Risk Governance in Banking

Published on 17th January 2012

It is only at the beginning of the past decade that the Mauritian corporate sector showed real interest in the concept of corporate governance. Practically at the same time, awareness about risk management started making a breakthrough in the banking industry in Mauritius.

In September 2001, the Mauritian government set up a Committee on Corporate Governance for Mauritius. The Committee was given the task of raising the level of corporate governance in the country so that it would align with international best practices. Mervyn King, an authority on corporate governance, was commissioned by the government to conduct a review of corporate governance practices in Mauritius.

Corporate governance has become an increasingly critical issue following a series of corporate scandals that broke all over the world. Its specific role in the stability of financial intermediaries was highlighted by the severe crisis which hit the financial markets from mid-2007. The collapse or nationalisation of high-profile banks and the hundreds of billions of dollars of write-downs on structured credit products were all signs that the banking system had gone terribly wrong.

Risk is an essential element of every organisation, but it must be managed effectively if the enterprise is to succeed. In banking business, risk is a disturbance variable and cannot be avoided. Banks are tempted to take big risks without calculation, as the returns from such risks are usually outstanding if successful, but devastating if unsuccessful.

An enterprise-wide, holistic approach to risk management

At the beginning was risk control. The Greeks and Phoenicians around 700 BC designed risk control measures to mitigate the risk exposures of a creditor engaging in risk financing (called bottomry). The latter involved a trader obtaining a loan to the value of goods to be shipped to a point of sale. The trader would be required to repay the loan only if and when the goods arrived safely.

Aristotle in book 1 of Politics recounts the story of Thales the Philosopher. Using his exceptional skills in reading the stars, he predicted a bumper harvest of olives. Being an excellent risk manager, he obtained an option from the owners of olive presses to the first use of the presses. There was actually a bumper harvest and Thales made money selling off his options. The story illustrates risk management in action in around 200 BC. Risk management is not only about losses, it is also about gains.

The use of the term ‘risk management’ to denote a particular aspect of the management function first emerged in the United States in the 1950s and largely grew out of the insurance-buying function. With its origins in insurable risk, early risk management practice tended to deal with physical risks, such as fire, employee injury and damage to machinery. The emphasis was on identifying and controlling risks which would result in physical damage and financial loss.

During the 1990s, this remit started to widen as many risk managers attempted to take more business-oriented risks from a holistic approach. Today, the focus is firmly on an enterprise-wide, holistic approach to managing all of the risks to which the business may be exposed. They include failures of governance, breaches of corporate social responsibility and unethical behaviour, all of which may tarnish the organisation’s reputation, lower stakeholder confidence, bring about financial losses and, ultimately, result in corporate collapse.

Risk management is predicated on the prevention, or minimisation, of threats to the enterprise. It is not about eliminating risk altogether. It is concerned with assisting the organisation to make the best decisions it can, when faced with a highly uncertain, and potentially volatile, future. In this way, risk management can be viewed as nothing less than good management. Managers seek strategies which would help them manage corporate risks, rather than simply finance the risks following a loss-making event.

As business involves the undertaking of risk for reward, managing risks is inseparable from a company’s strategic and business processes. Risk management is the practice of identifying and analysing the risks associated with business, and taking adequate actions to manage these risks. It is all pervasive and not just a reporting process to satisfy governance requirements.

Combining risk management with corporate governance

The Code of Corporate Governance for Mauritius recommends that due consideration be given to risk management. Particularly in the banking industry, risk management is at the heart of corporate governance. There is increasing awareness that risk management failure is no more than governance failure, which leads to bank failure. In Mauritius though, both risk management and corporate governance are concepts that have only recently been formally practised by banks.

The daily job of the banker is risk management, but this was given less prominence than it might have been lately. At best, risk officers kept a low profile and were nothing more than compliance officers. Also, banks were paying little attention to corporate governance. They did not see the invisible benefits of subscribing to the principles of good corporate governance.

