Syahril Nizam Hasan, Chief Risk Officer, Manulife Malaysia
What is risk management? Is it a pre-audit function or is it a close associate of compliance? Why do we manage risks? Is it necessary to have dedicated personnel managing risks for a particular company? I'd like to say that risk management is a distant cousin of both audit and compliance, and it should be embedded within the business or risk unit instead of sitting outside the business units. In short, risk management is seen as a vehicle that drives the business to an optimum decision, keeping the threats, opportunities, weaknesses, and challenges in perspective.
High-risk, mature businesses could reduce their dependency on independent watchful eyes tracking and observing adherence to risk management's expectations. In short, if the company is mature in managing its day-to-day challenges and weaknesses, business-as-usual (BAU) resources are more than adequate for meeting risk management's expectations. However, would that mean the end of the risk specialist? I still beg to differ. As long as businesses rely on human capital to manage risks, there will always be ongoing questions about integrity and discipline.
In today's continuous business evolution, managing uncertainty to avoid vague and less predictable outcomes is of the essence. The ability to predict and foresee the worst in an unforeseen market outlook becomes increasingly crucial for business continuity. For instance, how much capital would a company need to set aside to manage risks? How long does a company expect to tolerate interim losses from its long-term investments to avoid a liquidity crisis? What are the steps and mitigations required to manage the foreseeable barriers? It would work wonders if anybody could time disasters with such precision. While risk management provides tools to measure foreseeable weaknesses and challenges, the unforeseeable risks are what matter most. Innovation and performing beyond the norm are the new frontier that makes evolving/emerging risk management crucial. Of late, stress and scenario analysis has become the norm for gauging the impact of unforeseeable factors or evolving risks beyond normal market conditions.
Disruption to the ordinary line of business is becoming a persistent threat to a company's survival. As such, new ways of managing risks and a new business strategy that outlines weaknesses and challenges are crucial to ensure the continuity and survival of a business.
The days of absolute monopolies in the business industry are gradually coming to an end as continuous business enhancement comes into demand. This in turn requires robust evolving/emerging risk management that has clear business continuity in mind. Having said that, the question arises, "Could my product line become obsolete/irrelevant?"
As risk management stands between good governance and acceptable business objectives, it is important to keep the balance between these various expectations. If it is overly skewed towards one goal, risk management becomes less effective. In order to mitigate uncertainty in risk management decision-making, the Chief Risk Officer (CRO) or the head of an equivalent position must command the right experience, technical know-how in risk management and strong leadership traits to ensure its continued independence.
Being independent is easier said than done. An effective CRO would know how and when to intervene and escalate material that matters to the various levels of authority. Senior Management Team and Board members have different approaches to managing as well as understanding a particular risk. An effective CRO would take the time to evaluate and understand each and every member of the committees to gauge the right amount of information to share. Additionally, a good CRO should know when to escalate risk to a higher authority using a guided and structured framework. The use of key risk indicators (KRIs), risk tolerance limits and risk appetite should guide the CRO on when, whom and what needs to happen when certain tracked risks emerge and require immediate action and attention. Bear in mind that Senior Management and Board members dislike the escalation of false alarms, which trigger unnecessary action and attention.
In earlier write-ups, I mentioned KRIs/risk tolerance limits, which form a foundation for what, when and how to measure risks as well as the set of action plans to mitigate risks. While that may sound easy to understand, the challenge lies in the details of choosing appropriate KRIs for the risk-taking units to use. The advantage of KRIs/risk tolerance limits is that they can be used to track all types of risks, both financial and non-financial.
Similarly, a risk tolerance limit could also be used to gauge and assess the level of market risk (classified as a financial risk) that requires immediate attention, or the level of alert when it hits a certain risk threshold: value at risk or earnings at risk. Incident, loss date or event is another popular tool to assess and gauge the strength of the existing internal controls for managing foreseeable risks. This tool is also useful in gauging whether the risk-taking unit has already gauged and assessed the newly identified risk for consideration. While traditional risk management tools focus entirely on normal market conditions, these tools are meant to assist in gauging situations that are beyond normal market conditions. One worst-case scenario analysis that could raise the question of business continuity is an imaginary situation of a massive leak of customers' information leading to legal action as well as punitive regulatory action. The key scenarios are basically the worst-case situations that are beyond the risk appetite the business is willing to take. Robust risk management provides stewardship for strong business acumen that could forecast business opportunities. Risk management does not tell the risk-taking unit exactly what to do; however, it alerts the unit to the potential consequences. Even if a risk materializes, the business could still accept the risk by increasing its appetite for risk exposures that are beyond its pre-agreed threshold.
The key is to escalate such a situation to a higher authority with a clear set of action plans if the increasing level of risk is accepted.