Measuring Risk Organizations must be able to manage risk, but in order to do so, companies must be able to measure it. The terminology used to measur

Disclaimer: This is a machine generated PDF of selected content from our products. This functionality is provided solely for your convenience and is in no way intended to replace original scanned PDF. Neither Cengage Learning nor its licensors make any representations or warranties with respect to the machine generated PDF. The PDF is automatically generated "AS IS" and "AS AVAILABLE" and are not retained in our systems. CENGAGE LEARNING AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES FOR AVAILABILITY, ACCURACY, TIMELINESS, COMPLETENESS, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Your use of the machine generated PDF is subject to all use restrictions contained in The Cengage Learning Subscription and License Agreement and/or the Gale General OneFile Terms and Conditions and by using the machine generated PDF functionality you agree to forgo any and all claims against Cengage Learning or its licensors for your use of the machine generated PDF functionality and any output derived therefrom.

THE EVOLUTION OF RISK MANAGEMENT AND THE RISK MANAGERS Author: Fran Garritt Date: Feb. 2018 From: The RMA Journal(Vol. 100, Issue 5) Publisher: The Risk Management Association Document Type: Interview Length: 3,415 words Lexile Measure: 1350L

Full Text: RMA'S MARKET RISK COUNCIL continues to support the future of risk management and the risk managers who sustain its progress. In a recent interview, David Ye, former chief risk officer at State Street Global Markets and global head of market risk, shares his perspectives on the emerging trends in risk management. The interview was conducted by Fran Garritt, RMA's director of market risk and securities lending.

LOOKING BACK AT the evolution of risk management in the financial services industry over the past two decades, we cannot help but marvel at the tremendous growth it's seen in both sophistication as well as importance.

Since the 1990s, there have been many crises–large and small, domestic and international. Each crisis made people more aware of the importance of risk management controls and the need for continued investments in risk infrastructure and human resources. As of now, the risk management function has become firmly embedded in a firm's oversight/control structure, and the Dodd-Frank Act and other regulations have further codified the role of the chief risk officer and risk management into the law of the land.

However, the Trump presidency will likely reset the deeply entrenched regulatory environment. The new administration has already changed both the dynamics of the financial markets and the regulatory and business environments for banking. Given its size, the changes in the U.S. will have global ramifications. Now, perhaps, is the right time to reassess the future landscape for risk management practices.

GARRITT: How do we transition from a regulatory-focused risk function to a more internal and business-focused one?

YE: As the regulatory environment changes, so too will the business environment. It may not happen very quickly, but I think the journey has already started since the start of the Trump administration. The risk management function over the last eight years has been driven primarily by post-crisis regulations, the many risk functions that have been added, and risk infrastructures built to specifically address some of the regulatory requirements such as Dodd-Frank and CCAR.

To make the transition successful, change needs to come from the top because the risk culture and risk appetite define the daily risk management control. The risk appetite strategy has to be driven more by the inherent risks in the business rather than by regulatory mandates only. From the top, it then drills down to middle management as well as the day-today risk control. Day-to-day risk control, or what I like to call the trench of warfare, is where risk managers engage risk takers in business on a daily basis.

I think that one of the most important changes is how risk managers deal with business functions. To do this effectively, we need risk managers who are commercial-sawy with good business and product knowledge.

GARRITT: How can we strike the right balance between risk control and business support?

YE: The journey in the development of an enterprise risk function in banking really started in the early 1990s after a number of credit and market events, including the savings and loan crisis and the Federal Reserve's massive interest rate hike in 1994. Before the financial crisis, risk management had been more focused on supporting sound business growth.

After the crisis, the pendulum swung far to the other side–that is, to focus more on independent risk control and meeting regulatory requirements. This had been driven by a number of regulatory requirements such as Dodd-Frank, which mandates granular risk oversight by the board of directors and executive management.

It is encouraging that the Fed recently released a proposal to streamline firm corporate governance by elevating the board of directors to a more strategic role, without being overwhelmed by those responsibilities best performed by executive management. I believe this is a step in the right direction–to help risk management be more focused on material risks in the business, rather than simply meeting reporting requirements to the board and regulators.

So, in order to strike the right balance going forward, we need to change our mindset–that is, balancing independent risk controls through the support of profitable business growth with an appropriate return.

