The development of enterprise risk management (ERM) over the last two decades has brought forward the role of Chief Risk Officer (CRO) in the forefront. The various crisis such as the Enron scandal in 2001 led to the strengthening of corporate governance and the passing of the Sarbanes-Oxley Act in 2002. This helped improve ERM. The importance of the CRO role gained more prominence along with the accelerated development of ERM post-2008 economic crisis. Also, the application of risk-based capital in different developed markets led to an increased focus on ERM because ERM helps in optimizing the use of capital.

The prevailing COVID 19 pandemic has increased claims many folds under both the life and non-life insurance sector. Such increased claims have wiped out the profits of many reinsurance companies for the last many years. The banking sector is equally impacted on the recovery of their loans due to the various government-led initiatives to help the borrowers who could not repay the loan due to failure in business or loss in jobs.

Such economic and demographic turmoil have reinforced the importance of risk management and the role of CRO. This has made CROs more conscious of both existing and emerging risks.

The purpose of this article is to highlight the importance of a risk management information system for CRO to address any gaps in the risk information that can be catastrophic for the survival of the financial institutions. If hidden risks or correlated risks are not spotted at an appropriate time, then emerging risks may crystalize leading to an insolvency situation which has been seen during the 2008 economic crisis. Therefore, there is a need for CRO to use advanced technology to have automated risk information management including the predictive capability to take mitigating action.

CRO’s Challenges

The CRO in the organization is the custodian of all risks whereas the front-line managers are focusing on business development where risks are secondary in nature to them. This brings a great responsibility of risk management on the shoulders of CRO. None of the risks can be missed and hidden risks should be brought out in light along with the deducing correlation of risks. The classic example of COVID 19 caught many organizations napping during the initial period of December 2019 and early January 2020 when COVID was restricted to China. At that time risks were highly underestimated, and foresight was missing, many of the correlated risks were missed out.

Risk identification is the first step in the direction of the risk management process and subsequent steps cannot take place without a proper risk identification system. In most crises such as the 2008 global economic crisis, risk identification was missed out. One of the challenges in risk identification is it is based on a manual process having a risk of human interpretation. There are two ways to address this problem is either by improving the risk culture or bringing automation. Organizations are catching up with enhancing the risk culture, but the process is slow, and the first line of defence is not fully prepared to take the role of risk managers. Therefore, there is a need to have an automated system that correlates and bring forward the risks for CROs to take immediate action. The velocity of the risk is very crucial because it can beat the human thinking process to act leading to delays and massive losses. A threshold for the risk action taking must be defined that should popup risk like a sprinkler system to detect smoke for fire risk.

Many risks function faces the challenges of scattered data or data not available for the purpose of risk assessment. Such lack of data or not one view of risk data can lead to either missing some of the key risks or not drawing meaningful conclusions about risks in conjunction with other risks. For example, during the COVID 19 non-life claims, many insurance companies were dependent on the exclusion clause in the policy bond about the loss in the business event due to pandemic is not being covered. However, different governments and regulators ordered to pay such claims leading to many court cases. When such claims are paid which were not priced is a straight loss. So, the exclusion clause that was sitting in the policy bond was the hidden risk no one thought about.

Correlation of risks is another area that requires CRO’s attention. A big shock in a system sends ripples in different economic areas which have a direct impact on the financial institution. For example, in 2011, Japan’s Tsunami led to a 20% fall in prices in Tokyo’s Stock Market in the first two days of operation and a 30bps fall in Japan’s Sovereign Credit default swap. Also, the international equity market was equally impacted leading to falling in their prices and bond yields. Such shocks impact interest rate, inflation and liquidity concerning financial institutions’ cash flows and capital requirement. CRO need to re-assess the Company’s risk profile due to such events and raise the risks to the management and the Board for corrective action. Such re-assessment of risks is possible when CRO have an automated system that can re-calculate the risks in wake of such events.

The availability of an integrated risk information system in one place is very important for CRO to assess the risks, draw correlations and take real-time risk-based decisions. To assess whether a risk team have consolidated risk information in one place or not; the following questions were asked in a social media survey (LinkedIn)

Does your company have an integrated risk management system in one place?

Total 55 votes were polled with the following results

There is a clear inference that only 36% of voters polled had integrated risk management dashboard and the rest 74% have either scattered or semi-integrated risk dashboard. This indicates the need for an integrated risk dashboard for CRO’s easy to access all risk information for a comprehensive risk assessment.

CRO’s needs

To address existing, emerging hidden or correlated risks, one of the most important tools for CRO is to have an integrated risk information system that can provide all risk information at his or her fingertips. Here the CRO can slice and dice the risks for further analysis to understand the existing materiality and correlation of the risks

Such a risk information system helps in identifying some of the key sources of risks which is a breeding ground of various risks. For example, adverse economic activity is a source of interest rate risk so a good information system on regular monitoring of the economic activity can help in advance spotting the interest rate risk. This can help the company in performing proper assets and liability management or changing the product portfolio towards less interest-sensitive products.

