Balance Sheet

How good are banks at managing business risk?

Chris Cooper,
Article information:
To cite this document:
Chris Cooper, (2000) "How good are banks at managing business risk?", Balance Sheet, Vol. 8 Issue: 1, pp.15-19, https://
doi.org/10.1108/09657960010338418
Permanent link to this document:
https://doi.org/10.1108/09657960010338418
Downloaded on: 09 December 2018, At: 04:20 (PT)
References: this document contains references to 0 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 2573 times since 2006*
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)

Users who downloaded this article also downloaded:

(2001),"The risk of risk", Balance Sheet, Vol. 9 Iss 3 pp. 28-33 <a href="https://doi.org/10.1108/09657960110696069">https://
doi.org/10.1108/09657960110696069</a>
(2003),"How to achieve realistic risk management", Balance Sheet, Vol. 11 Iss 4 pp. 44-64 <a href="https://
doi.org/10.1108/09657960310502548">https://doi.org/10.1108/09657960310502548</a>

Access to this document was granted through an Emerald subscription provided by emerald-srm:551360 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.

*Related content and download information correct at time of download.

 MANAGING BUSINESS RISK

How good are banks at

managing business risk?
Business risk management is now a key senior executive-level concern, yet
not so long ago it was seen as a low-level function and left to internal auditors.
Chris Cooper of PricewaterhouseCoopers discusses why it is so important, the
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)

best ways of managing risk and highlights likely future developments

NVESTORS, DIRECTORS and recent experiences have led many banks banks, can identify their risk profile and

I regulators continue to ask the ques-

tion: ‘Where is the company
exposed?’ However, perhaps they are
really asking: ‘Where am I exposed?’
Increasing demand for more informa-
tion and help on managing business risk
led the Financial and Management
to recognise that they are exposed to
significant risks outside of the
traditional areas of credit and market
risks and their approach to these types
of risk is now being reassessed and re-
engineered.
Enhancing Shareholder Value by
examines various ways of responding to
risk. A successful risk response depends
upon gaining the commitment of
executives and the board, establishing
the business process including assigning
responsibilities for change, resourcing,
communication and training, and
Accounting Committee of the Better Managing Business Risk, a guide reinforcing a risk culture by means of
International Federation of Accountants to best practice published by IFAC, human resources mechanisms. The
(IFAC) to commission the Global Risk explains how organisations, including guide also looks ahead to future
Management Solutions group within
PricewaterhouseCoopers to prepare new
guidance in this
emerging area.
PricewaterhouseCoopers defines
risks as uncertain future events that
could influence the achievement of an
organisation’s strategic, operational
and financial objectives, and stresses
that risk should no longer be
viewed only as a downside or hazard but
also must be seen as clearly linked to
opportunity and upside. Applying these
concepts in the context of a banking
organisation is beginning to have a
profound effect on the way banks
around the globe are approaching risk
management. Banks are finding that
managing risk is an integral part of
generating sustainable growth in share-
holder value.
While some commentators believe
that most self-respecting banks have a
sophisticated and well-structured
approach to risk management, others
argue that banks still have a lot to learn,
particularly when it comes to managing
the wider risks in their business. Indeed,

