What is wrong with the current model of risk management?
There are three things wrong. The first is that risk management has become too bureaucratic. It emphasises a controls-based approach, characterised by excessive box-ticking. The second is in the financial arena, where banks and other financial institutions became reliant on value-at-risk models. Those models were dependent on a range of assumptions, not least an implicit assumption about liquidity and the real availability of interbank funding.
In hindsight, we can see there was insensitivity to the limitations of those models. And the third thing to go horribly wrong was focusing on entities in isolation, rather than the relationship between entities. Banks and insurers all used the same risk management model. But they didn’t consider what would happen if they all acted in the same way and how that would create a systemic problem.
How is it possible to be rigorous and systematic, without box-ticking?
That is a fair question. Let’s face it, box-ticking is very functional in many circumstances. When a pilot goes through the process for take-off, you want them to tick the boxes in sequence. The key is to understand the difference between necessary and sufficient. The controls-based approach of risk management was necessary, but not sufficient. And it tends to have its own logic which crowds out other methods. It even crowds out the time people have to think about risk.
So what’s the answer?
If I knew that I’d be a rich man. Everybody knows this is a pathology of the risk management arena. You can’t get out of it. So part of the solution is down to the regulators. They should trust a little more and need evidence a little less. The second part of the solution is to have courageous leadership in organisations which says, yes, we are going to do the process stuff, but we are also going to make sure risk is part of the organisational conversation.
What practical steps can businesses take to make those changes?
The chief risk officer needs to be the first among equals. This means they get the full trust of the board and chief executive. And businesses need to take a long view of their relationship with clients. We are seeing this in the banking sector, where firms such as Barclays are attempting an ethical renewal.
When businesses derive their philosophy from an understanding of the relationship they want to have with their clients, they can change their risk management profile. But I’m afraid there isn’t a magic bullet. Organisations are experimenting with ways to re-orient their ethical compass to improve the quality of their risk management.
How can firms tell if they are on the right road?
One indicator is how often the risk management function is approached for advice. Some organisations see risk management as a partner and adviser, others as a compliance department. If people aren’t talking to the risk managers often enough, that’s a bad sign. The truth is that change is hard. People feel comfortable with due process. It makes them feel safe. It gives them the illusion of certainty in an uncertain world.