It is important for CRO to have a robust risk information system not only from his or her internal sources but also from external sources as well such as market development, competitive landscape, economic and demographic trend, political developments, international conflicts etc. These external sources of risks can hasten up some of the risks leading to less time for CRO to act. Therefore, the risk information system should have a wider spectrum covering many different areas to spot risk early. Such a wider risk information system can give early warning signals which may otherwise be missed. Early warning risk spotting helps in averting the financial and reputational damage.

Along with the integrated risk information system, the CRO also need to have a predictive risk capability to assess the risks for the future using data science and machine learning algorithms. Advanced algorithms have the capability to spot the trend and using the current inputs, such machine learning tools have been able to give the prediction by around 70% to 80% accuracy. The volume of data is the key in spotting hidden trends using regression and other models.

The CRO also need to use advanced technologies together with big data sitting in their information system to extract meaningful information about customers’ need. The need-based selling helps in developing long term relationships with the customers.

The automated data feed system in a dashboard can help CRO in taking real-time risk decisions which become crucial when risks are fast changing. This particularly happens when risks are about to crystalize, and events are fast changing. In such a situation, different risks start interacting and assessment of single risks are less meaningful. Technology in such a situation can prove to be very handy.

Therefore, an integrated risk dashboard can prove to be a very helpful tool for CRO to have a comprehensive risk information system for all decision making.

Risk Information Solutions

The integrated risk information system should bring together all the risks in the form of the dashboard for CRO’s easy at one place access. This should have trend analysis, analysis of all existing risks, emerging risk along with the predictive capability etc.

The features of the risk dashboard could have data on the cloud depending on the organization’s requirement, ease of navigation for comparing results, capturing historic trends for insight information, harmonized look and feel, taking notes and raising questions within the system for better decision making etc. The dashboard should also have a background data feed template to see revised trends.

The risk information system should have templatized data input system from the risk repository either from the company’s risk register or to create a risk dump for inputting all risks. This risk repository must have inputs of all risks including companywide risks, economic, demographic, climate, international market, competitive trends etc. to get an output trend to assess the emerging risk profile of the company.

The advantage of a structured data template is to use the previously captured data to compare the results from the current results and maintain the database. Some of the important sources of information for risk analysis are product risks, business plans, third party risks, strategic risks, operational risks, IT, cyber risks etc. Such risks information can be easily pulled together into an integrated system to slice and dice the data to unearth some of the hidden risks and correlated risks.

For example, people risk as an independent risk may not sound daunting, but when looked at in conjunction with meeting the sales targets may throw challenges in meeting the annual profits. Such risks can be unearthed when complete risk information is available.

The risks in the integrated system could have the following risks at a high level and then can be broken down further.

Enterprise risk
Strategic risk
Financial risk
Operational risk
External risks

Enterprise Risk Management

The CRO should have a good idea about the entire architecture of the risk management across organizations in terms of implementation of risk management policies, changing dynamics of risk culture, whether the three lines of defence model is working properly or not etc. Any gaps in the enterprise risk management will throw challenges in the implementation of each of the risks. It has been found many CROs struggle with improving the risk culture and embedding of three lines of defence model.

Strategic Risk

Organizations can identify financial, operational, and other risks, however, when it comes to strategic risk, they somehow ignore this risk because of the long-term nature of its impact. Failure to identify strategic risks is one of the key causes of the downfall of many big brands such as Kodak and Nokia.

An integrated risk dashboard can give CROs an early indicator against strategic targets and major developments, which will support them in taking remedial actions

Financial Risk

Financial risks include uncertainties and untapped opportunities in the effective and efficient utilization of financial resources. In addition, risks in the areas of interest rate, concentration risk, liquidity and funding, capital management, credit default etc. are addressed as part of financial risks

CROs will have trend analysis and futuristic view with a better understanding of financial risks, which will help them in better product strategy and asset allocation

Operational risk

Operational risks are losses arising due to failed people, processes, systems, or events. The operational risks are managed through the maintenance of the risk register which is used for the purpose of Risk Control Self-Assessment. This risk assessment should be plugged into the integrated risk dashboard to flow all key risks and draw attention about the correlation of risks. Some of the risks such as reputational risks are hard to measure, however, it is mostly because of bursting other risks.

The CRO must pay attention to the risks that do not impact the external stakeholders such as customers, regulators, government agencies and keep reputational risk under check.

External risk

External risks include uncertainties and untapped opportunities arising due to changes in the regulation, global economy, disruptive business models, climate change etc. CROs will have a better global view of risk which can be leveraged for risk assessment.

Conclusion

The article discusses the challenges of CRO that an organization faces in the management of risk due to manual processes, scattered data, or data not available for the purpose of risk assessment. Such lack of data or not one view of risk data can lead to either missing some of the key risks or not drawing meaningful conclusions about risks in conjunction with other risks

The article advocates the need to have an automated system that correlates and bring forward the risks for CROs to take immediate action. The velocity of the risk is very crucial because it can beat the human thinking process to act leading to delays and massive losses.

Courtesy- https://analyticsindiamag.com/integrated-risk-information-system-for-chief-risk-officers/