
The recent financial crisis is generally seen as a failure of risk management. This has sent shocks through the risk management world, both internally and in how we are perceived by the general populace. Many of the mathematical models and management tools are being reviewed and retested. In general, the mathematical models themselves are not seen as being a root cause; however, the way in which they are used and the gaps between them have been found seriously wanting.
Enterprise risk and governance (ER&G) solutions are the only way to address the two-pronged problem of ensuring the context in which risk numbers are calculated and used, and of raising trust in risk by providing proof of the veracity of the numbers. In fact, these should be the key goals of any enterprise risk and governance implementation project.
Model governance
It is now clear that many risk models make assumptions about the quality of their data inputs that may not hold water. It is therefore vital that all of these assumptions are challenged and controls are put in place to ensure that the data conforms to the model's requirements. An ER&G system can ensure that these controls and assumptions are tested and can provide model results that include a 'level of confidence' based upon the quality of the control environment.
A second area of concern is that the assumptions underlying many models have not been clearly understood by those relying on the results. To mitigate this risk, it is important that the assumptions are constantly revisited and that scenarios in which these variables are stressed are regularly reviewed. ER&G systems are the only place where full scenarios can be run to test these assumptions in a systematic, repeatable and auditable fashion.
A final concern about risk model governance surrounds the output results and how they are used. In many cases it was found that results were ignored or just not followed up. ER&G systems can define what happens upon a risk exceeding its limit and can report on the status of the associated action.
Gaps and relationships
A key failure of institutions' risk frameworks has been a lack of understanding of the causal relationships between different risk types. It is now understood that many risks are interrelated and models that do not take this into account are fatally flawed. Increasingly we see that control failures, risk events, policies, risk models and management issues are all part of a 'fluid network' of risk that changes as the business changes. Each node in this network must be understood in the context of the other nodes surrounding it. For example, when reviewing a credit loss it is important to know whether any controls were breached, whether there have been similar losses in the past, whether the credit was issued within the bank's policy, whether the loss breached any assumptions in the risk model, whether it was due to a market risk loss on the underlying security, and so on. ER&G systems can enable risk managers to start mapping these relationships so that they can be understood even if they cannot yet be accurately modelled.
Proof
Due to the crisis of confidence in risk management caused by the financial meltdown, all of the above actions must be taken in such a manner that they are open to scrutiny by any interested parties. As is demonstrated by plans for new regulations such as Solvency II and Basel III, regulators, investors and senior management are all now very interested in risk management processes and approaches and will no longer allow 'black box' techniques that cannot be inspected and reviewed. There needs to be a clear audit trail of all the parts of a risk framework, be they calculation models or manual processes.
Only by implementing an enterprise risk and governance solution can you ensure that your risk processes and calculations are open to scrutiny and peer review.
About
Richard Pike, Wolters Kluwer ARC Logics, has more than 15 years' experience in risk management and has analysed, designed and managed the development of core risk management systems for large international financial institutions. He was recently chosen as one of the 50 most influential people in operational risk by Operational Risk & Compliance magazine.