Improving risk management: process and culture.

• Author: Schild, Peter
• Position: Members speak out

In its January proposal on enhancements to the Basel II framework, the Basel Committee clearly stated that bank boards of directors and managements must address the flaws in risk-management practices revealed by the financial crisis. Improving firm-wide governance will be necessary to satisfy regulatory supervision.

The committee asked boards and managements to ensure that risk-management frameworks establish limits consistent with defined risk appetite. In other words, make sure the risk taken is equivalent to the risk intended.

Boards and managements should now ask themselves a few questions: If change is truly required, what new steps must be taken to identify and implement improvements? How will we know we're getting a comprehensive enough look?

Regardless of how a board sees the veracity of its existing approach, fundamental change in how risk is managed is necessary to restore the system to good working order. A helpful first step is to ask the broader questions: Why did banks underestimate their risk and how did regulators fail to see it?

Inadequate Execution

The short answer is: basic practices of identifying, understanding and accepting risk were inadequately executed.

Corporate governance has been called the strategic response to risk, and the changes mandated by events are not simply tactical. Risk management practices must be assimilated into strategic objectives in new and better ways.

Because a corporation is more than a collection of individual activities subject to the separate interests of its components, it's important to see risk management as a pursuit of cooperative spirit, and not as a series of isolated controls. Efficient processes that boost coordination and enable leverage across risk, finance, compliance, audit and lines of business are reasonable and consistent expectations.

A thorough undertaking of risk identification begins with analyzing strategic objectives, cataloging the major processes set up in their pursuit and then asking what can go wrong with each of those processes.

Control activities should be designed to recognize these mutually dependent functions, and detection of strategic shortcomings should come from the integral parts--say finance or operations--before they are cited by oversight roles, like compliance or internal audit.

Beyond understanding risk, capital must be assigned to it. Did banks assign exclusive economic capital to each credit default swap to determine overall capital adequacy...