VOL 8 NO 1 | BALANCE SHEET | 15

 MANAGING BUSINESS RISK
developments in risk management,
such as new tools and techniques for
measuring risk and value.
Why is there such interest in risk
management?
The work done over the last decade on
‘control frameworks’ has built a plat-
form from which enlightened manage-
ment can now see the full perspective of
risk. Business risk management estab-
lishes, calibrates and realigns the rela-
tionship between risk, growth and
return.
The central thesis of the new IFAC
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)
guide is that sustainable growth in
shareholder value is inextricably linked
to risk, which requires response, which
in turn drives value; it is an interactive
process.
While the management of risk is
nothing new to most financial institu-
tions, recent changes in the business
environment have brought risk manage-
ment to the forefront of senior manage-
ment concerns. Factors that have con-
tributed to this heightened interest
include the following:
■ increasing reliance on technology;
■ continuing trend towards litigious-
ness;
■ increasing complexity of financial
products and services;
■ tightening margins (less room for
error);
■ increasing globalisation (greater dis-
persion of operations);
■ growth exceeding availability of
qualified personnel;
■ magnitude and frequency of recent
control failures;
■ regulatory attention;
■ an increasing need to measure
performance;
■ increasing understanding that opera-
tional risk has been the root cause of
some of the industry’s greatest losses;
The importance of linking
the management of risk
to shareholder value should
not be underestimated
16 | BALANCE SHEET | VOL 8 NO 1
The commercial drivers for risk management
Figure 1
■ mergers and acquisitions constantly
driving organisational changes.
While credit and market risk are still
perceived to account for the majority of
risks inherent in financial institutions,
estimates of 25% and higher are attrib-
uted to the broader business risks (as a
percentage of total risk capital).
This commercial imperative is dri-
ving a fundamental change in the finan-
cial services industry’s approach to risk
management, particularly in the area
of operational risk management.
Innovative new practices and techniques
are being introduced, and many organi-
sations are gaining noticeable value
from their use. Solutions vary depending
on the organisation’s complexity and
culture, and the objectives of the risk
management.
Risk-adjusted performance
improvement
The link that risk management has to
improving performance, and thus share-
holder value, highlights the fundamental
objective of managing business risks.
Fred L Cohen and Jonathan M Peacock
(in their article in the December 1997
PWReview ‘Managing risk to increase
shareholder value: new concepts and
tools’) expand on the issues: ‘Taking and
managing risk is at the heart of share-
holder value creation. Yet current
approaches to shareholder value
creation often emphasise growth and
return while paying little attention to the
specific risks inherent in implementing
profitable growth strategies. Where risk
is identified, many companies continue
to rely on static financial risk mitigation
strategies such as foreign exchange and
capital structure practices formulated
when the organisation’s size and finan-
cial structure were vastly different.
While the stock market has been
rewarding companies for their success in
creating shareholder value, new
approaches are necessary to sustain cur-
rent levels of growth. A handful of lead-
ing companies are demonstrating that a
more dynamic approach to risk manage-
ment is critical to delivering superior,
sustainable returns to shareholders.
‘To this end, management must be
willing to expand its approach to share-
holder value by integrating a dynamic
concept of risk into its existing focus on
growth and return.’
The importance of linking the
management of risk to shareholder value
should not be underestimated. As man-
agement becomes more aware of
the importance of risk there is a progres-
sion along a broad risk spectrum
towards greater sophistication in risk
 management and appreciation of its
linkage to shareholder value. This can be The business risk continuum
seen in Figure 1, which is drawn from a
recent global survey.

Understanding your business

risk profile?
Shareholders understand that equity
investments carry risk. Shareholders and
lenders entrust their capital to compa-
nies and their boards because they seek
a higher return than they could achieve
from a risk-free investment in, say, gov-
ernment securities. This implies that
they expect boards and management to
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)

