During the past 18 months, we at Egon Zehnder International have examined the enterprise risk management (ERM) practices at 10 major global banks, and the good news is that all of them see ERM as a strategic imperative. They recognize that risks of all kinds — not just credit, market, and liquidity risks — can threaten their performance and even their viability. And they embrace ERM’s central principle, that risk is best addressed holistically. The bad news is that translating that principle into practice isn’t always successful.
Barriers to achieving genuinely integrated ERM include:
- Everyone operating in default mode. Although boards recognize that they bear ultimate responsibility for risk management, they often default to the chief executive officer, who, in turn, defaults to the chief risk officer to see that ERM is operational.
- Ambiguous mandates and limited resources for supporting holistic ERM. Business and functional verticals, including the CFO team, are budgeted to accomplish their operational tasks, leaving the leaders of those verticals no time, resources, or incentive to engage with the broad and integrated risk picture.
- Risk is siloed in functional and business verticals. Below the level of CRO, risk officers oversee tightly defined areas of an organization’s risk — and lack the authority and credibility to influence the wider organization. In fact, the risk function itself is often a silo, largely devoted to setting and monitoring quantitative risk parameters and leaving holistic risks, such as reputational risk, to others.
- There is no mechanism for addressing risk holistically. While the board, CEO, CRO, and executive committee may address various kinds of risk issues as they arise, there typically is no cross-functional, organizationwide forum (or only a limited one) where those issues converge and are addressed holistically.
In the face of these obstacles, ERM in many organizations remains fragmented and provides poor visibility of risks. As recently as two years ago, for example, no one was contemplating the risks of robo-signings and other foreclosure problems. In other cases, risk limits were determined through financial analysis without regard to public perceptions of “reasonable risk taking.” Continued fragmentation of ERM, in fact, promises more such unforeseen mishaps in the future.
Getting It Right
Recognizing the limitations of a default-mode, fragmented approach to ERM, some organizations have responded by establishing a head of ERM to integrate risk issues. This, too, is more of the same, however — the only difference being that the integration itself is defaulted into one role.
To better affect the wider organization, one CRO we worked with had the head of ERM as his direct report, with the CEO as primary advocate of best ERM practices. But the CRO and the CEO failed to align the executive committee with the scope of the ERM leader’s mandate. As a result, ERM didn’t elevate its influence and remained another function within the various business verticals.
One institution that has gotten it right started with a full analysis, considering all the different types of risk it faces: credit, market, liquidity, operational, legal, compliance, strategic, and reputational. Understanding that managing those risks is a multidimensional problem in which any element can influence another, it looked for the nexus where they all converge. It concluded that the convergence point is the bank’s reputation: anything that goes wrong can adversely affect the way the bank is viewed by stakeholders, the industry, regulators, policymakers, legislators, and the public.
With a mandate from the board, and coordinated by its risk committee, the bank set up a new ERM infrastructure, consisting of a group reputational risk committee and a regional reputational risk committee. Each committee is composed of leaders of the business verticals and the top financial, risk, legal, and audit officers of the bank. Both committees meet regularly to explore the implications of any activity: client portfolios, customer experiences, deal activity, and virtually anything bank-related.
Most importantly, the committees explore how the risks involved in any of those activities might impinge on each other and the bank’s reputation. On the group committee, for example, the CRO might report on the quantitative limits of a particular trade. The other members of the committee could then explore what legal, political, or other repercussions might occur if the maximum risk were realized, and how those things might translate into reputational consequences.
The discussion could result in any of the various responses to risk: avoidance, reduction, sharing, or even acceptance of the trading position. But whatever the response, the bank would know all of the implications had been considered. Recent trading debacles, though only a drop in the bucket for the institutions financially, might have been avoided through similar holistic vetting, which enables not only more considered responses to interrelated impacts but also integrated responses to multiple risks.
Key to Success
Institutions do not necessarily need to establish stand-alone, cross-functional ERM teams. The holistic consideration of risk could be performed just as effectively by the executive committee, as long as sufficient time is regularly allocated to the process. All of the functions and business verticals are represented there; the risk considerations from all key areas converge there, meaning enterprise risk can become a natural part of its deliberations and decisions.
Because the vehicle for creating holistic ERM is necessarily the team, the key to success is team effectiveness at both the board level, including the risk committee, and the executive-committee level, where the CEO directs the implementation of the board’s mandate.
Making sure a holistic ERM team is effective requires a close look at three critical elements: the competencies of the team leaders, the competencies of individual team members, and the attributes of the team as a whole.
An effective board, instead of deferring to the risk committee or one of its members or defaulting to the CEO, communicates a fully realized vision of risk to the chief executive. And then, if the executive committee is effective as a team, each member — exchanging perspectives across the table — comes to own enterprise risk equally.
Each member gains a unified, integrated view and takes it back to his or her area of responsibility. Moreover, as the habit of holistically viewing enterprise risk cascades downward, everyone comes to own enterprise risk individually. Over time, the institution creates — and continually refreshes — a culture in which it becomes second nature to strive for the ultimate goal of ERM: an enhanced capacity to increase stakeholder value by more effectively dealing with the risks and opportunities offered by uncertainty.
Rob Sloan is managing partner of the financial-services practice at Egon Zehnder International, a global executive-search firm.