What every Risk Manager should be asking himself

Stanley Epstein - Principal Associate - Citadel Advantage

The whole aspect of Risk Management has taken on a much higher profile over the past few years, driven by many new factors. In the financial industry the crisis that so unpleasantly arrived on our doorstep in 2008 has been a major catalyst while other recent events such as 9/11, the recent Japanese Tsunami linked to the Fukushima atomic incident, hurricane Katrina and more recently hurricane Sandy, have each, in their own way added to the knowledge of and the pressure to be more aware of risk and to take positive steps to better manage these.

One of the most important aspects of risk management lies in the creation the correct culture within the organization. In this short article I pose ten questions aimed specifically at Risk Managers. If you can answer “yes” to all of these you have created the appropriate risk management culture. The more “no’s” you have on your list the more work you need to do.

1. Have you identified the potential business risks to the organization?
The starting point of any risk management program is to obtain a clear understanding of all the potential risks that face the firm. The emphasis is on ALL the risks. Remember operational risks become business risks as well.

2. Have you assessed the likelihood and consequence of the significant risk being realized?
There are risks and there are risks. Once you have established what risks face your organisation the next step is to determine what are the chances of such risks being realised as well as what effect such an occurrence will have on the business or operation.

3. Have you assessed those risks that could:

• Damage your organization’s reputation?
• Affect your organization’s market position?
• Result in prosecution?

We often tend to focus on the financial risks only. However risks are always much wider than just the lost of income or the added expense of replacing a server. You need to give serious thought to the risks that could affect your organisation in the wider scheme of things. Reputation, market position and the threat of prosecution, just to name but three. A current example is the “horse-meat” scandal that is sweeping across Europe.

4. Have you established controls to manage significant business risks?

Of course it is impossible to eliminate all risks that the firm faces. Yet there is a very significant range of risks that your business is exposed to regularly. The starting point in managing these risks is to make certain that the right controls are in place to do just this.

5.  Have you established a positive culture for controlling the risks?

Although risk represents a danger to the firm and a potential loss, risk should be seen in a positive light as an issue that you need to be aware of and that needs to be managed. A positive culture in managing risks is based on ensuring knowledge and understanding of what risk is, its implications and how it is managed or mitigated. This culture is further enhanced by ensuring that ALL the organisation’s staff receive the appropriate training.

6. Have you established a contingency plan to mitigate disaster?

What would you do, if tomorrow morning, you were faced with a situation in which you were unable to open your business? The reason why is largely irrelevant. The real disruption would be that you would be unable to open for business. Contingency planning is exactly how you would overcome this unfortunate situation and be able to continue operations/ serving your customers. Do you have a Business Continuity Management plan that covers everything? Has it really been tested? Will it work?

7. Have you established continuity management control arrangements?

Business continuity management control addresses an organization’s ability to offset interruptions to normal operations. Key elements of this include;

• Business continuity planning – a business continuity strategy based on a business impact analysis.
• Business continuity testing – testing and documentation of business continuity strategy.
• Business continuity maintenance – identifies ownership of business continuity strategy as well as ongoing reassessment and maintenance.

8. Do you regularly audit compliance with control arrangements?

It is one thing to have a comprehensive set of control arrangements to help mitigate the various risks. But this does not mean that you have managed your risks effectively. Are control arrangements being complied with? Compliance auditing will help keep this in check.

9. Do you regularly review these arrangements with respect to their adequacy and effectiveness?

Nothing remains static over time. What was true today need not necessarily be so tomorrow. The same applies to control arrangements. New processes, new operations, new clients all subtly change the risks you face. And with this change comes the need to ensure that the controls that you have put in place remain adequate and effective always.

10. Do you report annually on your risk and control measures?

Is there a higher body that keeps a watching brief over the businesses risks, the risks that you manage and you control measures? Do you report regularly to someone on these issues? You should be …. and you should be doing this at the very least annually.

At the start of this article I wrote that a positive answer to each of the ten questions posed above would indicate that you, as a Risk Manager, have created an appropriate risk management culture. But culture is not enough. That culture has to lead to effective risk management. You do this in the doing, in showing positive results, in bringing down risks faced by the business, in reflecting a positive financial outcome.

Of course this is just the beginning to creating an effective risk management program. Acquiring the knowledge and the expertise is the next step on Risk Management ladder.

Remember – risk management is a journey, not a destination!

The fun stuff is yet to come!

Few Crimes Found in Financial Crisis, Says Ex-JP Morgan Chase Chief Harrison

“Why haven't any bankers gone to jail for the financial crisis? 

