Discipline—risk management’s essential glue

In my prior blog post I discussed Communication, one of the essential attributes of a strong risk culture, which include: 

• Vigilance—Being alert to emerging threats and opportunities.

• Agility—Deciding and acting in time.

• Collaboration—Being able to work together effectively on risk issues.

• Communication—Sharing information and ideas about risks.

• Discipline—Knowing and doing what is right from a risk perspective

• Talent—Attracting and motivating people who have the necessary risk knowledge and skills.

• Leadership—Inspiring, supporting, practicing, and rewarding good risk management.

This time I will discuss Discipline—embedding smart risk-taking into the way that the bank makes decisions every day, from the board room to the trading floor.

Signs of weak risk culture

In banks with weak risk cultures, risk management is viewed as a specialized compliance function that exists to constrain excessive risk-taking by the businesses and as window dressing to appease regulators and rating agencies.

In this view, risk management functions are separate and remote from the bank’s businesses and their purpose is mainly to set risk limits and to occasionally say “no.” 

Such risk functions issue incomprehensible reports in arcane language that sit on the shelf until the examiners show up. Their understanding of pragmatic business realities is tenuous at best—after all, they have little opportunity or incentive to learn much about them.

In banks with weak risk cultures, people running the businesses view corporate risk staffers as adversaries who can impede or block profitable business.

So, they try to keep the risk function in the dark, sharing only what they are required to share—and at the last possible moment.

Fruits of a weak risk culture

That’s how you spot a weak risk culture, and here’s how life in a weak risk culture proceeds.

When they think about risk, business people living in a weak risk culture rarely rely on objective evidence or sound analytics to inform their beliefs. They rely too often on war stories, industry folklore, and anecdotes—all cherry-picked to support their viewpoint.

Amazingly, despite their lack of hard data, in such organizations, business people usually win arguments about risk because they are “revenue producers.” That gives them the most clout in the organization.

Consequently, banks with weak risk cultures are prone to make bad decisions about risk. They fail to simultaneously balance risk against potential return to achieve healthy, sustainable growth. They may succumb to extremes: excessive caution or unwarranted enthusiasm.

A better way

Good risk decisions require that sound, realistic risk/return assessments be made at every point in the decision cycle—from inception to maturity—and at every level—from  tactical decisions on the trading floor to strategic decisions in the boardroom.

This cannot be done without risk discipline.

Banks with strong risk cultures instill risk discipline by dogged reinforcement of three attributes:

1. Shared values about risk-taking that guide behavior.

These are the bedrock principles of risk-taking that everyone in the organization agrees to follow when they confront a decision that involves trading off risk against return. There is a common language and analytical framework for determining which risks are worth taking and which are not.

There are accepted norms for how the decision-making process should work and who should be included.

Shared values encourage self-regulation through personal responsibility backed up by peer pressure.

2. Risk-based controls.

Authorities and responsibilities for taking and managing specific risks are clearly assigned to someone who will be accountable for the results of taking those risks. As examples, the treasury function is responsible for managing interest rate risk and the lending function is responsible for managing credit risk.  The P&Ls of both Treasury and the lending function capture the results of taking the specific risks that they are assigned to manage.

Risk limits are tied to risk measures, not just volume or size measures. For example, trading limits embody market volatility assessments for each instrument that is traded. These risk measures are subject to objective external validation.

3. Risk-based incentives.

In the disciplined financial organization, compensation and career advancement are materially affected by risk-taking behaviors and their results.

Business unit profit is adjusted for the risks taken to generate that profit, including risks that may materialize over the longer run.

Bad behavior, such as concealing or misrepresenting risk, is punished.

Good behavior, such as productive collaboration on risk issues, is rewarded.

Instilling risk discipline is not a quick or easy process, because it depends on constant reinforcement over time and the organization’s eventual acceptance, based on results, that this is a better way to do business.