How risk management can evolve to become the coveted business ally

Post financial crisis, regulators have forced the increased relevance of risk organizations and demanded a seat at the table.

Insurance and banking business models have continued to grow in complexity over the past 50 years – from simple and local risk exposures to the current environment of complex and global exposures. Risk management has evolved along with the business model changes, from individual, transaction‑based decisions based on a combination of judgment and underwriting criteria to looking at aggregated portfolios of risk enabled by more robust analytical tools. While the tools and techniques available to risk professionals have continued to evolve, the interaction model between risk and the business has largely remained the same – an “us versus them” dynamic. In the past, risk was present to say “yes or no” to business leaders based on what was seen to be risk’s perspective and desired profile, often leading to escalation with business leaders and revenue generators having a distinct advantage.

For today’s risk organization

The challenge is clear:

How to have an impactful seat at the table without turning into a “check the box” regulatory exercise.

The next step in the evolution of risk management:

To reframe the debate and the role of Risk within an organization from being a control and compliance function to being a valued business ally.

The goal: to move from “us versus them” to “just us”

The entire organization driving toward common enterprise objectives. If structured right, the risk management organization can be involved in the pursuit of business objectives and the optimization of outcomes across all relevant constraints and lenses.

Articulating the appetite

First, consider establishing broad expressions of risk appetite that account for the desired balance between risks and resources across all relevant economic, regulatory and accounting frameworks. The expressions should take into account that the balance might change when subjected to a variety of stresses over various time frames. Factors at play are the evolution of assets and liabilities through time, with varying severities.

Examples of such expressions include the following:

• The organization wishes to preserve its ability to participate in markets in a moderate stress environment.
• The organization seeks to remain solvent in a severe economic downturn.
• Under normal market deviations, the organization seeks to limit earnings volatility

The final pieces of the puzzle

1. Agree on what level of stress is articulated in the expression. Again, collaboration, transparency and inclusion of all stakeholder views must be part of the development of these scenarios, as they will define and constrain risk profiles and business activities. They must be designed so that they probe sensitivities of assets and liabilities across all relevant risks, yet do so in a way that aligns with external and internal views of a reasonable definition.
2. Once the metrics and definitions of stress have been determined, the measurement can begin. The manifestation of risks can be complicated by the financial reporting rules, and it is important to have reliable processes with transparency into potential limitations and simplifications. For an organization to embrace the Risk Appetite Framework and use it to inform difficult business decisions, there must be credibility of, and confidence in, the models, scenarios, assumptions and output.
3. Translation of the desired risk profile of the organization into meaningful limits on key risk-taking activities. This is where the broad macro and strategic expressions become operational. The objective is to align limits such that there is a comfortable likelihood that the actual outcomes in stress scenarios will be in line with expected outcomes. This doesn’t mean that all limits need to academically tie to the expressions. However, they should be set such that the business-as-usual risk-taking activities won’t materially change the shape or dimension of the risk profile.
4. Once the Risk Appetite Framework is in place, it can be incorporated into business and capital planning – however with a twist on the traditional risk and business dynamic. No longer will there be an “us versus them” discussion, with Risk having the ability to say yes or no at their discretion. Rather, Risk will now provide transparency into the impact of business decisions on the commonly agreed-upon limits and constraints facilitating an open dialogue. It is no longer Risk’s role to make the “yes or no” decision, but rather the organization’s, with Risk providing full transparency into the impact on the commonly agreed-upon expressions. The framework provides a basis for evaluating the levers available to any organization — changing the risk profile, changing risk capacity, or changing risk appetite statement. The common evaluation of when and where to pull these levers will be grounded in the Risk Appetite Framework and transparent to all parties.