GARRITT: What are the changes needed in the mindset and approach of the risk management function? Do we have the right type of risk managers in this new environment?

YE: We need to reshape the risk management approach, starting with how we look at the risk appetite. This will help drive the change from a risk-control and avoidance culture to a more balanced one where risk and return are appropriately evaluated in the decision- making process. People need to view risk as an integral part of the core business rather than as a barrier preventing sound business growth. 1 believe that we do need more risk managers with strong business and product knowledge and a commercial mindset, rather than simply check-the-box type individuals.

GARRITT: In the eight years since the financial crisis, firms have invested heavily in risk management to meet regulatory requirements. How can we leverage these investments to manage risks better for firms' internal business management needs?

YE: Indeed, in the last eight years, firms have invested heavily in risk management in terms of infrastructure, data, and analytics. A lot of these investments went to address specific regulatory concerns of many MRAs and MRIAs. The question now is, how can we harness the capabilities we have built to help drive better business decisions?

The starting point is to evaluate the extent to which the risk management capabilities such as analytics, data, reporting, and human resources can be leveraged or redeployed to help the front office and other parts of the firm such as the finance and compliance functions. We need to develop stronger partnerships with business and integrate risk analytic capabilities with the front-office systems so that business and risk management evaluate the same data and information. In addition, the healthy debates between business and risk management should be on the appropriate actions that need to be taken based on shared risk information, rather than on whose risk measurements are better.

GARRITT: With new regulations, such as FRTB [Fundamental Review of the Trading Book], how can we build the infrastructures with a broader mindset to improve business risk management capabilities in addition to meeting regulatory requirements?

YE: We should have the mindset for how we can create business value and increase efficiency at the outset. FRTB is a good example. It requires a much closer linkage between systems and infrastructures of various parts of the firm, primarily among risk management, finance, and the front office. This requires stronger leadership in risk management that is able to look beyond the risk management silo to work closely with the business and finance partners, and have an integrated IT team to ensure consistent risk systems and data across the firm instead of just in risk management.

This is challenging for many firms, as most of them traditionally have very siloed infrastructures. It has already happened in many firms, particularly in the area of coordination between the risk and finance functions.

GARRITT: What are the biggest costs in risk management?

YE: Over the last 10 years I think the major costs have shifted more and more to risk infrastructure and data. Human costs are still the largest portion, but infrastructure and data costs have increased much faster. In addition, technology will be playing a greater role in the banking business, and the proportion of IT and data cost will increase over time.

GARRITT: What are some concerns that regulators may have in terms of cost pressures on the risk management function?

YE: I think this is why we need to embark on this journey of technology revolution in risk management. We need to work with regulators to ensure they are comfortable that the quality of risk management will not be sacrificed with the introduction of new technologies such as machine learning, artificial intelligence, robotics, etc.

Firms need to develop a strategic vision for the end-to-end risk management process in a world where computers will play a much bigger role and perform many tasks and make critical decisions that are currently done by humans. There will still be the need for human judgment and oversight, but in what shape and form? It is clear that the number of risk managers will be reduced materially in the next five years due to technology transformation. The real concern is the future role of human risk managers in this brave new world of big data and big machines.

In a typical risk management department, about 80% of the staff works to generate information for the senior-most 20% of people to make decisions. There are potentially huge amounts of cost savings with the proper use of new technologies, particularly for the 80% of the "information generation" part of the risk function. For example, roughly 50% of that 80% (that is, 40% of the total) is related to middle management, who validate and report the critical risk information before it is escalated to senior management for decision making.

I don't think we can take out all the 40% of the total cost, but at minimum, you can save 20% by leveraging technology such as Al/machine learning. Therefore, I'm not talking about the wholesale elimination; rather, we need to really rethink through the risk management operating model. Back in the day, we could manage costs by off shoring positions to low-cost locations like India,

Eastern Europe, and China. But much higher inflation rates in those countries will render the cost arbitrage useless in the not-so- distant future.

GARRITT: What are the key challenges posed by the deglobalization trends?

YE: Indeed, the postwar global economic order created by the West and led by the U.S. is going through drastic changes, which are hastened by current policies across the globe, such as the Trump administration and Brexit, which could be viewed as isolationist. At the same time, China has emerged from its isolation and continued its rise with its own globalization push.

