Why is Enterprise Risk Management Important Today?
by Andrew Smart
In light of the litany of firms that have failed due to poor risk management practices, a number that has grown since the 2008 financial crisis, and the increasing pressure from regulators and boards that followed it, Enterprise Risk Management continues to be a priority for many executive teams and firms.
The three main drivers for why Enterprise Risk Management is particularly important to firms today are:
1. To reduce cost and complexity within risk management
2. To effectively and efficiently respond to regulatory pressure
3. To create shareholder value in uncertain times
Since the financial crisis, significant cost and complexity have been built into firms as they have reactively developed and evolved their risk management capabilities.
In the years immediately after the financial crisis, the growth of risk management within firms went into overdrive as firms struggled to keep up with the tsunami of regulatory change and additional demands post-2008.
For example, in 2013 it was reported that JPMorgan Chase & Co were preparing to spend an additional $4 billion and commit 5,000 extra employees to fix their risk and compliance problems after a spike in investigations issued by regulatory authorities.
Similarly, in 2014, the former chief executive of HSBC, Stuart Gulliver, commented that despite cost cutting elsewhere, the bank planned to increase its spend on risk and compliance by $150m-$200m over the previous year, with further increases the following year.
However, it wasn’t only large firms looking to build out their risk and compliance functions; smaller challenger banks were also significantly increasing their headcount. One such firm’s risk and compliance function consisted of two people up until 2011; between 2011 and 2014, however, the bank grew its risk and compliance headcount to over thirty people and established separate risk management and compliance functions.
This growth in headcount alongside systems expenditure and the implementation of formal risk management organisations came at a time when business volumes were in decline, interest rates were at record low levels, margins had been squeezed across the board, and many firms were struggling to generate returns to cover their cost of capital.
Ten years on, with the economic cycle looking set to turn, firms must look carefully at all areas of cost and complexity, including risk and compliance. Inefficiencies and ineffectiveness must be identified and cut from the firm, including headcount.
Since the financial crisis, we have seen unprecedented growth in regulatory obligations, speed of regulatory change, and an eye-watering level of regulatory fines imposed.
Research from the Boston Consulting Group (BCG) calculates that since 2008 the number of regulatory fines issued to financial services firms has exceeded $300 billion, whilst Thomson Reuters states that there was a 492% increase in regulatory fines between 2008 and 2015.
Thankfully, firms and regulators are now recognising that taking a reactive, siloed approach to this change is not sustainable.
In March 2019, the FCA released a major research paper on Cyber Security and industry insights into Cyber Risk Management best practice, which made the following recommendation:
“Put cyber risk on the executive agenda. Use an enterprise risk management approach to articulate and share cyber risk related to business operations, customers and reputation. This will help executives place cyber risk within the appropriate context, and consider it when running their businesses.”
Likewise, in April 2019, the CFTC proposed amendments to the Derivatives Clearing Obligations (DCO) Core Principle Regulations under the Dodd-Frank Wall Street Reform and Consumer Protection Act. Significantly, the amendments set out new requirements for DCOs’ Enterprise Risk Management functions and reporting obligations:
“DCOs will be required to implement an Enterprise Risk Management framework that continuously measures, monitors and manages identified sources of risk and to test the effectiveness of any mitigating controls to reduce risks. A DCO would also be required to establish and maintain an enterprise risk management framework, approved by its board or a board committee and reviewed annually, and to appoint an enterprise risk officer.”
These regulatory changes demonstrate the regulatory pressure on firms to implement an Enterprise Risk Management approach, whilst creating an opportunity for firms to consolidate and integrate their risk management processes, systems, data and people, thus driving value for the firm.
Due to current market conditions (low interest rates, reductions in trading volumes and significant political uncertainty), many firms are experiencing difficulties in delivering profitability and returns to shareholders. This creates a need for firms to look at all options to create value; one such option is to improve their Enterprise Risk Management functions.
In one of the largest and most detailed studies of its kind, involving insurers in the US and Europe, academics found that firms which have deployed Enterprise Risk Management functions enjoy a 20% value premium over firms that have not.
Similarly, a recent study by McKinsey and Company found that “a well-executed, end-to-end risk function transformation can decrease costs by up to 20% while improving transparency, accountabilities and employee and customer experience”.
History shows that inefficiencies in risk management are often a major contributory factor in a firm’s failure. We have witnessed over a decade of regulatory growth and change in the wake of the 2008 financial crisis, and with many firms still struggling to generate returns that cover their cost of capital, Enterprise Risk Management is critically important to reducing the cost and complexity of risk management, responding effectively and efficiently to regulatory pressure, and creating shareholder value in uncertain times.