Organisations should work on aligning their risk functions to effectively support enhanced business decision making, and this can happen by making business leaders better risk managers, said Bank Negara Malaysia (BNM) Deputy Governor Puan Jessica Chew Cheng Lian at the recent Malaysian Association of Risk and Insurance Management (MARIM) Conference 2018.
Ms Chew was delivering the opening address on the need for innovative risk management in a business environment with new emerging risks.
She noted that while there is increasing involvement of risk managers in business decisions, there continues to be poor alignment between these functions and one common cause is the absence of or a poorly defined risk appetite framework. As it is unrealistic to expect risk managers to be always better at identifying risks in new business ventures than the individuals on the ground leading them, the solution is to have these business leaders be better at risk management.
Change in role of risk managers
“The role of risk managers in turn should evolve from directly supporting individual business decisions, to continuously pushing for more clearly defined risk appetite frameworks through engagements with the board, senior management and business leaders; by ensuring that management guidance is consistent with the risk appetite; and communicating the risk appetite in precise and specific terms across the organisation,” she said.
By encouraging a strong focus on providing as much clarity as possible in setting the risk appetite for the organisation, it will set the tone and internal conditions for ongoing improvements in risk culture, said Ms Chew.
This provides better alignment between business decisions and a firm’s risk tolerance; and ultimately, “delivers a better balance between taking on too much risks and inhibiting the kind of innovation that we depend on to build successful businesses and economies,” she said.
Beyond risk measures to risk narratives
Ms Chew highlighted two other critical shifts that would underpin innovative risk management practices going forward. The second is to be aware that conventional risk measures, such as traditional financial models, have their limits and must be supplemented with the ability to develop and maintain a richer risk narrative that is perhaps less precise, but much more informative. This would require strong discipline and higher levels of competence among business and risk managers.
“Where there are no bright lines, effective risk responses will depend on firms setting up a process that can bring together diverse perspectives and data sets; encourage rigorous debate and dialogue on risk developments; and build an informed consensus on how much risk an organisation should be willing and able to take to achieve its business goals,” she said.
“Such a process is undeniably messier, less predictable and possibly harder to explain in a consistent way. But it is also precisely these very characteristics that make it much more relevant in the world that we live in today.”
Ms Chew said that the central bank’s balance of regulation and risk culture supports such an evolution. For example, the innovation sandbox allows financial institutions greater regulatory room to test innovations within a controlled environment and learn from emerging experience.
BNM is also examining options to better tailor the regulatory framework to the size and complexity of financial institutions and focusing more on an institution’s prevailing risk culture to determine the degree of supervisory intensity applied on an individual basis.
The third important shift Ms Chew highlighted was the importance of building resilience, in addition to mere averting or reducing risks. This could be seen in the area of network security, where organisations are increasingly adopting an “assume breach” paradigm, operating on the basis that a risk event has already occurred, and in the financial sector, where reverse stress testing is being incorporated into risk management approaches to identify the scenarios that would break an institution.
Such approaches acknowledge the practical limitations of risk mitigation when there is little clarity on risk triggers or their impact.
“The push to move beyond a cursory treatment of business recovery and resolution plans is worth heeding. The idea of innovative risk management would ring hollow if everything came to a screeching halt because an organisation had failed to correctly anticipate a risk incident, and business continuity plans failed to support the organisation’s rapid and effective recovery from the incident,” she said. The likelihood of such a case is far from trivial in a more uncertain world.
Business recovery and resolution plans have generated little attention in most organisations beyond the operations of recovery centres, she noted, which misses a valuable opportunity for organisations to design operations in a way to help them reinvent themselves with changing circumstances, to achieve wider options for recovery during business disruption.
“At its most basic level, building resilience is about helping organisations better understand their operational and financial interdependencies and how this can affect their ability to recover and respond to disruption and change. This not only assures an organisation’s own survival, but enhances its prospects for creating value,” she concluded.
The MARIM Conference 2018 took place from 17-18 July in Kuala Lumpur.