This article, published by the Economic Intelligence Unit,  proposes ten practical lessons learned from the current financial crisis that companies can use to help address perceived weaknesses in risk identification, assessment, and management.  These findings are the result of academic and industry research and a series of interviews with senior risk professionals, financial services participants, and academics.  Findings are directed primarily at financial institutions but are widely applicable to other industries.

Risk Management Must Be Given Greater Authority

Risk management has been occupying increasingly senior positions in corporations in recent years and investment in risk management has been rising.  However, risk managers’ opinions and concerns often become secondary when there are profit opportunities.  To be effective, risk managers need to be an independent function with sufficient authority to effectively challenge risk-takers.  Companies should consider if risk professionals have appropriate authority in the organization as well as if the company appropriately balances authority for risk management and the profit-making objective.

Senior Executives Must Lead Risk Management from the Top

For risk management to gain sufficient attention in an organization, it must be led and supported by the most senior levels.  Risk management should be the role of senior management, elevating the authority of risk management and allowing this risk focus to filter through the organization to build a pervasive risk culture.  The board should also exercise appropriate oversight of risk; this is often accomplished through an audit or risk committee.  Organizations should consider if their leadership is providing suitable tone from the top in setting risk management expectations, if there are appropriate committees in place to review risk management practices, and if there is an individual in the organization with overall responsibility for risk management.

Institutions Need to Review the Level of Risk Expertise in Their Organization

Companies should ensure that they have sufficient risk expertise, particularly at the highest levels.  These individuals should have the tools and information to understand the company’s risk appetite and positions and there should be channels of communication to ensure risk information is passed to the appropriate individuals.  Companies should consider if executive management is aware of the main risks facing the company and their potential impact.  Companies should also ask if senior management is able to understand the true risk picture or if information is filtered as it rises through the hierarchy.

Institutions Should Pay More Attention to Risk Model Data and Combine Model Output with Human Judgment

There has been a recent trend for quantitative techniques to replace human judgment in measuring risk, in part due to the increasing complexity of quantitative modeling.  However, models, no matter how sophisticated, are always limited by the quality of the data and they often magnify small input errors.  Because of these concerns, people need to remain responsible for making risk management decisions, and human judgment and qualitative approaches should accompany any quantitative methods used.  Companies should consider the sources of information used to understand their risk position, the extent the company relies on historical data, and the extent human judgment is used in risk management.

Stress Testing and Scenario Planning Can Help Executives Respond Appropriately to Events

Stress testing and scenario planning, always important tools in risk management, are regaining importance as some of the problems with quantitative models have come to light.  These techniques can help companies understand the impact of severe but plausible scenarios and prepare for highly unexpected events.  To be effective, stress testing should be integrated with a company’s overall risk management processes and have sufficient involvement from the board and senior management.  Organizations should consider if senior management discusses the impact of different scenarios on the company, if different scenarios are considered when setting long-term strategy, and if senior management tests its assumptions using a range of viewpoints.

Incentive Systems Must Be Constructed So That They Reward Long-Tem Stability

Incentives have to be carefully designed so that they do not encourage pursuing short-term profit without regard for long-term costs.  This is a key area for reform as there has been a mismatch between short-term incentive structures and long-term risk exposures.  Companies should ask if their corporate governance processes are sufficiently robust to ensure compensation issues do not cause reputational problems.  Companies should also consider the links between corporate performance and compensation to ensure they motivate and reward without encouraging behavior detrimental to long-term shareholder interests.

Risk Factors Should Be Consolidated Across All the Institution’s Operations

Companies need to look at risk on a firm-wide level to be able to identify and aggregate risks, as examining risks in silos can make it difficult to understand the interaction among risks.  There should be a risk culture where risk is a concern for all employees and there is clear and frequent communication across organizational boundaries.  Companies should also create a consistent data structure and IT architecture to enable aggregating risk at a firm-wide level.  Organizations should consider if they understand the interactions among different risk categories and any potential effects.  Organizations should also consider if there is a common risk language to ensure understanding across the organization.

Companies Should Ensure Appropriate Reliance on Data from External Providers

There has been criticism of credit rating agencies for their risk pricing models and their delay in downgrading securities.  Many question credit rating agencies due to the inherent conflict of interest that exists since they are paid by issuers to rate their securities.  These concerns highlight the need for companies to address overdependence on credit ratings and to supplement ratings with their own continuously updated analyses.  Companies should consider the extent to which they rely on external sources of risk information and their understanding of any limitations.

A Careful Balance Must Be Struck Between Centralization and Decentralization of Risk

There should be a central, independent risk function to set risk appetite, implement and monitor controls, provide oversight of a firm’s risk position, and aggregate risk information.  There should also be risk management embedded in regional or business units so each profit center takes ownership of its own risks and so that a risk culture is instilled throughout the organization.  Companies should consider the extent to which risk management is seen as a support function and ensure risks are identified and aggregated centrally.

Risk Management Systems Should Be Adaptive Rather Than Static

Assumptions about risk should be questioned and updated, feeding observations from the real world back into the system on a regular basis.  This enables risk management to correct inherent weaknesses and recognize and respond to changing business conditions.  By regularly monitoring changes, a company can adjust their overall risk appetite and risk limits for individual lines of businesses appropriately.  Companies should consider how frequently the company reviews and updates its assumptions about the risk environment and how that information is communicated to senior management.