demonstrate entrepreneurship and

dynamism; that is, to take risks. They
expect that the risks will be well consid-
ered and well managed and that the risk
profile of the enterprise will be widely
understood.
Basle’s 1998 Framework For
Internal Control Systems in Banking
Organisations has the following guid-
ance in relation to risk identification:
‘An effective internal control system
requires that the material risks that
could adversely affect the achievement
of the bank’s goals are being recognised
and continually assessed. This assess-
ment should cover all risks facing the
bank and the consolidated banking
organisation (that is, credit risk, country
and transfer risk, market risk, interest
rate risk, liquidity risk, operational risk,
legal risk and reputational risk).
Internal controls may need to be revised
to appropriately address any new or pre-
viously uncontrolled risks.’
This may seem like sound advice,
but in practice the process is not that
simple. For a start the word ‘risk’ means
different things to different people. The
first step toward clarity is to recognise
that ‘risk’ is most often used in several
distinct senses: risk as opportunity,
risk as hazard or threat, or risk as
uncertainty.
Risk as opportunity is implicit in the
concept that a relationship exists
between risk and return. The greater the
risk, the greater the potential return and,
necessarily, the greater the potential for
loss. In this context, managing risk
means using techniques to maximise the
upside within the constraints of the
organisation’s operating environment,
Figure 2
given any limitations through having to
minimise the downside.
Risk as hazard or threat is what
managers most often mean by the term.
They are referring to potential negative
events such as financial loss, fraud, theft,
damage to reputation, injury or death,
systems failure, or a lawsuit: the down-
side. In this context managing risk
means installing management tech-
niques to reduce the probability of the
negative event without incurring exces-
sive costs or paralysing the organisation.
A useful third view embraces the
more academic notion of risk as uncer-
tainty. This refers to the distribution of
all possible outcomes, both positive and
negative. In this context, risk manage-
ment seeks to reduce the variance
between anticipated outcomes and
actual results.
Each element of the three-part
definition of risk above broadly con-
nects with one or more functions within
companies. Although functional empha-
sis and management boundaries are
inherently flexible, risk as hazard typi-
cally represents the perspective of man-
Managing the different
elements of business risk is a
shared responsibility
agers responsible for asset protection
activities – specifically, the controller,
internal audit group, and insurance
administrators. Risk as uncertainty is a
governing perspective of the chief finan-
cial officer and line management respon-
sible for operations. Risk as opportunity
often reflects the outlook of senior man-
agement and the planning staff, who
largely address the upside element of
risk. These concepts underpin an
organisation’s risk profile and can be
illustrated in terms of a business risk
continuum (see Figure 2).
Among financial institutions, there
are a number of leading organisations
that have successfully broadened their
risk management perspective to include
opportunity. This shift in perspective
changes the approach of the institution
to risk management.
Adopting an integrated approach
Many organisations have realised that
the full spectrum of risks cannot be
assessed intuitively or in isolation and
have developed proactive risk manage-
VOL 8 NO 1 | BALANCE SHEET | 17
 MANAGING BUSINESS RISK

readily applied to other units.

Case study of a risk management framework Integration does not just happen. It is
The Royal Bank Financial Group has a three-tiered framework to identify and analyse the invariably the result of deliberate man-
risk facing the organisation as a whole. Each unit and branch uses the framework to agement strategy;
identify and assess risks. ■ a highly dispersed approach to risk
Level 1 risks: Systemic risks are the political, economic, social and financial risks over management that lets each functional or
which an organisation has very little control. These create the environment within which business unit create its own language for
the organisation must operate. Management must be aware of these factors and how risk management and its own tools and
they affect different areas of the organisation. techniques. No structured effort is made
Level 2 risks: These are factors that the organisation cannot control but can influence. to examine organisational risk in the
The Royal Bank Financial Group identifies several level 2 risks, including competitive, aggregate or to share practices across
reputational and regulatory. units. The dispersed approach is
Level 3 risks: These risks vary with each industry but can be generally viewed as risks typically used when risk factors vary
that an organisation can have a great deal of influence over. The Royal Bank Financial substantially across functional and
business units and/or when functional
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)

Group identifies level 3 risks as credit, market, operating, people, technology and
liquidity. and business units operate quite
independently. While management
might deliberately adopt a dispersed
approach, in practice it often arises from
corporate inertia. This approach still
requires management to allocate organi-
sation resources across the many
demands for capital.
The integrated approach appears to
be more proactive and is representative
of emerging best practice. The case study
described in Figure 3 illustrates how
these concepts can be brought together
in the context of a banking group.

Key elements of an effective risk

Figure 3 architecture
ment programmes to help them pursue tional and business units, when func- As an organisation faces change, the risk
their business objectives with confi- tional and business units are highly management framework must adapt.
dence. These frameworks represent interdependent, and when tools and World-class management has a positive
current world-class business risk techniques developed in one unit can be and dynamic approach to change and its
management.
Managing the different elements of Figure 4
business risk is a shared responsibility.
Senior management faces several The risk architecture ‘8-point plan’
pressing needs. First, it must choose
tools and techniques appropriate for
particular risk elements. Second, and
more challenging, management must
decide how integrated or dispersed its
approach to risk should be. This
involves designing and implementing
organisational structures, systems and
processes to manage risk, such as:
■ a highly integrated approach to risk
management that uses a common lan-
guage, shared tools and techniques, and
periodic assessments of the total risk
profile for the entire organisation (as
described above). An integrated
approach is particularly effective when
risk factors are common across func-

