A wake-up call to the financial services industry sounded this Spring, with the second largest bank failure in history—Silicon Valley Bank—alongside the collapse of Silvergate Bank, Signature Bank, and First Republic Bank. Risk management has been thrust onto center stage, with the renewed interest of stakeholders including investors, bank regulators, rating agencies, and the Senate Banking Committee.
There are two immediate takeaways that the financial services industry can start to act upon:
- Perform better data analysis, and
- Ensure your enterprise risk management (ERM) function is equipped with the tools, processes, and resources required to support your Chief Risk Officer (CRO).
Benefits of ERM
An effective ERM function helps maintain compliance and avoid regulatory criticisms and adverse reputational events. Strong ERM processes and systems, when in place, assist the risk function to be more of a revenue enabler than an inhibitor of growth and change. In addition, a highly performing ERM function will lead efforts to identify risks and opportunities impacting the firm’s overall strategic objectives.
To be effective, though, an ERM function needs robust data and associated analysis.
Alignment of Strategy
Business strategies and risk strategies must be aligned, thus enabling risk management to effectively challenge the business when appropriate. Accordingly, the CRO, with support from their ERM function, can develop and present an informed point of view (POV). The CRO must have the proverbial “seat at the table” when strategies are discussed and established.
Risk strategies must be able to adjust to changes caused by internal or external environmental factors affecting the business. Business and risk strategies should be reviewed frequently (e.g., quarterly) to ensure continued alignment and execution as intended.
Unraveling Data Complexity
Sometimes identifiable risks reflect conjectures by a firm’s management that are derived from limited or incomplete information. Recent events remind us that even when risks can be identified with available data, incomplete or incorrect data analysis can obscure those risks. Information about Silicon Valley Bank’s (SVB) securities portfolio was public and reported by SVB’s finance division in its regulatory filings as illustrated below:
Increasing unrealized losses on SVB’s securities portfolio reached over $17 billion on 12/31/2022, representing 109% of the firm’s equity. In addition, 42% of securities were in long-dated maturities of over 15 years, and another 20% were over 5 years. The average duration of SVB’s fixed-income portfolio rose from 3.7 years in FY 2020 to 5.7 years in FY 2022. These long-duration assets were held against short-duration deposits, which resulted in a fatal mismatch of assets and liabilities. Further, SVB’s interest rate risk management was almost non-existent. The value of interest rate swaps (aka hedge or risk mitigation) declined by 65% over this same two-year timeframe, leaving the bank critically exposed.
All the above information was discoverable, and management and the board could have acted upon it sooner.
So, What Does an ERM Function Do?
Historically ERM has been an aggregator and disseminator of information across the enterprise, but after recent events, more will be expected. ERM needs to support the CRO by delivering an informed POV derived from the following data:
|
|
Risk originates from a myriad of sources, whether internal (e.g., ineffective processes and controls, or balance sheet inequities as just seen in the market) or external (e.g., macro-economic, geopolitical, and regulatory). Such risks inhibit a firm from achieving its strategy if not recognized and addressed early. Data is crucial to successfully identifying risk issues and avoiding regulatory issues ranging from the least severe (a matter requiring attention, or MRA) to the most extreme (a cease-and-desist order). The same data elements can also be used to identify emerging market, credit, and operational risks that can harm the institution’s financials. Sometimes the speed, volume, and diversity of data available can be daunting to assimilate and utilize. Therefore, firms must invest in the people, processes, and systems needed to mine and manage data. |
|
|
Assessing and prioritizing risks is always challenging given the number of risk assessments performed at a firm. These risks are generally financial (i.e., interest rates, capital, and liquidity) and non-financial (i.e., compliance, operational, anti-money laundering, privacy, or cyber). ERM must look across the enterprise and discern which issues rise to the top as requiring attention. Firms must sharpen their analysis to determine those risks that are most impacting strategic, operational, and compliance objectives. Data, when analyzed together with risk indicators, effectively confirms the firm’s actual risk profile, and causes management and the board to take action. Risk appetite statements are where the rubber hits the road. No longer can statements be high-level and nebulous to measure. Drill-downs are required with metrics that measure performance and indicate what could emerge. There is no better place than in ERM for investment in data ingestion, data models, and analytical tools, since ERM functions can no longer be just information aggregators. ERM must arm the CRO with a POV derived from quantitative analysis to support and effect the change desired at the management and board level. |
|
|
Effective risk response must evaluate the alternative actions of acceptance, avoidance, disposal, or mitigation of risk. An impact assessment can indicate which of these responses is the better choice. Any risk response, when taken, must be reviewed regularly to determine whether it is producing the desired outcome. Impact assessments cannot be performed for every risk identified. Therefore, firms should adopt a risk-based approach concentrating on the top and emerging risks. Impact assessments should be done in collaboration with the business and support functions where risk resides. Risk modeling techniques can be utilized to integrate various data sources and then generate “what if” scenarios, with the integration of various data helping to bring a well-rounded and informed perspective for making a risk response decision. |
|
|
Monitoring takes many forms, with metrics reporting as the most common. Metrics must be dynamic and responsive to a changing and complex environment, with internal protocols established for identifying which metrics are relevant, need to be added, or should be retired. Metrics must have integrity and be derived from data that is consistently captured, measured, and reported to obtain accurate period-over-period comparisons. It is important to identify leading and lagging indicators. Tools exist to implement automated alerts and reminders linked to established data sources, which helps to reduce resource consumption, leaving opportunities for the forensic study of root cause and impact analysis. |
|
|
An effective ERM function addresses the risks of the enterprise by the timely and accurate reporting of them, effectively reducing the frequency and severity of both financial and non-financial surprises. The consistent capture, measurement, and reporting of data are again key to achieving this objective. Understanding the definitive sources of risk and financial data, and supporting its governance with structure, maintenance, and defined user rights, goes far to help management’s decision-making. Integrated technology platforms can assist with generating scheduled and on-demand reports that enable a real-time view of risks, no different than trading desks that receive live data feeds for market positions. |
Turning the Ship of Risk Culture
Implementing an effective ERM program often creates a cultural shift within the organization. It usually occurs slowly and is hard to measure. There is no single best practice to perform this measurement, but again, data analysis is crucial to understanding behavioral risk amid culture change. Indicators of cultural change include but are not limited to the timely and sustainable remediation of risk issues; training results that dispel repeated audit or regulatory findings; or a decline in customer complaints.
We cannot stress enough the importance of data. It is the key driver for the success of an ERM function, which then enables the CRO to support management and the board with a POV as they make decisions. Without the timely and accurate capture and interpretation of data, risk management is not complete, and the firm becomes vulnerable to shocks that could otherwise be avoided.
Author