I could see in the next decade that the whole financial infrastructure around the world is going to be subject to seismic changes, where the U.S. is going to retreat and Europe is going to have to find its own place, but in a much different way given Brexit. China and other emerging-market countries will continue to play a much bigger role.

For large global firms, the key challenge will be managing firm-wide risk, capital, and liquidity positions across different jurisdictions and national boundaries. We really need to understand different and, at times, contradictory regulatory rules across different regions over the same global business.

The rule on swaps and derivatives is a prime example, where swap trading, margin, and documentations as required by the CFTC are different from those required by the European rules in many critical aspects, which have created complexities and challenges for global trading operations.

GARRITT: How should a global risk organization be structured to meet both local and home country regulation?

YE: The global risk function needs to de-globalize further relative to the current structure, where headquarters control everything and make all of these decisions. For example, SMR [Senior Management Regime] in the U.K. is just one requirement that forces critical decisions to be made locally by an accountable person because he or she is personally liable for the activities on the ground.

While the global functional heads continue to manage risk globally, they may not have the final decision on certain key risk and business decisions in the regions. Risk organizations will need to be much more decentralized and matrix oriented, with significant decision authorities being transferred to regional heads over regional activities. Organizations have to optimize their structure in order to manage the organizational conflicts. We all know that a matrix organization has its benefits and also has its challenges. It is not an easy thing to accomplish this change, but it is critical in getting it right in today's deglobalized world.

GARRITT: What are the new risks given the rise of emerging-market [EM] countries like China that will increasingly shift major drivers away from the West's developed markets?

YE: If you look at firms' risk management approach, their aggregated risk exposures are primarily in the U.S., Europe, or other developed markets. While emerging-market exposures are growing, they are still somewhat small on a relative term. With the continued economic growth in emerging markets led by China, the EM exposures of firms will likely grow significantly. There could be a lot more potential negative surprises along the way. What happens in China already drives the world markets as well as money and capital flows.

But the challenge is that firms do not have enough risk people with deep knowledge in those emerging markets. Therefore, I think we just don't have enough talent to understand that part of the world, as most current risk managers have been trained in the developed markets like the U.S. and Europe.

The other thing is that we should look at our core risk methodology and risk management approach with a new lens that reflects informed emerging-market perspectives. Will our risk methodology still be appropriate in the next five to 10 years as emerging markets continue to grow? With regard to stress testing, for example, we generally look back in history to find appropriate market stress events for risk modeling purposes. But maybe history will be less relevant in the future as we are going through a paradigm change, and the next 10 years are going to be very different from the past 10 years.

We need to think about what this new brave world looks like and what could drive some of the major market shifts and exposures with regard to the methodology in our stress testing. This is going to have implications for the development of our infrastructure and our staff development as well.

One of the difficult tasks for firms is to develop and retain risk talent. As the older generation of risk managers retires, a new breed of risk manager needs to be developed–one that is technologically savvy, business focused, and familiar with emerging markets like China and India. The real challenge is in choosing the right kind of risk leader for the next five to 10 years because the world's changing. Unfortunately, in the last 10 years many institutions have not had the luxury of time for this, as we have been too busy meeting the regulatory requirements.

Therefore, we need to take a step back to reassess the risk management function in terms of risk framework, infrastructures, and talents with a view of how the world will evolve in the next five to 10 years.

GARRITT: What are the drivers for increasing specialization of risk disciplines?

YE: We're seeing a very interesting trend. The picture that comes to my mind is one where we have many cars without clearly defined traffic rules. These cars move in different directions at different speeds, each representing a particular risk discipline mandated by a particular regulatory rule or concern.

In the rush to address lessons learned from the financial crisis, many regulatory rules were established in response to a particular issue or concern at the time. Firms had to react to them by embarking on new projects and programs, which ultimately led to business-as-usual, standalone risk disciplines. This is the case with liquidity risk, vendor risk, conduct risk, cyber risk, etc. The challenge that we face is in how to integrate all the new risk disciplines and avoid duplications. Otherwise, we run the risk of creating confusion and weakening the effectiveness of controls, in addition to cost inefficiency.