18 | BALANCE SHEET | VOL 8 NO 1

 affect on the risk management architec-
ture, which can be depicted as an
integrated ‘8-point plan’ as shown in
Figure 4.
Implementing a risk architecture is
not a response to risk but rather an
organisational paradigm shift, involving
changes in the way an enterprise:
■ organises itself – it gives a new view
of the organisation and the way the
organisation manages internal and
external change;
■ assigns accountability – it aligns
objectives throughout the organisation
(linking strategic objectives with tactical
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)
objectives and process objectives);
■ builds risk management as a core
competency – it creates a foundation to
analyse hazard, uncertainty and oppor-
tunities relevant to each business objec-
tive and assess and develop holistic con-
trols to mitigate these risks;
■ implements continuous, real-time
risk management – the organisation is
continually practising and evolving its
risk management methods and is always
looking for the next
generation of tools and
techniques to improve its Work still has to be done on
risk management (for
example, by risk quantifi- the relationship between the
cation). Risk management
is embedded into the company risk profile and the
organisation and pro-
motes operational effi- common industry risk profile
ciency, not more bureau-
cracy, with full regard to
the cost/benefit of the risk responses.
Measurement – the way forward
In relation to risk measurement, the
tools used to measure risk are becoming
more sophisticated. While some institu-
tions still believe risks other than credit
market risks are unmeasurable and
therefore do not bother, others believe
that risk management without measure-
ment is not feasible and are striving to
create appropriate models to measure all
types of risk on a consistent basis.
Capital approaches that were very top-
down based on overall results are now
evolving into bottom-up approaches
based on extensive databases of losses
and actuarial or extreme value theory of
quantification. Databases of operational
risk losses are now becoming available
Evolution of management’s view of risk
From back room …
Risk monitoring is a low-level function
of the internal auditors
Risk as a negative opportunity to be
controlled
Risk managed separately in
organisational silos
Responsibility for risk management is
delegated to lower levels
Risk measurement is subjective
Unstructured and divergent risk
management functions
Figure 5
that enable the more quantitative
approaches to move from theory to
practice. The net result is a value-at-risk
measure for operational (as well as
market and credit) risk, measuring the
potential volatility of earnings.
Quantitative methods are comple-
mented by detailed operational analysis,
quantifiable risk indicators and
comprehensive business self-assessment
procedures. All of these trends are still in
the early stages of development and it is
difficult to define ‘best practice’. For
example, self-assessment programmes
mean different things to different
people. They are executed with varying
levels of detail, with or without
automated tools, at varying frequencies,
and co-ordinated by different people in
the organisation.
The determination of shareholder
value by Shareholder Value Analysis
(SVA) methodologies is quite well devel-
oped already and helps focus the risk
management process on the value
drivers that are key to managing threats
and opportunities.
Shareholder value models already
include ways of quantifying hazard,
… to board room
Risk monitoring is the CEO’s job (with
board oversight)
Risk as an opportunity
Risk managed in an integrated,
enterprise-wide fashion
Risk management is responsibility of
senior/line management
Quantification of risk
Risk management is built into all
corporate management systems
opportunities and uncertainty in the way
they quantify shareholder value.
Shareholder value determination uses
assumptions on business risks, most
commonly the risk premiums in calcu-
lating net present value dependent on
the industry.
However, the area of managing risk
is dealing with the company-specific risk
profile and is often not
well understood by share-
holders and investors.
Work still has to be done
on the relationship
between the company risk
profile and the common
industry risk profile. In
summary, developments
in risk management
may be characterised as
shown in Figure 5. ■
This article is a high level summary of
Enhancing Shareholder Value by Better
Managing Business Risk. The IFAC
publication sets out guidance towards
best practice in this rapidly evolving
area in detail. Copies of the full report
are available on www.ifac.org or can
be obtained from the IFAC secretariat
in New York by faxing +1 212 286
9570.
Chris Cooper is a partner
for Global Risk
Management Solutions at
PricewaterhouseCoopers
Australia.
VOL 8 NO 1 | BALANCE SHEET | 19
 This article has been cited by:

1. Tuba Bozaykut-BükGiving Risk Management Culture a Role in Strategic Planning 311-321. [CrossRef]
Downloaded by UNIVERSITAS TRISAKTI, User Trisakti At 04:20 09 December 2018 (PT)