual risk is also known as "retained risk".

Risk analysis
process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment. Risk analysis includes risk estimation.

Risk appetite
amount and type of risk that an organization is willing and prepared to accept as it tries to achieve its goal and provide value to stakeholders. Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable. It reflects the enterprise's risk management philosophy, and in turn influences the entity's culture and operating style. Many entities define their risk appetite qualitatively, while others take a more quantitative approach.

Risk assessment
overall process of risk identification, risk analysis and risk evaluation.


Risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk.

Risk aversion
attitude to turn away from risk.

Risk criteria
terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives, and external and internal context. Risk criteria can be derived from standards, laws, policies and other requirements.

Risk exposure
the consequences, as a combination of impact and likelihood, which may be experienced by an organization if a specific risk is realized.

Risk identification
process of finding, recognizing and describing risks. Risk identification involves the identification of risk sources, events, their causes and their potential consequences. Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

Risk management
coordinated activities to direct and control an organization with regard to risk.

Risk management plan
scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk. Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities. The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.

Risk management policy
statement of the overall intentions and direction of an organization related to risk management.


Risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk in order to provide reasonable assurance regarding the achievement of the organization's objectives.

Risk map
a graphic representation of likelihood and impact of one or more risks. Risk maps may plot quantitative or qualitative estimates of risk likelihood and impact. Often, risk maps are referred to as “heat maps” since they present risk levels by color, where red represents high risk, yellow moderate risk, and green low risk.

Risk owner
person or entity with the accountability and authority to manage the risk.

Risk profile
description of any set of risks. The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.

Risk register/risk log
a master document that records identified risks, their severity, and the responses to be taken.

Risk source
element which alone or in combination has the intrinsic potential to give rise to risk. A risk source can be tangible or intangible.

Risk evaluation
process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment.

Review
activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. Review can be applied to a risk management framework, risk management process, risk or control.


Stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. A decision maker can be a stakeholder.

Total risk
The sum of identified and unidentified risk. Ideally, identified risk will comprise the larger proportion of the two.

Unacceptable risk
That portion of identified risk that cannot be tolerated, but must be either eliminated or controlled.

Unidentified risk
That risk that has not yet been identified. Some risk is not identifiable or measurable.