One of the lessons from my post on the objective of risk management was that there are a number of perspectives about it. I asked a number of leading industry experts to share their perspective.
Today, I am sharing the second part of Jim Suttcliffe’s contribution reflecting a Board perspective as Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group. Jim explains how the concept of risk cycles can be used to implement the use test. (The first part on the use-test is here.)
Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.
****************************
Implementing the use-test: risk cycles
Jim Suttcliffe, Chairman of Sun Life Financial (Canada), and Chairman of BaxterBruce (UK)
There are a number of risk cycles in use at the big consultancies, but I find that few have the ring of reality about them. We can all recite Identify, Assess, Monitor, Maintain, Report etc, but this kind of cycle, at least from the perspective of a non-executive, is likely to lead to the use test not being complied with.
For me, the first step in the process is a number of actions that are all to do with "Understanding" your risks and their shape and texture. The difference between identifying and assessing is often academic - it's the process of assessing that leads to the identification, or at least the recognition of importance. Stress tests, reverse stress tests and scenario tests are all part of understanding, and from a non-executive perspective, making sure that the executive understands, as much as ensuring the board understands.
Some risks are easily measured, others have pretend-accurate models around them, and discussions need to recognize these differences, and not bury them under pseudo-science.
But once you've understood your risks, the next step for the Risk Committee is to get them into the context of the strategy, and set up the necessary "Policy". This will include risk appetite statements, risk targets, limits on activity, statements of desired and unwanted risks, control activities and a number of similar items, all aimed at ensuring the risk reward balance in the business is what is required. From a Non-Executive perspective, this is the crucial step. Once these policies are in place, you hand over to the executive, and say, "operate within these bounds", and tell me when you step out, and how you are going to rectify it.
The next useful thing to do is to check that "Management Action" is building the sub-blocks that are high reward/low risk and shrinking the other blocks. This is of course a hard problem, but that's why management is paid a lot. This then can also help lead you to understand what the incentives are and whether they are working properly, as well as be very informative. It will also tell you whether your Use Test is being met.
After that, check "Compliance". This should be a big dashboard maintained by the CRO and his/her team. And as with any dashboard, you should expect a lot of green, and pay attention to any reds that appear. The rules should be very firm. If you breach, report, and no exceptions or stories that it didn't matter or is about to be fixed. Report all breaches!
And lastly you are in a position to "Report". You have all the facts, your Principal risks come out of Understanding, your Going Concern Statements come from there too. You can report on the policies you have in place and the actions taken to improve the business, and you can show the use test in action.
It's a far simpler cycle, and much more realistic.
****************************
If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management. If you don't, I would be keen to know if these lessons resonate with your experience.