With the failure of Barings Bank, in which a single employee bankrupted a 200-year-old bank, bank boards have come to grasp the importance of a proper structure of corporate governance. The onslaught of the 2008 worldwide financial crisis has been a wake-up call for banks that were focused only on short-term earnings to outpace the industry. Many acknowledge that a lack of discipline in risk management was a contributory factor in the credit crisis. Since the world is today a global village, inadequate management of risk in any country can cause a disaster that spreads to other economies.

Risk managers have not been listened to on strategy, governance and culture. Otherwise, banks have outsourced risk management to a large degree, relying on the expertise and approval from outside parties such as auditors, regulators and credit ratings agencies. Today banks are beefing up risk management, being more conservative about their lending policies and laying emphasis on risk culture and corporate governance. The governance system is all the more important for financial intermediaries not only because they are basically in the business of risk acceptance, but also due to their special role within the economy in the transfer of financial resources.

To re-establish risk management as being central to the DNA of the organisation, banks must see integrated risk management as part of their corporate strategy. They should rely less on third parties and better know the risks they are taking. Risk management should be a continuous and developing process that runs throughout the organisation. It ought to translate the corporate strategy into tactical and operational objectives, assigning responsibility across the organisation with each employee being made responsible for managing a component of risk.

When risk management is combined with corporate governance, this gives rise to risk governance, which states the relationships between risk managers, executives and directors. The balance of power is now shifting from risk-takers to officers who police risks internally. Nonetheless, chief risk officers are yet to define clearly their limiting authority with respect to chief executive officers who themselves have to be accountable to directors. It is a power struggle in which performance counts at the end of the day.

Risk management is not control

In a banking organisation, the job of the chief executive officer (CEO) is mainly about risk management. He needs a little tension (asking questions) to make the best decisions. He must walk the talk with risk officers and encourage his staff to speak up.

It is important for a bank to have a chief risk officer (CRO) with a risk management policy. The CRO should exercise his independence from the CEO. Relations between CRO and CEO are always tense but need not be conflicting. The job of the risk officer is to identify, assess and mitigate risks. He needs to understand cash flow and to assess it by reconciling the balance sheet analysis with the profit and loss analysis. He must be able to analyse data according to well-established industry benchmarks, and to present them in a format that everybody understands.

Ability to service debt is a critical thing. There are various parameters to assess a borrower. Is the borrowing company appropriately managed? What is its debt-equity ratio? What are the sources of its cash flow? How does the company manage its operating cash flow? Does it have assets to generate cash? There is overlapping between risk management, internal audit and compliance: the three processes are connected with control. The difference is that risk management looks at potential threats whereas internal audit intervenes after the occurrence of the risk event. The internal auditor investigates any incident, addresses any procedure gap and detects any fraud.

Risk management is not control but relates to it. If structured properly, risk management need not hinder the growth of the business. The framework should not be so hierarchical as to create a fear of asking difficult questions. Instead, a constructive dialogue is important between risk officers and credit officers. There is nothing black or white in risk management, but shades of grey. Management is risk management, and it concerns every employee from the officers at the counter to the top management. The company must promote a risk culture. As pointed out by The Economist on 13 February 2010, “there is more to establishing a solid risk culture than empowering risk officers. Culture is a slippery concept, but it matters.” Corporate governance demands that the process of risk management is monitored as to its appropriateness and effectiveness, and that it is embedded throughout the organisation.

Such embedding may require some cultural change. Although risk management is undoubtedly part of the job function of every employee, this message needs to be communicated and, furthermore, accepted by the staff. To aid this process, bureaucracy needs to be kept to a minimum. If risk management becomes a box-ticking exercise, then there is little potential for real management of risk.

Legislation, regulation and codes of corporate governance may reduce risk but cannot eliminate it entirely. The organisation itself must ensure that adequate controls are in place to prevent fraud and corruption. Such controls should not act as a curb on entrepreneurial initiatives, but should aim to keep them within legal boundaries. Developing an ethos in which ethical behaviour is actively encouraged, along with systems for the early identification of governance breakdowns, will help prevent the reputation damage – both personal and corporate – that follows the collapse of an enterprise. Effectively managing risks is key to corporate survival. Failure to do so can extract a very heavy price.

