Page 25 - Risk Management Bulletin April-June 2022

RMAI BULLETIN APRIL - JUNE 2022


could benefit from studying how risks are addressed by other critical-infrastructure sectors, including telecommunications, transport, and energy.

• Regulation. Banking is probably the most heavily regulated industry. As a result, it has developed a highly centralized approach to risk management. Banking is the only industry, for example, with a regulatory obligation to include a chief risk officer (CRO) in its C-suite ranks. For these reasons, banking may have the most important risk-management experience in the area of regulatory risk.

Nonfinancial companies hold a variety of views on nonfinancial risks and how to approach them, differences mainly determined by market and sector. The divergent perspectives relate to each industry’s risk appetite and risk-management practices. McKinsey explored these perspectives in a 2021 executive survey on corporate resilience.

The survey revealed organizations’ varying approaches to resilience. A prominent factor is the sector in which the organization operates. For instance, in the airline industry, safety is of paramount importance. Data on near accidents are valued so highly that pilots can be penalized more severely for not providing this information than for having made actual mistakes. In contrast, software providers thrive on developing stable products that are improved incrementally over time. In telecommunications, cloud providers focus on stability as well. Their services performed so well during the pandemic that many banks and nonfinancial companies overcame their doubts about cloud risks. These reservations were formerly a barrier to the transfer of critical software services. After observing the high security standards maintained by cloud providers, organizations came to regard them as safer than on-premises data centers. Finally, in the automotive industry, global production is highly sophisticated, with up to 80 percent outsourcing in the supply chain. This allows for product scalability but creates vulnerabilities from geopolitical risks as well as regulatory and technological change. The industry is thus engaged in rethinking strategies across supply chains, software, and product and environmental compliance.

The lessons from particular industries suggest two caveats when comparing practices between banks and corporates:

• When deciding whether risk-management practices are transferable from another industry, financial institutions have to weigh these practices within the context of particular business models and risk appetites.

• Risk management cannot be seen as a collection of static practices but must evolve to keep pace with rapidly changing business models.

It will be worthwhile to explore these two points, comparing operational risk and enterprise-risk-management (ERM) frameworks in banking and corporates and then looking at the broader question of resilience over time. The importance of this second point has grown in recent years and intensified during the pandemic. Many corporates have begun rethinking their risk-management mindset in light of the present disruptive and rapidly changing business environment. We believe that these developments hold potent lessons for financial institutions.

Corporate ERM approaches and their application to nonfinancial risk

A comparison of the ERM approaches of banks and corporates allows us to understand their different backgrounds and evolutionary drivers. An ERM system consists of four basic layers (exhibit):

• Governance and organization. This layer covers the accountability structure (the three lines of defense) addressing how risk ownership, risk control, and assurance accountability are assigned, exercised through risk committees, and formalized through policy structure. This layer also includes the underlying risk taxonomy to assign accountabilities and acts as a basis for the policy structure.

• ERM processes and methodologies. Here, the general ERM approach and processes are defined. Different approaches are usually taken for financial risks versus nonfinancial risks. Financial-risk approaches focus on limit structures, while approaches for nonfinancial risks focus on severity and probability matrices mapping inherent and residual risks. The risk profile is managed through numerous processes: incident management, risk and control assessments, risk appetite, and monitoring and reporting processes.

