Page 26 - Risk Management Bulletin April-June 2022

- Risk-specific control processes. This layer entails all mechanisms for managing specific risk types. Nonfinancial risks are managed through risk-specific controls, often called key controls, as they are formally governed by the ERM approach. These can be controls for reconciliations for financial disclosures, the "four eyes" principle for business partnership approvals, or systems-embedded controls often used for managing cyberrisks.

- Risk and integrity culture. This final layer refers to managing norms and behaviors around risk, including the incentive structure, the tone set by top management, the consistency of formal risk governance with actual behavior, and the approach used to discover and balance risk issues and conflicts throughout the organization (such as P&L performance targets and adherence to a company's risk and integrity norms).

These ERM layers and their components commonly exist in banking and corporates. Their maturity and development, however, can differ significantly. There are, for example, significant application differences, as risk management in banking is heavily regulated, whereas corporate ERM practices are driven by industry standards, such as those related to the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Differences in organization and governance

A striking difference between corporates and banks can be seen in their respective risk-governance structures and the extent to which they are formalized. As much as 10 percent of bank staff might be situated in central risk functions (risk, compliance); in large corporates, the corresponding share is often less than one-tenth of 1 percent. The reason for the difference is that banks need heavier central risk functions to meet more stringent regulatory requirements. These include a mandate to have a CRO as a distinct second-line executive. Corporates, on the other hand, focus more on embedding risk management into their operational processes within the front line. They usually assign risk and compliance functions to the CFO; rarely will a nonfinancial company have a dedicated risk chief executive.

For corporates, the risk-management function mainly identifies and reports on risks. It also manages a few frameworks for commercial compliance in such areas as business-partner due diligence, capital markets and M&A compliance, antibribery and corruption risks, and export risks. Most nonfinancial risk management, as it relates to the corporate operating model, will be embedded in the businesses.

The differences become evident when we look at how risk issues are addressed in banks versus corporates. At banks, the CRO usually becomes involved, answering to the regulator about incidents and the remedial programs applied to address underlying issues. In corporates, the businesses in which the risks are materializing are usually responsible for identifying them and applying solutions to resolve them. Central risk and compliance functions often play supporting and coordinating roles (except for commercial-compliance issues, for which the response is centralized).

Many banks augment frontline ownership of risk with divisional control offices. This allows banks to address the root causes of issues more effectively and permanently. For corporates, central risk and compliance functions generally would not be responsible for certifying compliance for risks arising in the businesses, such as health and safety risks in mining, network security for telecommunications companies, or software risks for autonomous vehicles in the auto industry.

Corporates have, however, overcome the artificial first- and second-line delineation that banks often apply. For banks, the division can create a wall between an independent control function and a center of competence. Interestingly, the term "independent control" has recently been eliminated from the COSO's organizational standards with respect to the second line, whereas in banking, the term is still used in all regulations.

Banks manage financial risk through various quantitative means and balance-sheet analyses with a more centralized approach than the business-embedded risk approach taken by corporates. Corporates can consider whether they might benefit from a more centralized ERM in certain areas.