KPMG, in partnership with The Economist Intelligence Unit, conducted a survey of over 500 senior risk management officers in the banking industry worldwide in October 2008. They were questioned about what role risk management played in the current economic crisis and how enterprise risk management would be used going forward. KPMG compiled this report about failures that led to the banking credit crisis and how risk management can be improved to prevent these types of catastrophes in the future.
Several themes in banking culture’s use of risk management helped allow the current credit crisis: weaknesses in risk culture and governance, gaps in risk expertise at the non-executive Board level, lack of influence of the risk function, lack of responsibility and accountability of those on the front line, a compensation culture too oriented towards year-on-year profit increases, and business models that were overly reliant on ample market liquidity.
To help businesses learn from these pitfalls, the report identifies several steps to improve risk oversight in organizations going forward. Businesses must ensure personnel in the risk management position and at board level have greater knowledge and experience. This requires effective communication throughout the organization. Finally, these components will ensure a three-tiered approach to risk management, where the business unit is the front line, followed by an independent risk management team, and the oversight of internal audit.
Just under half of the respondents believe their boards of directors lack risk knowledge and experience. Unfortunately, not many of the respondents indicated any plans to address this concern. A quarter of the respondents see no need for a separate Risk Committee. Ironically, a huge majority feel that greater “tone at the top” is key to transforming risk oversight in organizations going forward.
Clarifying Role of the Risk Management Function
Unfortunately, many banks that employed a risk manager did not show an advantage in avoiding the credit crisis. Part of the failure is tied to the fact that the risk management function was being used primarily in a support or regulatory role. The survey found that 76% of the respondents still believe that risk management is stigmatized as a support function. Risk managers were not consulted on the majority of major projects or on day-to-day activities. Most of their involvement was in traditional risk assessment activities related to pricing, loans, deposits, etc.
To strengthen risk oversight, the risk management function should serve not in a regulatory or support role but as a central component of business strategy. Almost 80% of respondents are planning to increase the risk management role. Corporate executives are planning to discuss risk more frequently, and the CRO or risk management team will be included at the planning stages of items such as strategy development, new product development, entry into new geographic areas, mergers and acquisitions, capital allocation, and investments in new technology.
Linking Compensation to Risk Oversight
In many instances, existing compensation plans may have unintentionally created strong incentives to take on undue risks in order to meet pre-specified compensation targets. In those instances, boards observed performance targets being met, but were unaware of the excessive risk-taking that was present. Over 52% of the respondents believe incentives and remuneration policies contributed to the credit crisis.
Boards are beginning to explore the linkage of compensation incentives and risk management, and are looking for ways to increase long-term incentives and risk-adjusted performance measures. An independent risk management team could help create compensation policies that reward long-term profitability and staying within the company’s risk appetite. Some (36%) argue that regulators should become more involved in the setting of remuneration in the banking industry.
Placing the risk management function at the center of most decisions requires very knowledgeable and talented staff. Many executives said that lack of experience was part of the reason for the current banking crisis, but also stated they believed they had enough in-house knowledge to move forward with a more successful enterprise risk management strategy. The CRO must have risk management skills and a range of practical experience. If banks don’t address these skill needs, many organizations may continue to lack rigorous risk oversight talent.
In order for a centralized risk management team to affect most business practices, the organization must have clear and free-flowing information. The executives surveyed cited lack of communication as a top reason for falling into the credit crisis. The entity’s risk appetite should be clearly defined and communicated to every silo. Senior management should be kept aware of major developments and risky decisions made at the customer level. This means a governance system needs to be established that helps identify risks and the individuals’ role in mitigation. For example, the chairman of Banco Santander stated that “Banco Santander Board’s Risk Committee meets for half a day twice a week and that the Board’s 10-person executive committee meets every Monday for at least four hours, devoting a large portion of that time to reviewing risks and approving transactions.” This places risk management at the table for major transactions and cumulative ordinary activities.
The risk manager’s heightened role and pervasive communication described above should be used as part of a three-tiered approach. The business unit is the first line of defense, followed by the risk committee and supervised by the audit committee. KPMG assesses that this will create a culture where “…everyone should consider him or herself a risk manager with a shared understanding of the organizational risk appetite, underpinned by a clear governance structure for managing risk…” Employing a fully integrated risk management strategy will help identify future possible risks and keep the entire company in line with current risk policies.