The notion of risk has shifted over the past few years, from being an interesting but largely peripheral management concept to becoming a vitally important management practice. In part, this is a response to the 2008 financial crisis and a more rigorous regulatory environment, but that is not the whole story. It also reflects a growing appreciation that risk, and risk management, is a part of the business to which financial services companies need to pay greater attention.
This has been highlighted by the problems at The Co-operative Bank, which almost collapsed in 2013, and which now faces regulatory fines from the Financial Conduct Authority and the Bank of England over its capital shortfall in the period after the financial crisis.
James Lam, a specialist risk management expert who is widely credited with coining the term ‘chief risk officer’ back in 1993 when he worked in that capacity at GE, says: “Early on I had predicted that the role of CRO would become prevalent and that has come to fruition. I think it was becoming more accepted globally in any case, but the financial crisis was a strong wake-up call for those on the sidelines or on the fence.”
Lam and Hanna Kam, CRO at insurance group Hiscox, highlight four areas in particular which CROs need to address in order to improve their companies’ risk culture:
1. “Spotting ‘black swans’ [an event that deviates beyond what is normally expected of a situation and that would be extremely difficult to predict], such as cyber threats, global warming, pandemics is one thing, but how do you spot a ‘grey swan’ [an event that can be anticipated to a certain degree, but is considered unlikely to occur and may have a sizeable impact on the market if it does occur]?” asks Lam. “How does a business change its risk appetite or capacity when it becomes troublesome?”
2. Lam adds that there needs to be a good risk performance feedback loop. CROs must ask themselves what they are trying to measure and how the board knows that it is working effectively. “You can say, ‘Well, nothing bad has happened’ – in other words, that there have been no negative surprises, such as at Volkswagen recently, but that’s a negative proof. The key objective of risk management is to minimise unexpected earnings volatility – I want to be a risk optimiser rather than a risk minimizer, so earnings volatility is not necessarily a bad thing, but I don’t want it to be unexpected.”
3. Keeping staff engaged is imperative to good compliance, says Kam: “It’s a tricky area to get right because it’s all about people. That makes it a very dynamic and alive area to be working in, but there are some people who want to hang on to the legacy position, or who don’t want change, or who do but want different changes. But we are on the right path at Hiscox, we have a very solid building block, the board is engaged and that cascades out across the business.”
4. Lam concludes that CROs should keep key stakeholders informed: “Risk management monitoring and reporting needs to be continuous and distributed to the decision-makers throughout the company. These are the ways in which we will get to best practice.”
The original version of this article was published in the December 2015 print edition of the S&IR.