The combined impact of credit and market risk needs to be looked at, to provide for and protect capital.
We have accepted for quite some time that change is the only constant, and now ‘uncertainty’ also seems to have been added to the list of variables, observes Mr K. Shyamsundar, Consultant, Risk Practice, TCS, Chennai. “Risk management is essentially about managing uncertainty. Risk is embedded into the basic business operations across industries and it is at the core of the financial services industry,” he adds, during a recent interaction with Business Line.
Excerpts from the interview in which Shyamsundar shares his personal views on the subject of risk practice.
First, an overview of where risk practice fits in GRC.
‘Governance, risk and compliance’ (GRC) relates to having in place a self-motivated mechanism for the introspection of primary business objectives, strategies, policies, procedures, combined with an effective oversight and control monitoring component, which will have an efficient risk management function as well as ensure meeting all compliance requirements.
Risk management is the key component in the overall GRC spectrum whose stakeholders include investors, board members, risk managers, governance and compliance officers, regulators, customers, suppliers, and the society at large.
What are the common issues that arise in risk practice?
Disintegrated/fragmented risk practices, processes and systems are the fundamental challenge. For example, credit and market risk used to be considered separate; only recently it is recognised that their combined impact needs to be looked at in order to provide for and protect capital.
Operational risk integration is still in its initial stages. Compliance requirements across the globe are increasingly complex and dynamic and compliance cost has therefore been on the rise.
A very significant challenge is of data governance and processes, and technology integration. Data governance and management aspects include data quality and accuracy, consistency, and reduced reconciliation effort. The technology architecture of organisations has evolved over time, with multiple legacy applications, and non-standard interfaces which make them rigid.
For example, a large investment bank found that a minor change in a regulatory reporting requirement had a huge cost impact on its risk platform. Many financial institutions are going through risk and finance transformational programmes which attempt to resolve the challenges. Further, leveraging the compliance investments in technology and processes is a significant challenge to ensure adequate RoI (return on investment).
How different are the contemporary issues, compared with the earlier ones?
Increased complexity in business operations due to market and customer behaviour, technology innovations that have forced institutions to change their approaches to create and maintain customers, globalisation and disintermediation, and creative financial products with the avowed claim of reducing risks, are some of the key changes.
Risk management concepts and practices have tried to keep pace with the expansion, though concepts such as Value at Risk (VAR) matured decades ago. In recent times, when risk-taking combined with unbridled greed, the entire financial ecosystem collapsed, to the surprise of the stakeholders such as the regulators, rating agencies, and auditors.
Governments are still trying to do their best, with political challenges adding to the lack of consensus-building on financial remedial measures.
Traditionally, credit and market risk management were the focus areas. Increased complexity, catalysed by the failure of control over processes, and the executives becoming more avaricious and adopting fraudulent methods sowed the seeds for operational risk to become a separate risk component.
Liquidity risk cannot be termed new as a concept, but the failure of the existing risk mechanisms has forced it to assume significance.
When the impact of these failures crossed the banking borders in Wall Street to a sheep farmer in New Zealand it became systemic; and ‘systemic risk’ and ‘sustainability risk’ emerged. One may, therefore, say that the only thing constant is that more risk components can be expected in future.
When regulators were more reactionary than taking preventive action, public faith eroded; and ‘governance and its deficit’ became the mother of all buzzwords. Unfortunately, the buzz is the reality. Like history, regulators also keep repeating their approaches from Glass-Steagall to Volcker in separating investment (high risk) and commercial (traditional/low risk) banking.
Examples of how enterprises approach these issues.
Organisations have been approaching the challenges in different ways. They range from evaluating the existing oversight/assurance process, to identifying key fragmentation causes which result in silos, and integrating disparate technologies. For instance, a large Wall Street bank has considered operational risk as the key focus area and controls assessment as a subset. A big European investment bank is looking to integrate its risk and finance functions which have been built over several decades. One of the leading Indian banks is preparing itself aggressively to adopt advanced approaches of Basel guidelines by investing considerably in architecting an integrated enterprise-wide risk architecture.
A few dos and don’ts in risk management.
• Ensure executive management (the board, CxO) commitment on a longer time horizon.
• Closely mesh GRC and business sustainability.
• Have an effective oversight/assurance component firmly in place.
• Identify root causes of fragmentation and overlaps in processes, policies, systems which create silos, and close the gaps.
• Adopt technology in the right manner with a focus on an integrated enterprise-wide architecture.
• Communicate effectively across the organisation.
• Aiming at ‘quick wins’ and getting the low-hanging fruits from an RoI perspective.
• Considering GRC as an overhead expense alone rather than leveraging the investment to gain business benefits.
• Having a reactionary culture and waiting for things to happen; sometimes a series of small events happening in different silos can cause damage to the whole enterprise and to the financial ecosystem.
• Accepting past mistakes and trying to justify them.
• Pushing to the background basic ethical and human aspects in business priorities while evolving the GRC pillars.