Here we go again: banking risk

Good practices to consider…

Check that the “financial risk” assessment is up to date.  Now is the right time, while SVB, Credit Suisse and others are fresh in peoples’ minds.  That means looking outside the organisation: what might happen – or what might be happening – that could leave us unexpectedly exposed?

Things to avoid…

Assuming that there’ll be time to sort something out if the external environment changes.  The environment is changing constantly: interest rates, asset prices, prices, exchange rates, market liquidity, market confidence…  And it’s now become very clear that events can have an impact much faster than was once the case.

Good practices to consider…

Making sure the basic questions around treasury risk are asked and answered.  Are your deposits spread across enough banks?  What’s the liquidity position?  Are our emergency lines sufficient and solid?

Things to avoid…

Forgetting the basics.  Some simple questions are worth asking from time to time.  These will vary across every organisation, but it’s a valuable role for the Board to make sure that the fundamentals and common sense haven’t been diluted in the face of business-as-usual pressures.

Good practices to consider…

Make space to stand back and think what could go badly wrong – possibly even be life threatening.  Not necessarily the things on the risk register –you’ve already been looking at those for a long time.  Instead ask “what’s going on around us?”.  That might be shifts in the macroeconomic environment.  Price and cost shifts.  Political uncertainty (or damage – think the UK in October 2022).  War and sanctions.  Bank collapses.  Cyber attacks.  What else?  There are bound to be things that particularly affect your organisation.

Things to avoid…

Just looking at the principal risk list, heat map or risk register.  They will often mainly contain risks that you think you can do something about, rather than ones you should prepare for.  And they don’t lend themselves to thinking outside the box.  Or thinking about the big external changes that could have a major impact.

Good practices to consider…

Think about having a “risk awayday”.  Boards find the strategy equivalent so useful that they are now a standard part of the annual plan.  Why is that?  Because free thinking around big strategic issues is very valuable but needs the sort of time and space that typically isn’t available within the time and dynamics constraints of a normal board meeting.  Exactly the same applies to thinking about the big external risks in troubled times.

Things to avoid…

Keeping to the confines of an audit/risk committee meeting, with the need to get through a long agenda of often pressing issues with deadlines.  Or being suffocated by reports from across the second and third lines of defence.  And that’s possibly before the external auditors do their stuff.  Too often there just isn’t space for thinking.

Good practices to consider…

Ask the CRO (or whatever your Head of Risk Management is called) to put together a “thought paper” to accompany the standard risk report for each meeting.  Tell them to set out what they see happening externally, and to think through what that could mean.  That might involve some speculation and setting out of scenarios but that’s fine if it prompts thinking and discussion at the committee or board meeting.

Things to avoid…

Allowing the CRO to dodge discussion of the unknowns and to fall back on the comfort of the risk register.  They ought to be looking outside and thinking through the possible implications.  So why not share that thinking?  The NEDs or CEO should create a safe space so that the CRO and everybody else can be comfortable with a bit of speculation.

Good practices to consider…

Accept the limitations (and dangers) of the “probability times impact” equation.  Recognise that it might sometimes give a misleading picture.  Question the assumptions and numbers underpinning the outcome.

Things to avoid…

Focussing on “the reds” and relying too much on a methodology that has some usefulness but also has considerable limitations.  It can be misleading: it may not pick up on emerging risks and underlying changes in either probability or impact, and will rely on assumptions or even guesstimates.  A mid-ranking “amber” (or even a “creeping green”) might actually be more of a threat.

Good practices to consider…

Keep an eye on the “gross” (pre-mitigation) versus “net” (post-mitigation) risk.  There can be a big difference, so it’s essential to avoid falling into the easy trap of supposing that putting a risk onto a list is enough to draw its fangs.

Things to avoid…

Relying on the “net” view without understanding the quality of the mitigation.  When circumstances are changing fast, so can the quality of the mitigation – almost always only in one direction…

Good practices to consider…

Make sure everyone is clear what is meant by “risk”.  A lot of work on “operational risk events” is about historical fact, not future uncertainty.  Words like “threat”, “danger” and “uncertainty” will help to keep your discussion focused on future resilience.

Things to avoid…

Letting the risk discussion be dominated by information about and discussion of what went wrong last month, rather than about the future uncertainties.  Yes, it’s important to learn from experience – but not at the expense of understanding the significance of events that are taking place all around you.

Good practices to consider…

Look at how risk management actually works in the organisation.  Does it have an impact on decision-making?  Do people find it useful?  We often come across boards and committees who are starting to question how far risk management is having the intended impact and are caught up in reporting and process.  And executives who are wondering about the return on investment in the risk management framework.  Don’t be afraid to bring this question out into the open – it’s in everyone’s interests to have it answered properly.

Things to avoid…

Assuming that processes and structures that “look right” (and look the same as everybody else’s) actually make a difference to the way people work.  They might help but they might not.  In this area there is a great deal of activity that is done in order to show something’s being done, rather than because it’s a good route to achieving the best outcome.  It is of course much harder to judge outcomes than to observe activity, but a good Board or Risk Committee ought to try.  That might mean taking a fresh look at how to assess the effectiveness of risk management.

Good practices to consider…

Look very hard at the risk culture in the organisation.  No amount of process will do much good if people have the wrong attitude.  So get away from the head office team and listen carefully to people across the firm talking about how they do their jobs and what motivates them.  And take a look back at the big things that have gone wrong over the past years – what do you see when you look at them as a whole?

Things to avoid…

Dismissing apparently unrelated events as one-offs, when the common thread might be the organisation’s risk culture.  If the Board doesn’t make that connection, there’s a danger that others will, as seems to have been the case in many collapses when a long history of “accidents” finally led to a catastrophic loss of confidence.