An essential element of successful enterprise risk management is a risk oversight function that protects the bank from excessive risks without crippling the bank's ability to make money by taking smart, well-calculated risks.
By now, most banks beyond the smallest community institutions have a risk control unit of some kind reporting to a Chief Risk Officer. But few such CRO positions were created by an enthusiastic management. Most were created in response to compliance pressures from regulators, rating agencies, and other watchdogs.
These watchdogs expect the CRO to have the capability and clout to detect and prevent excessive risk-taking by the bank's businesses.
But a risk unit created and structured solely to appease the compliance watchdogs is likely to fail.
An effective risk unit must not only know when to say NO; it must also know how to help generate attractive opportunities to say YES.
Blending independence and cooperation
To be effective, a risk unit must achieve the right combination of independence from the business units and partnership with the business units.
Independence from the business units means that the risk unit must:
• Report directly to the CEO or CFO and have independent access to board members.
• Have the authority to intervene, if necessary, to curtail excessive risk-taking.
• Have unrestricted access to any and all information relevant to assessing and monitoring risks.
• Be the driver of enterprise risk policies.
• Be the driver of risk assessment methodologies.
Partnership with the business units means that the risk unit must:
• Be plugged into day-to-day business flows so that the risk unit knows how the business units make money.
• Collaborate with the business units to raise and resolve issues quickly, before they get out of hand.
• Readily share information and ideas with the business units. Identify opportunities for smarter risk management. Be open to constructive criticism and suggestions from the business units.
• Engage in open and honest debate with the business units based on mutual respect.
Ways the recipe may come out
The way management combines independence and partnership will result in one of three models for the risk unit:
1. Bureaucracy results from High Independence and Low Partnership.
A purely independent risk unit is likely to be excessively risk averse, be remote from the business units, and have a poor understanding of the businesses it is trying to control.
It will slow decision-making and limit the growth of healthy business that embodies sound risk/return tradeoffs.
And--ironically--it may miss dangerous risks hidden from its limited view.
2. Captive results from Low Independence.
The captive risk unit simply cannot be objective about the risks being taken by the businesses. The result is likely to be excessive risk-taking.
3. Hybrid results from High Independence and High Partnership.
The hybrid risk unit promotes smarter risk-taking and healthy growth. It has the knowledge and the clout to curb excessive risks but it also knows the business and is in a position to weigh the downside against the upside.
Making Hybrid happen
It's obvious that Hybrid is the right model, but can you achieve both high independence and high partnership?
Like most good things in life, it is not easy, but it can be done if top management:
• Attracts and rewards talented risk people that can earn the respect of the business units.
• Commits to building the information and analytics capabilities required for well-reasoned and timely risk decisions.
• Includes risk people in the day-to-day process of making important business decisions.
• Gives risk people the authority they need to do their jobs.
• Makes it clear to the organization that good risk management is a vital part of compensation and promotion decisions.
By following the Hybrid model for the risk unit, management can both protect the bank and enable healthy growth.