reserves, enhance transparency, curb risk appetite, and tighten controls. This had positive as well as negative effects. On the positive side, the regulations provided a basis for forward-looking analysis such as stress testing and scenario modeling. On the downside, however, many companies failed to take these hard-won lessons to heart, focusing exclusively on meeting regulatory requirements without considering ERM in a broader, more strategic context. In addition, many firms effectively overreacted to the economic hardship that followed the crisis. Rather than becoming risk-smart, they became risk-averse. Without risk, of course, there can be no reward, so these companies stumbled on without much of a strategic outlook beyond mere survival.
In all, seven fundamental trends emerged after the financial crisis that together have shaped the practice of risk management for the past decade:
1. Much stricter compliance requirements
2. Increased board-level risk oversight
3. Greater risk management independence
4. Focus on enterprise-wide risk management
5. Improved board and management reporting
6. Creation of objective feedback loops
7. Better incentive compensation systems
Below, we'll take a look at each of these in greater detail.
Much Stricter Compliance Requirements
For better or worse, compliance quickly became a primary driver of risk management. The formalization of heightened regulatory scrutiny in the financial services industry fundamentally increased the scope and responsibility of the risk management function. The same held true in other sectors as well. The insurance industry, for example, implemented the Own Risk and Solvency Assessment (ORSA) in order to determine the ongoing solvency needs of insurance institutions with regard to their specific risk profiles.
Compliance with laws and regulations is an important objective in any risk management program, but we must remember that it is a necessary but insufficient condition for success. Regulations are blunt instruments designed to establish minimum standards for an entire industry, but they don't always represent best practices. For example, banking regulators established Basel II, and more recently Basel III, to link regulatory capital requirements with a bank's risk profile. However, leading banks have developed more sophisticated economic capital models that better represent the risk-return economics of their businesses. Moreover, new regulations often overreact to past problems. The Sarbanes-Oxley Act (SOX), for example, was enacted in the aftermath of accounting frauds at large corporations such as Enron and WorldCom. While accounting controls are important, they are only a subset of operational risk management techniques, and operational risk is itself a subset of enterprise-wide risks. In fact, one can argue that the emphasis on accounting controls in the post-SOX period has been misguided, given that risk is mainly driven by future events, whereas accounting statements reflect past performance. In order to be effective, a risk management program must be forward-looking and driven by the organization's business objectives and risk profile, not by regulatory requirements.[13]
Increased Board-Level Risk Oversight
These new laws and regulations also shaped risk governance and oversight at the board level. Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act specifies that “FRB (Federal Reserve Bank) must require each publicly traded bank holding company with $10 billion or more in total consolidated assets…to establish a risk committee [of the board]…Risk committee must…include at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”[14]
According to PwC's 2014 corporate directors survey, boards are becoming increasingly uncertain that they have a solid grasp on their company's risk appetite, with 51% saying they understand it “very well” in 2014, down from 62% in 2012.[15] It seems that boards are beginning to recognize that it's not enough to be the “audience” with respect to risk reporting and updates, but they must become active “participants” in providing credible challenges and setting policies and standards. In the past, boards approved risk policies, reviewed risk reports, and viewed PowerPoint presentations designed mainly to assure them risks were well managed. In order to provide effective oversight, however, boards must be active participants in the risk management process. They must debate risk-tolerance levels, challenge management on critical business and financial strategies, and hold management accountable for the risk–return performance of past decisions. To strengthen their oversight, boards should consider establishing a separate risk committee, especially at risk-intensive companies (e.g., banking, insurance, energy). At a minimum, each board and its standing committees must ensure that risk management is allocated sufficient time and attention. Boards should also consider adding risk experts to their ranks.
Greater Risk Management Independence
During the excesses of the pre-crisis environment, where was risk management? Why didn't we hear about chief risk officers going directly to the board, or quitting out of protest given what was going on under their watch? I believe a central issue was the continued lack of true independence of risk management, which companies are only now beginning to address seriously. Since the trading losses suffered by Barings and Kidder, Peabody in the mid-1990s, companies have worked to ensure that the risk management function was independent relative to trading, investment, and other treasury functions. However, companies are finally going further to ensure that risk management remains independent relative to corporate and business-unit management as well. This is similar to the independence that internal audit enjoys, though to a lesser extent because risk management should function both as a business partner and risk overseer. One organizational solution has been to establish a dotted-line reporting relationship between the chief risk officer (and chief compliance officer) and the board or board risk committee. Under extreme circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, excessive risk taking), that independent dotted-line reporting relationship can ensure that the chief risk officer can go directly to the board without concern about his or her job security or compensation. Ultimately, risk management must have an independent voice to be effective. A direct communication channel to the board is one way to provide that.
Focus on Enterprise-Wide Risk Management
A key lesson from the latest financial crisis as well as those preceding it is that major risk events are usually the consequence not of one risk, but of a confluence of many interrelated ones. Historically, companies managed risk within silos, with each organizational division handling its own, but, in 2008, it became glaringly obvious that this approach could lead to catastrophic failure. Even as the crisis was unfolding, the Wall Street Journal reported that the risk model used by AIG to manage its credit derivatives business only considered credit-default risk, but not the mark-to-market or liquidity risks associated with the business.[16] Companies should implement ERM programs to analyze multi-risk scenarios that may have significant financial impact. For banks, that means integrating analyses of business, credit, market, liquidity, and operational risks. Insurance companies must also assess the correlations between investment, liability, interest-rate, and reinsurance risks. All companies must manage strategic risks and the critical interdependencies across their key risks on an organization-wide basis.
In the United States, the Federal Reserve implemented a series of formal stress-testing requirements for banks to quantify their vulnerability to various risk scenarios. The Fed's Comprehensive Capital Analysis and Review (CCAR) assessment provides independent review of the capital plans for banks and bank holding companies with assets in excess of $50 billion. Additionally, the adoption of Dodd-Frank mandated that all banks with greater than $10 billion in assets must conduct stress testing on an annual basis. The Office of the Comptroller of the Currency (OCC) published final rules in 2014 to meet the stress-testing requirement. Known as DFAST (Dodd-Frank Act Stress Test), the rules require all banking institutions with between $10 billion and $50 billion in assets to conduct and report results of formal stress testing exercises.
Improved