"Maybe they didn't commit a crime. … 

There's a difference between committing a crime and using bad judgment," says William Harrison, the former Chairman and Chief Executive of JPMorgan Chase (JPM). Harrison weighed in on the renewed debate over whether banks and their employees are "too big to jail," arguing that "the notion that just because banks lost money, somebody committed a crime, is disappointing to me."

watch video>>    

Enhancing financial stability

The sweeping overhaul of the US’s financial regulatory system that was signed into law in July last, will touch virtually every aspect of American financial markets. The October issue of the “Chicago Fed Letter” focuses on the various provisions in the “Dodd–Frank Wall Street Reform and Consumer Protection Act” that affect “financial market utilities,” critical behind-the-scenes institutions and arrangements that will ensure the smooth functioning of financial markets. Anna L. Paulson, vice president and senior financial economist, and Kirstin E. Wells, lead technical expert both from theat the Chicago Fed have authored this informative article.

Download this article HERE.

Remittances, Africa and the effects of the Financial Crisis

In a recently published Working Paper “The Global Financial Crisis and Workers’ Remittances to Africa: What’s the Damage?” Adolfo Barajas, Ralph Chami, Connel Fullenkamp, and Anjali Garg estimate the impact of the global economic crisis on African GDP via the remittance channel during 2009-2010. The data and it’s interpretation forecasts remittance declines into African countries of between 3 and 14 percentage points, with migrants to Europe hardest hit while migrants within Africa relatively unaffected by the crisis. The estimated impact on GDP for relatively remittance-dependent countries is 2 percent for 2009, but will likely be short-lived, as host country income is projected to rise in 2010.

The paper is available for download at http://www.imf.org/external/pubs/ft/wp/2010/wp1024.pdf

Risk Management in a Post-Financial Crisis World

By Stanley Epstein – Principal Associate at Citadel Advantage


One thing that the financial meltdown has show in crystal clear relief is that among the many contributing factors, there can be no doubt that Risk Management didn’t adequately manage risk. Why this was so is going to be the subject of much debate in the coming months and years. Were Risk Managers constrained by the executive suite who wouldn’t hear the warnings, or were Risk Managers not answering or not even able to answer the basic questions of their trade? Whatever the reason the profession of Risk Management has some deep soul-searching to do.

Now, all of a sudden, that the economies of many countries, not to mention the banking industry, is in tatters, we have dozens of articles and blogs all bemoaning the state of risk management and what we need to do to get everything right again; as if there is some elixir, or some magic wand that will put it all right.

All these blogs and articles are pounding away on the same old drum; all are documenting how badly everyone has done in managing risk and all are extolling bank boards, senior management, regulators and rating agencies to do better next time.

Where were all these authors and bloggers in the good times? Where were they in the heady days prior to the summer of 2007 when the banks and the rest of the financial industry was gaily acting if the only way forward was “up”; when the “old” economy had been declared dead as a dodo and the mantra of the “new economy” was “profits”, “bonuses” and “innovation”. Like the “old economy”, “risk” in all its forms had, by the invocation of all the new hedging and derivative strategies been declared dead too.

True there were some (all too few) who sounded dire warnings of where this was going to end – but who wants a Jonah in their midst when there is a never-ending beach party on the go?

As a professional risk management practitioner and trainer I really feel aggrieved with all the soul searching and hand wringing going on at the moment. Tell me please where all these new risk averse converts have come from? Where were they when they were really needed?

Now that the party is finally over it is time to do things properly. Risk management in the first decade of the 21st century failed miserably. The tone at the top was rotten, whether in the banks or the regulatory agencies or the risk raters themselves. And this rot permeated all the way down to the bottom of the pile.

What were the failures?

The failure to measure risk – risk models were misused, misspecified and most of all misunderstood.

The failure in training – bank boards and regulators were not adequately instructed in what “risk” really meant. Bank staff was only trained in the three P’s – Product, Performance and Profit. Issues like risk concentration, scenario planning, operational failures were only concepts that made one sound intelligent. Worst of all – risk management costs money and of course “unjustified costs” are the bane of every diligent (but not prudent) banker.

The failure to mitigate risk – without understanding risk it cannot truly be measured and without measurement it cannot be mitigated. These factors are interconnected. The one leads to the other.

Enough of this hand wringing! We all know where the blame lies. What is needed now is some courageous risk managers who will roll up their sleeves and get the job done – properly this time.