Page 27 - Risk Management Bulletin April-June 2022
P. 27
RMAI BULLETIN APRIL - JUNE 2022
Differences in the ERM approach need to make that connection and, more important,
find a way to address it.
Banks perforce emphasize financial risk in their
traditional ERM approach. They take a highly
Where does this leave banks when it comes to
quantitative approach to capital as the balance-sheet
addressing nonfinancial risk? In a tight spot, actually,
resource. The risk profile is usually defined top-down
because risk-and-control self-assessments or capital-
in relation to available capital (after certain buffers), driven risk-appetite frameworks are only meaningful
measured both in regulatory as well as economic terms for nonfinancial risks when the nature of these risks
and then cascaded into the organization.
is well understood. Only then can banks establish
specific business-related views and apply practical
For various reasons, this approach is impractical for
metrics in the same way that the businesses do in the
nonfinancial risks, other than in measuring the first line of defense. Replicating centralized, capital-
potential impact these risks might have on capital as based quantitative approaches that cascade metrics
the last compensating resource. Banks apply capital
across the organization will be of limited use.
models to gain a complete view of the adequacy of
their capitalization levels and then allocate this across Worth noting is that corporates also struggle to apply
different businesses. They know that the ingoing business-linked logic universally within their ERM
assumptions are statistically weak. Nevertheless, the approach. In attempting to make risks comparable,
approach allows analogous steering on a capital basis define risk appetite, and centralize reporting,
aligned to financial risks. corporates have found that their second-line teams
begin to replicate the banking approach. This leads to
The drawbacks are twofold: first, history is not a central functions at corporates hitting the same
reliable predictor for nonfinancial risks, given limitations that banks experience.
continuous business-model changes, process
enhancements, and regulatory changes. The contrast Differences in risk-specific control
with credit and market risks is clear, since
creditworthiness, for example, can be predicted quite approaches
accurately from balance-sheet data, just as market Banks can thus learn from highly sophisticated
volatility can be measured from market data. Second, approaches for managing nonfinancial risk developed
nonfinancial risks have to be evaluated in the context by some corporates for their business models.
of the specific business model and customer Experiences from particular industries can provide
expectations. A more iterative approach to business or helpful guidance to the banking sector (and corporates
consumer software development acknowledges that from other sectors).
bugs must be continuously fixed; the risk appetite is Y Managing process risks. Those financial
very different for risks involving health and safety, such institutions—mainly banks—that develop complex
as for software in nuclear-power plants or even products and business models can learn important
lessons from the auto and pharma industries. In
consumer products such as cars.
automotive, approaches to managing process and
production risks incorporate considerable
Corporates have therefore developed risk-
experience and are highly sophisticated, especially
management approaches rooted in expert data and
performance data for processes and systems. Such in relation to product cost, quality, and safety. The
high level of outsourcing in the auto industry (as
data provide a better basis for steering nonfinancial
risk. Industrial corporates take this approach to quality much as 80 percent) requires continuous
control and the management of most product- and monitoring of suppliers in relation to cost and
quality. In pharma, the management of risks
production-related risks. Banks, on the other hand, related to R&D and (heavily regulated) production
have a more difficult time, as they must address
standards is highly developed.
heterogenous processes and highly complex products
built over time. Some have begun developing process Y Managing software development and deployment
or product-quality frameworks for managing risks. Banks have begun to develop and deploy
nonfinancial risks. Most, however, have not. They still software in rapid cycles, an approach mirroring
25