Power struggle at the top

A key ingredient of banking, good corporate governance shows where to draw the line between different departments and between management and board, and this is a prerequisite of risk management. Corporate governance dictates the structures to be put into place. It is crucial for a bank as it rests on control and accountability. Lack of oversight will ensue from absence of corporate governance, leading to mismanagement of risks.

There exists a strong link between risk management and corporate governance. Without good risk management, the board cannot identify the risks that are associated with the business of the bank. Conversely, without the support of the board, the bank cannot have effective risk management. The ethos at the top, i.e. at the board level, is very important as strategy comes from that level. Directors cannot be complacent but have to put the CEO to task. However, conflict between the board and the CEO should be minimal.

A small bank, which we may define as one whose asset size is less than 2 billion US dollars, may not need a corporate governance committee. It may not require a diversified board either. However, diversity of board directors constitutes an advantage for a bank as it brings in expertise from different areas. Directors who come from non-banking sectors or who do not have qualifications in banking can contribute to the decision-making process of the board as long as they understand the financial accounts of the bank.

A power struggle generally goes on between board and management. The risks of duplication of powers and responsibilities are real. Every manager and every director is very sensitive to this power game. Even independent directors have some interests in the company. Their interests may be financial in that they receive fees of an amount sufficient to put them off. Doors are open to directors within the company. And being a bank director carries prestige.

Board decisions are often taken before the effective holding of the board meeting, i.e. between board meetings. The important issues are discussed and agreed upon outside meetings. The problem is that directors rely on board papers prepared by management to take decisions, and they cannot check the accuracy of the information submitted to them. The introduction of new legislation and of stricter codes of conduct has led to a greater awareness, at board level, of the need to manage the broad range of threats to the success and continuity of business operation. However, regulation is insufficient in itself without an ethos of risk governance. Commitment from the top is essential for a corporation to ensure that all its directors and employees operate in an ethical manner, and that its structures deliver good governance.

Market credibility precedes profitability

There are two views about banking. One is to say that banking is foremost about strategic vision. Banking starts with the front line facing the clients. There is no business without clients. Banks have to beat competitors that have a niche market. A different view is that since banking carries a lot of risks, it is the business of risk. Therefore, banking is all about risk management. And risk management is all about corporate culture.

Maybe the opposition between the two points of view is due to the fact that separation between credit appraisal and risk assessment is possible only in big banks. In a small bank, the credit officer may be called upon to carry out both the credit appraisal and the risk assessment.

When a bank is too aggressive in approving loans, when it does not have proper procedures, when governance at the top is weak, when there is no attention to the details, when the analytical approach is not rigorous, this spells trouble for the bank. A well-run company is one that puts in place a risk management system that is closely aligned with good corporate governance principles. What fundamentally caused the financial crash of 2008 was poor risk management leading to an uncontrollable level of unpaid loans. The financial meltdown was purely the result of a mismanagement of risk. In the race towards profits, banks relaxed their lending norms. They were scrambling to provide loans to subprime borrowers, people with lower credit ratings and having a larger-than-average risk of defaulting on their loan. Notwithstanding credit scores and other mechanisms to check creditworthiness, loans were extended to borrowers with poor credit histories. And loans were repackaged into hedge funds unseen.

Risk management has a direct impact on performance. A bank needs to be both profitable and well risk-managed. Its level of profitability matters as much to the public as its profile of risk management. However, profitability cannot be equated with stability. There is no guarantee that a profit-making bank would not default. Retail depositors are not cognizant of the level of profitability of their bank. They rather look at its image and reputation. On the other hand, institutional investors, being more aware of the financial situation of banks, consider a mix of profitability and risk management.

Market credibility is paramount in the business of banking. In times of crisis, depositors prefer institutions that are least likely to fail thanks to good risk management practices. A well-managed bank with low profitability is more sustainable and more consistent whereas a badly managed bank with high profitability can collapse under strong risk appetite.

The essence of any business is about risk management. For banks, there is a balance between looking for business to generate income and being conservative on risk. But the wrong way to look at risk management is to think that it is a hindrance to getting business.

By Eric Ng Ping Cheun

Adapted from a chapter in his upcoming book: Alice in Dodoland: Looking to the Mauritian Economy.

