One of the lessons from my post on the objective of risk management was that there are a number of perspectives about it. I asked a number of leading industry experts to share their perspective.
Today, I am sharing the second part of Jim Suttcliffe’s contribution reflecting a Board perspective as Chairman of Sun Life Financial (Canada) and Chairman of BaxterBruce (UK) and former CEO of Old Mutual Group. Jim explains how the concept of risk cycles can be used to implement the use test. (The first part on the use-test is here.)
Previous posts on this series shared the views of James Tufts, Group CRO of Guardian Financial Services (here) and Carlos Montalvo Rebuelta, Executive Director of EIOPA (here). I will continue sharing these perspectives in the next few weeks.
Implementing the use-test: risk cycles
Jim Suttcliffe, Chairman of Sun Life Financial (Canada), and Chairman BaxterBruce (UK)
There are a number of risk cycles in use at the big consultancies, but I find that few have the ring of reality about them. We can all recite Identify, Assess, Monitor, Maintain, Report etc., but this kind of cycle, at least from the perspective of a non-executive, is likely to lead to the use test not being complied with.
For me, the first step in the process is a number of actions that are all to do with "Understanding" your risks and their shape and texture. The difference between identifying and assessing is often academic - it's the process of assessing that leads to the identification, or at least the recognition of importance. Stress tests, reverse stress tests and scenario tests are all part of understanding, and from a non-executive perspective, making sure that the executive understands, as much as ensuring the board understands.
Some risks are easily measured, others have pretend-accurate models around them, and discussions need to recognize these differences, and not bury them under pseudo-science.
But once you've understood your risks, the next step for the Risk Committee is to get them into the context of the strategy, and set up the necessary "Policy". This will include risk appetite statements, risk targets, limits on activity, statements of desired and unwanted risks, control activities and a number of similar items, all aimed at ensuring the risk reward balance in the business is what is required. From a Non-Executive perspective, this is the crucial step. Once these policies are in place, you hand over to the executive, and say, "operate within these bounds, and tell me when you step out and how you are going to rectify it."
The next useful thing to do is to check that "Management Action" is building the sub-blocks that are high reward/low risk and shrinking the other blocks. This is of course a hard problem, but that's why management is paid a lot. This then can also help lead you to understand what the incentives are and whether they are working properly, as well as be very informative. It will also tell you whether your Use Test is being met.
After that, check "Compliance". This should be a big dashboard maintained by the CRO and his/her team. And as with any dashboard, you should expect a lot of green, and pay attention to any reds that appear. The rules should be very firm. If you breach, report; no exceptions or stories that it didn't matter or is about to be fixed. Report all breaches!
And lastly you are in a position to "Report". You have all the facts: your Principal risks come out of Understanding, and your Going Concern Statements come from there too. You can report on the policies you have in place and the actions taken to improve the business, and you can show the use test in action.
It's a far simpler cycle, and much more realistic.
If you work in financial services, I would be keen to hear your thoughts about this perspective on the objective of risk management. If you don’t, I would be keen to know if these lessons resonate with your experience.