Executive Head-to-Head: Strategic risk management

Here Graham Mellor, from Basis Point Group, and Andrew White from Reuters discuss the essentials of risk management.

Strategic risk management is often seen as a discrete function of a dedicated department within financial services. What are the benefits of this approach, and what are the risks?

GM. Strategic risk management is critical to improving the resilience of firms. Over time a discrete function deploying the right people with clear roles should provide the value-added focus to make risk management an integral part of the business.

A proactive risk team that raises firm-wide awareness and mitigation of risks if invaluable to a firm if it can implement judicious, operationally practical methods that assist management and staff at all levels. Risk management units have already enhanced many boards’ ability to understand conflicting priorities and better manage operational integration to establish the right balance in a firm’s investments in information systems and resources, front-back.

Risk managers must be closely aligned with peers in all business lines, provide relevant, actionable information, and be seen as a proactive element of corporate development. The team must constantly review and refresh the ‘science’ of risk management while determining the best approach to monitoring exposures as new products and instruments evolve.

AW. It is absolutely essential to ensure guaranteed independence of a risk management department within an enterprise – keeping its management, reporting and auditing separate from business units. The advantage of this is the ability to provide an accurate, enterprise-wide view of risk measures that significantly benefits the direction and management of the business. With the relatively recent understanding of these benefits the pressure is on (understandably) to provide this capability at a department level.

Ensuring that high-level risk management polices and controls are implemented in practice on the shop-floor is important. How can risk managers ensure that procedures are embedded and applied across the business?

AW. It is important that this direction and empowerment of risk managers comes from the very top of the organisation – ideally the board. With this level of backing organisations can implement the necessary audit and risk control processes. The growth in derivatives and plethora of complex products has made the risk managers job much more difficult – in order to have an accurate, consolidated view of risk, all systems involved in the risk management process must be cross asset class and provide comprehensive, flexible reporting and auditing capabilities.

GM. The secret is a judicious implementation of prescriptive and mandatory policies that provide useful and sensible controls. In much the same way highway codes and traffic signals influence driving practices, the risk management policies and controls must encompass embedded regulatory thinking as well as rules of reasonable behaviour to keep each system flowing smoothly.

Arguably, the selection process for financial professionals sets a far higher standard than a driving test, and risk awareness levels should be higher. There is no substitute for consistent, proactive, senior-level action combined with an ability to demonstrate context through formal measurement, attribution and communication of operational performance

The biggest challenge is that risk mitigation policies are viewed as imposed from above by the management and auditors. Risk systems have introduced additional overhead into line management responsibility without providing an obvious complementary benefit in process improvement. The quiet operations belief is that these policies fix blame for errors in operations, after the fact.

Advances in methods and clear, straightforward measures of operational performance that embody the essence of operations will eventually make risk management relevant across the board.

Good risk management relies on getting the right information and applying it at the right time. How can financial services firms improve the way they gather and disseminate information through their operations?

GM. There are three different major categories of operational risk, acts of God, fraud and processing deficiencies. Each category requires significantly different actions and thus relies on unique information, timing and availability.

The ability to design solutions that react quickly and appropriately relies heavily on: having people that understand the content, form and context of the risk; availability of appropriate information and the ability of the person receiving it to make use of the information in a timely and effective manner.

Understanding the detailed workings and interdependence of internal processes before information on external threats becomes relevant to line management is crucial.

We have found that unrecognised risks associated with client or counterparty failure can often be identified by employing our transaction stream analyses. Once you know what you are looking for it is much easier to find it and mitigate future recurrences.

AW. Most large firms work on centralised data warehouses. It has become critical for good practice and regulatory compliance to control the way data originates, is stored, used and redistributed. This becomes an even more complex undertaking when it comes to securities and structured products. Reuters actively contributes to this type of project through a comprehensive suite of enterprise data management capabilities.

Developing straight-through processing and automating transactions can help manage operational risk by removing the avenue for human error or fraud. But does the removal of human oversight bring its own risks?

AW. Where humans are replaced by a machine or process, we still have the need for the human element of overall management and control – and the handling of inevitable exceptions to the automated process – just like any automobile assembly line run by robots. These measures of control and management will still be open to human error and inherent risk – to this extent one can say that the only truly unavoidable risk is operational risk.

GM. I often think of straight-through processing as a utopian state: a condition we all strive to achieve but never quite reach. The main impediment being the inevitable catch-up lead-time required before even the best developers can enshrine the latest, evermore complex instruments and structures into front to back IT application architectures.

For many institutions, especially in IT ranks and consulting firms, STP is a ‘no brainer’ and is pushed as a strategy that should provide higher quality at lower risk. However, there are so many moving parts that even third-party investment service providers often struggle to stay abreast of rapid market change.

Maximising effective automation is in everyone’s interest. Unfortunately attempts to remove human error often create new unanticipated types of ‘non-conforming’, potentially fraudulent or erroneous transactions. Basis Point Group anticipates the new risks associated with increasingly complex investment strategies and products, helping firms measurably reduce processing risk while improving quality.

What is the biggest challenge facing the industry and its approach to risk management in your view?

GM. Basis Point Group understands that risk begins when we take a client’s money and that every avenue in the investment process should be monitored to maximise returns. Whereas the industry measures yields, returns and relative investment performance at extraordinarily minute levels, quantifying and mitigating losses attributable to often opaque operational processes is somewhat of an anathema.

Ensuring effective operational performance and minimising losses from this source should dictate the progressive introduction of an industry-standard mechanism for measuring operational performance, in a manner relevant to clients, consultants, mangers and the board.

Attempts to create consolidated indexes of operational performance measurement have failed largely because they attempt to consolidate key risk indicators in a quasi-quantitative measure that fails to answer the question ‘how did we do today?’ Basis Point Group has bridged this gap with the OPERA Indices, providing a single quantitative measure of operations performance and volatility.

AW. The biggest challenge is to extract the true potential of risk management. Generally speaking risk is currently not proactively managed. More likely it is calculated, assessed and reported – and as such the potential contribution to the active management of the business is yet to be realised. If businesses can move risk management from a position of ‘required’ spend into a leveraged, strategic investment in competitive position they will benefit from improved management of business capital for a better return.

BIO

Graham Mellor is Basis Point Group’s lead Partner in London and is a former regional board-level Managing Director with UBS and PIMCO and financial markets strategy consultant with PwC. His expertise includes directing corporate development, aligning/integrating business, operational and IT strategies, governance and compliance for top tier capital markets and investment firms.

Andrew White is Global Head of Trade and Risk Management at Reuters. White joined Reuteres in 2005 from Misys, where he was CEO within the Banking Division, and before that he was COO at Marlborough Stirling plc. He has over 20 year’s experience in the banking and financial services software industry including stints in the US.