Senior management is ultimately responsible for every activity within an organization. Their involvement is thus essential for risk management to succeed. The process of setting overall policies and standards in risk management is called risk governance.
Risk governance involves choices of governance structure, infrastructure, reporting, and methodology. The quality of risk governance can be judged by its transparency, accountability, effectiveness (achieving objectives), and efficiency (economy in the use of resources to achieve objectives).
Risk governance begins with choices concerning governance structure. Organizations must determine whether they wish their risk management efforts to be centralized or decentralized. Under a centralized risk management system, a company has a single risk management group that monitors and ultimately controls all of the organization's risk-taking activities. By contrast, a decentralized system places risk management responsibility on individual business unit managers. In a decentralized approach, each unit calculates and reports its exposures independently. Decentralization has the advantage of allowing the people closer to the actual risk taking to more directly manage it. Centralization permits economies of scale and allows a company to recognize the offsetting nature of distinct exposures that an enterprise might assume in its day-to-day operations. For example, suppose one subsidiary of a company buys from Japan and another subsidiary sells to Japan, with both engaged in yen-denominated transactions. Each subsidiary would perceive some foreign exchange exposure. From a centralized viewpoint, however, these risks have offsetting effects, thereby reducing the overall need to hedge.
Moreover, even when exposures to a single risk factor do not directly offset one another, enterprise-level risk estimates may be lower than those derived from individual units because of the risk-mitigating benefits of diversification. For example, one corporate division may borrow U.S. dollars at five-year maturities, and another division may fund its operation by issuing 90-day commercial paper. In theory, the corporation's overall sensitivity to rising interest rates may be less than the sum of that reported by each division, because the five-year and 90-day rate patterns are less than perfectly correlated.
In addition, centralized risk management puts the responsibility on a level closer to senior management, where we have argued it belongs. It gives an overall picture of the company's risk position, and ultimately, the overall picture is what counts. This centralized type of risk management is now called enterprise risk management (ERM) or sometimes firmwide risk management because its distinguishing feature is a firmwide or across-enterprise perspective.
In ERM, an organization must consider each risk factor to which it is exposed—both in isolation and in terms of any interplay among them.
Risk governance is an element of corporate governance (the system of internal controls and procedures used to manage individual companies). As risk management's role in corporate governance has become better appreciated, the importance of ERM has risen proportionately. Indeed, for risk-taking entities (this means nearly the entire economic universe), it is contradictory to suggest that an organization has sound corporate governance without maintaining a clear and continuously updated understanding of its exposures at the enterprise level. Senior managers who have an adequate understanding of these factors are in a superior governance position to those who do not, and over time this advantage is almost certain to accrue to the bottom line. Therefore, the risk management system of a company that chooses a decentralized risk management approach requires a mechanism by which senior managers can inform themselves about the enterprise's overall risk exposures.
At the enterprise level, companies should control not only the sensitivity of their earnings to fluctuations in the stock market, interest rates, foreign exchange rates, and commodity prices, but also their exposures to credit spreads and default risk, to gaps in the timing match of their assets and liabilities, and to operational/systems failures, financial fraud, and other factors that can affect corporate profitability and even survival.
EXAMPLE 9-1 Some Risk Governance Concerns of Investment Firms
Regardless of the risk governance approach chosen, effective risk governance for investment firms demands that the trading function be separated from the risk management function. An individual or group that is independent of the trading function must monitor the positions taken by the traders or risk takers and price them independently. The risk manager has the responsibility for monitoring risk levels for all portfolio positions (as well as for portfolios as a whole) and executing any strategies necessary to control the level of risk. To do this, the risk manager must have timely and accurate information, authority, and independence from the trading function. That is not to say that the trading function will not need its own risk management expertise in order to allocate capital in an optimal fashion and maximize risk-adjusted profit. Ideally, the risk manager will work with the trading desks in the development of risk management specifications, such that everyone in the organization is working from a common point of reference in terms of measuring and controlling exposures.
Effective risk governance for an investment firm also requires that the back office be fully independent from the front office, so as to provide a check on the accuracy of information and to forestall collusion. (The back office is concerned with transaction processing, record keeping, regulatory compliance, and other administrative functions; the front office is concerned with trading and sales.) Besides being independent, the back office of an investment firm must have a high level of competence, training, and knowledge because failed trades, errors, and oversights can lead to significant losses that may be amplified by leverage. The back office must effectively coordinate with external service suppliers, such as the firm's global custodian. The global custodian effects trade settlement (completion of a trade wherein purchased financial instruments are transferred to the buyer and the buyer transfers money to the seller), safekeeping of assets, and the allocation of trades to individual custody accounts. Increasingly, financial institutions are seeking risk reduction with cost efficiencies through straight-through processing (STP) systems that obviate manual and/or duplicative intervention in the process from trade placement to settlement.
An effective ERM system typically incorporates the following steps:
1. Identify each risk factor to which the company is exposed.
2. Quantify each exposure's size in money terms.
3. Map these inputs into a risk estimation calculation.
4. Identify overall risk exposures as well as the contribution to overall risk deriving from each risk factor.
5. Set up a process to report on these risks periodically to senior management, who will set up a committee of division heads and executives to determine capital allocations, risk limits, and risk management policies.
6. Monitor compliance with policies and risk limits.
Steps 5 and 6 help enormously in allowing an organization to quantify the magnitude and distribution of its exposures and in enabling it to use the ERM system's output to more actively align its risk profile with its opportunities and constraints on a routine, periodic basis.
As a final note, effective ERM systems always feature centralized data warehouses, where a company stores all pertinent risk information, including position and market data, in a technologically efficient manner. Depending on the organization's size and complexity, developing and maintaining a high-quality data warehouse can require a significant and continuing investment. In particular, the process of identifying and correcting errors in a technologically efficient manner can be enormously resource intensive—especially when the effort requires storing historical information on complex financial instruments. It is equally clear, however, that the return on such an investment can be significant.