Across financial services there has been a greater focus by regulators in recent years on risk management frameworks. This focus is evidenced in regulations including Solvency II, MIFID and AIFMD as it is consistent across insurance, banking and investment funds sectors. This focus of regulators has in turn ensured that Boards of Directors’ attentions are drawn to the Risk frameworks under their responsibility.
However, Risk should not just be seen as a regulatory issue as it is in the interests of all businesses to have a robust risk management framework in place that is consistent with each firm’s strategic goals. The notion of balancing risk with reward has been well documented since the year dot. Indeed, it is generally accepted that a certain level of risk is necessary to achieve a satisfactory level of reward (profit). Essentially all businesses should have an appropriate risk appetite tailored to their ambitions/ requirements. It should be noted that risk is not bad but is necessary to realise profits and does need to be managed efficiently and effectively. It is vital from a business perspective that a robust risk management framework is embedded in a firm’s culture from the Board through the organisation so that there is “buy in” from all stakeholders and business units personnel. The risk management function must not be seen as some type of “fat controller” that business units defend themselves against but as part of the team that assist in optimising a firm’s opportunities. There should be continuous interaction between the Risk Management unit and other business units so that risk is effectively identified, measured, monitored and managed across the organisation.
In regard to a risk management framework, a firm needs to be clear on limits and tolerance levels both quantitative and qualitative. Thought needs to be given as to what drives decisions on risk taking and for example is there an appropriate remuneration policy that does not encourage bad behaviour. Risks need to be identified along with their probability of occurrence and impact and note any mitigants and controls. A Risk Register should be seen as a dynamic tool and can be used to communicate across all business units so that there is a full understanding of risks throughout the organisation with two way interaction between business units and the risk management function. All identified risks need to be measured and monitored so that the risks are managed effectively and efficiently with all aspects reviewed continuously.
AP , 30 October 2015