Know Your Exposure. Be Prepared.
Do you know where your firm’s risk is concentrated? In this blog we examine how you can better make your risk culture understood from the top down and reported accurately from the bottom up.
Firstly, at an operational level, do all of your business units have a consistent view of the combined risks concentrated in their area? Do operational teams provide the input into the Risk Register in a simple-to-use business application? Does your risk assessment tool allow for expert judgement to be captured for the qualitative risk assessment? Is each business unit a key participant in the risk management workflow?
Secondly, at a supervisory level, is there a holistic view across business units? How does the risk heat map look for the business? When should capacity and resources be assigned to risk control? What should be reported up to board level for escalation? Do you have a configurable tool that matches your firm’s business operating model?
And ultimately, at a board level, is the board aware of the risk concentrations that may impact the firm’s business reputation and core strategy? Are capital expenditure, mitigation, effectiveness and continuity plans acceptable? Does the board have assurance that risk is managed beyond superficial reporting? Is adequate information available to the board to facilitate knowledgeable discussions and highlight the top three ‘big bets’ and ‘key exposures’?
At aqmetrics we have a five-step best-practice approach to risk aggregation:
1. Consistency: At present, you may have one team capturing risk one way, and another team doing it another way. That won’t work. How can you aggregate risk at a firm level if there is no consistency in the risk capture at the business unit level?
You need to capture and assess all risks in a consistent manner. Disparate risk systems lead to data inconsistency that impacts your organisation’s overall risk assessments.
2. Concentration: Pooling risk assessment and creating a heat map gives you a full picture of where your vulnerabilities lie. There is a trend among risk professionals, regulators and compliance staff alike to assess risk concentration in line with current and emerging regulations.
3. Accountability: The solution involves integrating your company’s mitigation and action plans using a workflow model aligned to your business. Each business unit should be accountable for risk management in a non-superficial way.
Individual risks may not escalate to board level. However, when risks are pooled and organisational impact as a whole is assessed and managed via an auditable workflow, we move from passive risk management to active risk control. Board communications then become streamlined, simplified and above all accurate.
4. Appropriateness: Risk tools should support qualitative analysis in a predictable manner, while also providing quantitative analysis where required. They should be proficient in using statistical analysis to support both capital and strategic expenditure decision making. Qualitative analysis should be clear, understood and transparent, but quantitative analysis should be used with caution and only for a specific subset of risks.
5. Assurance: Any solution should have the capability to call, recreate and produce a full audit trail in the event of an internal or regulatory inspection. This is a necessity.
There is no escaping the fact that regulation and compliance touch every part of your firm. Yet regulations can be increasingly complex and overlapping. Consequently, asset managers have a growing need for a systematic approach to aggregating risk within evolving regulations (EU AML Directive V, MiFID II) and emerging regulations (Cybersecurity, GDPR, IT resilience).
The combined business impact of these regulations must be measured and managed in a consistent, transparent manner with accurate and timely reporting at an operational, supervisory and board level.
After-the-fact ‘black-swan’ assessments will no longer be acceptable.