A while ago I wrote that Risk and
Technology are the same thing with the theme that both need the bank’s line
of business leaders to be on board. Then, last week, I spent a few days at a
risk management conference and what astounded me is how many people work in risk
management, and how many varieties of risk there are.
A bit Heinz’s 57 varieties of baked bean, risk has got all sorts of
classifications: environmental, regulatory, external, reputational, without even
mentioning credit, market and operational risk. The result is that I found a
huge number of areas to consider including:
- Should the risk management be decision taking or decision advising the
- What levels of delegated authority should the function have?
- How integrated should risk management be with the audit and compliance
- Banks are normally risk averse, so how can they also be innovative?
- If risk was really that good, how come SIVs got through?
- How easy is it to steal someone’s identity and how much should banks spend
to avoid this risk?
So on and so forth. So I thought I’d spend this week exploring this subject
in depth by tackling these questions.
In the first little thought, I think I’ll tackle the subject of risk
management being the decision maker versus the decision influencer.
Now some banks I talk to have risk management as the final decision-maker in
any investment or exposure greater than €20 million. This is to ensure the
risks are fully understood and the bank avoids any major exposures.
I bet the former Chairman and CEO’s of Northern Rock, Citi and Merrill Lynch
wish they’d been in that bank … or maybe not as these banks would not have
enjoyed success or growth or double-digit shareholder returns if had taken that
approach (which, by the way, may be a good thing!).
It’s all about risk versus reward. The more risk the greater the reward …
and the greater the losses if they don’t come off.
In the case of this bank, risk management being decision makers meant that
they rarely took on any business of any substance. Growth was incremental and
slow. The culture was not very dynamic, although they were known and innovative
in their core businesses. Their ROI was acceptable and their cost-income ratio
was incredibly high.
There has to be a balance.
So what’s the alternative? Let the business bully everything through?
No. I remember another bank that had a fantastic sales and marketing
organisation. They had business flowing through the door. Then credit risk
threw out half of it and, after all the expense of client onboarding, another
quarter disappeared within the first year dissatisfied. In other words, risk
management was there but over-ruled by sales who brought in bad business or
Risk is a balance.
As a result, I agree with another bank who tell me that risk should advise
the business but not be the final decision-maker. They should be fully involved
in understanding and dissecting every business opportunity and exposure. They
should provide their analysis and view. They should make clear the
ramifications and implications of the exposures created by these opportunities
and give the business a clear view of their decision.
This should be recorded and then a decision made by the decision-maker. And
the decision-maker should be the management team, inclusive of risk management’s
leaders, with a final vote in the case of a split decision by the CEO or
Too often, banks have an extreme. An extremely sales-oriented CEO or
business head, or an extremely risk-averse CEO or business head, or risk
management as final decision-makers.In my view, all of these approaches are
Risk is a balance. Risk versus reward is a balance. And that balance has to
suit the risk appetite of the executive team to deliver their measures of
effectiveness. Unfortunately, too often, those measures of effectiveness are
set incorrectly to suit the wallet of the executives involved as Chuck Prince
and Stan O’Neal discovered.
Anyways, tomorrow I’ll tell you how easy it is to steal your identity and
show you how … how reckless can I be?