GARRITT: What do you see as some of the challenges in developing a holistic view of risks across all disciplines?

YE: As we all know, especially in times of crisis, many types of risks are intertwined–for example, credit risk and market risk. Generally, you don't see material counterparty credit risk arise unless you have a huge market event. By the same token, operational risk loss is dependent on market or credit events. As such, it is critical to have a holistic view of risk across the board. The challenges are a lack of integrated risk infrastructures and of people with broader cross-functional experiences and knowledge.

The increased specialization of risk disciplines as mentioned above has made a holistic view of risks more difficult to develop, however. While building robust and integrated risk infrastructures takes time, the organization should develop a new set of people with broader backgrounds to address risk in this increasingly complex world where risks are highly interrelated.

GARRITT: What are the implications for risk management resources and talents?

YE: Firms need to develop a long-term plan for risk infrastructure and human capital in risk management. To think clearly about the next generation of people, you need to take into account the rapidly changing technology and dynamic geopolitical landscape. People need to understand the emerging markets, have different language skills, consider how to leverage existing offshoring locations, and potentially raise future leaders from those locations.

We typically think people in low-cost locations do very low-level work. We should turn our thinking upside down and view the low-cost location as a place where we can develop emerging talent and move them back home. This is what I like to call the "back-to-base" talent strategy. In addition, we need future risk managers to be technologically savvy and quantitatively trained to work with machine learning and artificial intelligence. We need to sync up with the business strategists as well.

This is the way that risk management can become more relevant and influence the firm's business strategy as well. It is imperative for the future of risk management to do this well, and we cannot simply justify our existence by regulatory mandates and rules.

GARRITT: Do you see a danger that risk management may be trying to "boil the ocean" with too wide of a scope?

YE: Definitely, and I see that risk every day. Many, not all, senior risk officers focus too much on expanding the scope of their roles, putting out too many fires, and reacting too quickly to one-off problems, with no time to think strategically about which risks are lurking around the corner that could potentially and negatively impact the firm.

We need to take a step back to think about how to redefine and refocus the role of risk management. We need to think about how to optimize the scope of our work in partnership with legal and compliance, technology, finance, and business. We cannot be all over the place.

Many risk managers want to do more to increase their influence with good intention. However, in the process, they actually undermine their effectiveness. Therefore, the risk management function needs to have a new strategy going forward that clearly articulates our core competence and mission, and leverages resources in other parts of the firm, if possible. We need to recrystallize our role and see our functions rather than be territorial.

GARRITT: How closely should risk management work with other corporate control functions, such as legal, compliance, and finance, to avoid duplications and overlaps?

YE: Every firm needs to have what I call a risk convergent strategy–a strategy that includes all control functions (for example, front- line control, legal, compliance, risk, SOX, audit, etc.). There has been a huge amount of build out in a firm's control processes in all areas due to regulatory pressures and many genuine control gaps. Many of these efforts have been carried out under very short timelines without proper coordination. As such, it is understandable that there are a lot of duplications among these newly built control structures.

This amount of duplication creates inefficiency as well as a potential weakening of controls because of a lack of clarity in who is held accountable. We certainly do have the too-many-cooks-in-the-kitchen problem, and it is high time to create a risk convergence strategy to rationalize these controls.

Our job in risk management should be to focus on working with all of our key stakeholders with the goal of making risks transparent and making sure they are within the approved risk appetite. Take conduct risk, for example. While it is part of operational risk, the expertise and knowledge reside with the legal and compliance functions, and they should drive the initiative even though the risk function has a role to play, which is to make the risk transparent through timely reporting and appropriate aggregation.

Please Note: Illustration(s) are not available due to copyright restrictions.

Copyright: COPYRIGHT 2018 The Risk Management Association http://www.rmahq.org

Source Citation (MLA 9th Edition) Garritt, Fran. "THE EVOLUTION OF RISK MANAGEMENT AND THE RISK MANAGERS." The RMA Journal, vol. 100, no. 5, Feb.

2018, pp. 50+. Gale General OneFile, link.gale.com/apps/doc/A527621023/ITOF?u=oran95108&sid=bookmark- ITOF&xid=289c66b2. Accessed 8 Apr. 2022.

Gale Document Number: GALE|A527621023