Chief risk officers at the world's financial institutions are unlikely to look back fondly on 2008. Within little more than a year, the international financial system had been brought to the brink of collapse following five years of unprecedented growth. And while there were many actors to blame for the situation—not least a combination of negligent lending, irresponsible borrowing and unrestrained economic expansion—poor management of risk was widely seen as an important culprit.
As financial institutions, regulators, central banks and governments look to the future, there is certain to be a careful reappraisal of the role and responsibilities of risk management. But perhaps a more fundamental question is not whether risk managers were doing their job properly, but whether the financial architecture as a whole enabled and empowered them to do so. Did the profit motive drown out cries for greater restraint and did risk management lack the authority it needed to take decisive and necessary action?
Both institutions and supervisors are asking themselves other, vital questions. Were the tools available to risk managers fit for purpose? Was the approach to risk management based on a historical view of the world that pertained to an unprecedentedly rosy era in markets and the economy? And was there insufficient risk expertise and understanding at the very top of some of the world's largest organisations?
In this research, which is written by the Economist Intelligence Unit and sponsored by ACE, KPMG, SAP and Towers Perrin, we examine the lessons that have been learnt from the current financial crisis, and propose ten practical lessons that could help to address perceived weaknesses in risk identification, assessment and management. Although our research is primarily directed at financial institutions, we also highlight ways in which these lessons could apply to corporates from other industries. The ten lessons, which are listed below in no particular order of priority, can be summarised as follows:
- Risk management must be given greater authority
- Senior executives must lead risk management from the top
- Institutions need to review the level of risk expertise in their organisation, particularly at the highest levels
- Institutions should pay more attention to the data that populate risk models, and must combine this output with human judgment
- Stress testing and scenario planning can arm executives with an appropriate response to events
- Incentive systems must be constructed so that they reward long-term stability, not short-term profit
- Risk factors should be consolidated across all the institution's operations
- Institutions should ensure that they do not rely too heavily on data from external providers
- A careful balance must be struck between the centralisation and decentralisation of risk
- Risk management systems should be adaptive rather than static
The research is based on a programme of in-depth interviews with leading participants from the financial services industry, along with a selection of independent risk experts.
