To analyze some of the ways companies are responding, the Wharton Risk Management and Decision Process Center held a conference recently that featured panel members from three top financial services companies: William Egan, global head, financial institutions group corporate and investment banking at Bank of America-Merrill Lynch; Keishi Hotsuki, chief risk officer at Morgan Stanley, and Ellen Richey, chief enterprise risk officer at Visa. The conference, “Catastrophic Risk Leadership and Governance among Large U.S. Corporations,” was moderated by Erwann Michel-Kerjan, managing director of the center.
The discussion focused first on the various risk-management processes companies have been adopting in response to these recent disasters. Egan began by noting that “pretty significant risk controls have been imposed over the past five years.” At BoA-ML, “the risk reporting we have to do, the risk meetings we have to do … [are] much more significant than the days when Merrill Lynch had a different balance sheet [from BoA.]”
At Morgan Stanley, Hotsuki noted, “we [now] have much more stringent risk testing and analysis.” Before the financial crisis, the chief risk management executive at many Wall Street firms mostly had reported to the CFO. Now, however, “the majority report to the CEO. In my case, I report to both the CEO and the board, and we spend between 25 and 30 hours with the board per year focusing on risk management. That’s a lot of time.”
The past five or six years, Hotsuki added, have been marked by three major developments at his firm. “The first was to rebuild our defense, post-financial crisis…. Obviously, the industry has lost some credibility around risk management, so we had to rebuild the defense of knowing where the risk is and how to monitor it, and making sure there are no surprises.” The second trend involved going on the offense, which meant developing “a platform that recognizes that risk capital is one of the scarcest resources…. We have to maximize our return on equity…. Risk has started to be used as an optimization tool” to improve the firm’s return on capital.
Before the financial crisis, the chief risk management executive at many Wall Street firms mostly reported to the CFO. Now, “the majority report to the CEO.”–Keishi Hotsuki
The third theme, which has emerged more recently, is a greater focus on enterprise risk management. Hotsuki said that the challenge facing the financial sector now is gradually changing from financial-market risks toward reputational risks, including “technology, cyber security and many types of more qualitative risk management.”
Visa’s Richey noted that the firm faces a very different set of disaster risks. “Visa is probably one of the least understood, well-known brands” because many people – including millions of Visa cardholders — mistakenly think of Visa as a credit-card company. “We do the processing for the technologies of Visa but we are not a credit card company.” Nevertheless, she added, “We are a very young company with a lot of risks. From a risk perception, we have such an incredibly valuable brand, and highly concentrated processing risk. We are not a bank; [but] we were previously owned by banks, and so Visa inherited a lot of risk assessment practices from the banks” before it became independent six years ago.
What kind of nightmarish scenario keeps Visa executives up most at night? The company, noted Richey, pays a lot of attention to avoiding “system down time.” In such a scenario, “people would go to use their Visa card, and if it suddenly didn’t work for a period of time, we would consider that a big blow…. Reliability is part of Visa’s value proposition and brand promise…. We worry a lot about system down time, and we manage to very, very high standards.” Those concerns have paid off: Visa has suffered only two minutes of total system down-time over the last 10 years. “We worry about it, so we have this very elaborate system of controls,” Richey said.
At Morgan Stanley, noted Hotsuki, a key risk-management lesson from the economic crisis has been “the importance of the cumulative factor. When Lehman [Brothers] went down [in 2008], many of the banks felt, ‘I’m okay,’ because their direct exposure to Lehman was very manageable. But what all of us underestimated was the indirect second- or third-order effect.”
The under-assessed complexity of the financial system created a “cascade effect that could bring everyone down.” That came as a surprise, and the situation got worse every hour, every day, according to Hotsuki. “That cumulative factor and complex-system issues are definitely something that we need to focus much, much more on. The historical cases of [this sort] are not frequent, and therefore we need to think” a great deal about the lessons these cases offer for risk-management specialists.
While keeping an eye on the rear-view mirror, risk management specialists also realize that they may be pursuing a moving target. Egan said that the growing role of government regulators after the financial crisis has spawned further uncertainty about the emergence of new kinds of risk. “Suddenly, the government could put you out of business because of something you did not see coming.”
“Suddenly, the government could put you out of business because of something you did not see coming.”–William Egan
Hotsuki warned that while “a lot of good processes are being developed and the system is much safer than before,” there is an ever-present challenge that “the risk will move somewhere else” beyond those targets that executives have identified as priorities.
The Evolving Role of the Board
Are board members in these companies approaching risk management executives in search of solutions? Are the strategies for addressing these risks being developed or fine-tuned in partnership with the boards? These were some of the questions posed to the panelists. Visa’s Richey said that her company’s board members “want us to be able to articulate for them in, say, a maximum of a one-hour period a problem that they can engage with us in partnership to resolve.”
Visa’s “board has become a bit more interested in delving into the specifics of risk management, which creates a significant challenge,” Richey added. This process can involve what she called a “translation challenge,” when senior management and the board get together to discuss issues of cyber-security risk. “We are very concerned about losing the data entrusted by two billion cardholders around the world,” and “we are a very big target for that kind of attack.”
A key challenge, Richey explained, is that Visa staff reporting to the board “were unable to express to them [the board] everything that we could possibly do” to mitigate cyber-security risk. “They couldn’t say ‘nothing’ [could be done] in terms of being able to quantify a risk, [nor could they] accurately describe to business executives whether or not we should invest in three-tier architecture” and/or other technical complexities. As a result, “We actually designed a system to translate that kind of risk into meaningful increments” so that people can make informed decisions about where to invest their budget for risk management.
The overall challenge is to “get the right level of information to the senior executives at the right time, and out to the rest of the organization.”–Ellen Richey
Beyond that, added Richey, “The other kind of risk that we discuss a lot is even harder to grapple with: The risk of disruptive competition and regulatory intervention. The board is interested in the possibility of forecasting political and economic events, and we’ve been trying to gather information from all the countries we have offices and operations in. [We’re looking into] where we’ve been seeing any [common] trend toward government intervention” in several countries. In such cases, the board’s discussion focuses on such issues as: “Do we need to put together a team and do something about this [trend]? That is in its infancy, so I am very interested in that topic.”
The overall challenge, she said, is to “get the right level of information to the senior executives at the right time, and out to the rest of the organization.”
At Morgan Stanley, the board has a different perspective. Noted Hotsuki, “The board is very engaged because our management is not just engaged in issues of how much they could lose [as a result of risk] but [because] in the investment banking world, risk is a source of income. It is not just about how much we could lose, but also what kind of risk we are taking to make money.”
What role should the board play in evaluating the technicalities of risk management? At Bank of America-Merrill Lynch, said Egan, board members sometimes lack the technical knowledge required to understand the growing complexities of global risk management. “When the CIO (chief information officer) tries to explain [such complexities], the board may need [to have someone with] more expertise” so that it can properly evaluate key decisions.
Hotsuki argued that when it comes to cyber security, a board could have much more value to the firm if there were at least one member who could ask informed questions about the highly complex issues of vital concern for managing operational or reputational risk.
Yet, maintained Richey, “You don’t want to have just one person who is a technical person interpreting [technical issues] to the board. We want to make sure that they are not overly reliant on [just] one expert.”
No hay comentarios.:
Publicar un comentario