Risk management: a new strategic issue

Digitalisation, climate change, the increasing complexity of globalisation and cross-border business… Risk factors for financial services have multiplied, many endangering the long-term survival of companies. The ability to detect and protect against them is now the task of independent risk management units that regulation has finally imposed.

Michael Derwael, Global Independent Risk Officer, Massachusetts Financial Services

In a report published at the end of May, the Stockholm International Peace Research Institute expressed concern about the lack of preparedness of world leaders in the face of “a new era of complex and often unpredictable risks to peace as profound environmental and security crises converge and intensify”.

Risk is potentially everywhere for the financial services sector. In addition to global threats there are other dangers that affect economic and financial activity in particular: increasingly volatile and frequent financial crises, an exponential rise in cyber-attacks, and rising geopolitical tensions to name but a few. Until the beginning of this century, risk was an integral part of business and the uncertainties of the economic environment seemed manageable. However, over the past twenty years, as financial activities have become interconnected and complex, managers have been given more specific control tasks.

In Luxembourg, the first entities entirely dedicated to risk management appeared in the banking sector around 2001 and in investment funds around 2007-2008. Before that, risk management activities were generally integrated into the operational entities,” observes Michael Derwael, Global Independent Risk Officer for the American fund manager Massachusetts Financial Services. The global financial crisis of 2008 clearly highlighted the limits of risk-taking and the regulations that have since been implemented globally have sought to better control activities that could jeopardise investors’ savings and the sustainability of key actors of the financial sector. In particular, they formalised and imposed the function of risk manager within the management structure.

In the insurance sector, risk management has also become increasingly important in recent years. “It is only since the entry into force of the Solvency 2 Directive in 2016 that the risk management function has been imposed in the insurance sector. Moreover, at the beginning, it was mainly seen as a necessity to meet a regulatory constraint. The task of a risk manager was often limited to developing a map of the risks inherent in the company and producing reports,” says Annick Felten, Chief Risk Officer for insurance group Foyer. Since then, she believes that professionals in this sector take an increasingly active role in the entities in which they operate.

quote

Our role is to support business and operational teams, to challenge them and to dare to say that we do not agree with a choice, and the regulator regularly reminds us of this role.

Caroline Motte Dubois, Operational Risk Manager at ING Luxembourg

Regulatory developments have made the role of the risk manager more permanent,” confirms Derwael. Successive crises since 2008 have helped to institutionalise risk management as a function that must be able to claim its independence and be provided with sufficient and qualified staff. Independence is crucial for the function. In Derwael’s case it is often marked by a direct relationship with the boards of the various funds and the management company. “Our role is to support business and operational teams, to challenge them and to dare to say that we do not agree with a choice, and the regulator regularly reminds us of this role,” insists Caroline Motte Dubois, Operational Risk Manager at ING Luxembourg.

Caroline Motte Dubois, Operational Risk Manager, ING Luxembourg

Initially, the function focused on operations purely related to the activity of the financial sector. In recent years, however, controlling credit, liquidity and market risks have become only part of the responsibility of risk managers. Every institution must now protect its data, address the implications of climate change on its business and, ultimately, protect its reputation. “The role of a risk manager is to accompany the transformations that his or her company must face by helping to anticipate and identify risks and find the best strategies to respond to them,” summarises Motte Dubois.

Each risk management entity develops its own way of looking at the limits of its role. But in the language of regulators, risk managers represent a ‘second line of defense’, the first being the operational entities and the third the internal auditors. They do not intervene in the actual development of new products, services or procedures, but rather monitor all the choices made, taking advantage of a certain hindsight and focusing solely on the danger they could represent for the company’s survival.

quote

I closely interact with our business experts, senior management and the board of directors. My role is to look at the risks that may arise from the choices they make.

Annick Felten, Chief Risk Officer for insurance group Foyer

I am involved in the strategic projects of our insurance group,” highlights Annick Felten. “I participate in the discussions to identify the risks related to new activities or products, from a compliance, reputational, financial or operational point of view. I closely interact with our business experts, senior management and the board of directors. My role is to look at the risks that may arise from the choices they make.

The risk manager obviously cannot foresee everything, but their aim is to ensure that the company is as well protected as it can be when a problem arises. The COVID-19 pandemic and its consequences could not be detected six months in advance. But a paralysis of the economy is something that should be modelled and addressed by a business continuity plan. And on the whole, the financial sector has done very well.

quote

“No one expected a war between Ukraine and Russia either, but most financial players were prepared for the consequences of the conflict on their business.

Michael Derwael, Global Independent Risk Officer for the American fund manager Massachusetts Financial Services

No one expected a war between Ukraine and Russia either, but most financial players were prepared for the consequences of the conflict on their business,” explains Derwael. In the face of often unique situations, we need to be able to learn from the past and support the company in preparing for potentially extreme but plausible situations. Taking the recent cases of the health crisis and the war in Ukraine and their consequences in the fund industry – liquidity and valuation issues – he sees similarities with the financial crisis in 2008, as well as the Russian debt default and the Asian financial crisis, both of which were significant events in the late 1990s.

Nor are all the potential dangers to the viability of the business unforeseeable. Since the success of every business is linked to a certain amount of risk, each company must define its own limits. In finance, the red lines are now drawn by the regulators. “Taking into account the regulatory framework, risk management must define the company’s degree of risk appetite and have it validated by the board of directors,” explains Motte Dubois. We also have to work on forecasting the cost of risk – its impact on capital – and finally embed a risk culture in all employees. This is an important awareness-raising exercise that helps to ensure a certain level of vigilance on the part of staff and to avoid inappropriate actions in order to prevent the entire business from being disrupted.

Annick Felten, Chief Risk Officer, Foyer

The interconnectedness of risk in the global environment, the increase in regulatory requirements and the growing complexity of the financial sector have forced companies to strengthen their teams, despite the increasing use of technological tools to analyse data flows. The profiles sought require both experience in the field in order to be able to anticipate and react and, often, specific skills (interpersonal skills, data analysis, being able to take a high-level view, economic and mathematical background), as is the case in particular in cybersecurity where the danger will only increase while professionals remain scarce. The shortage is therefore threatening the sector and management schools will quickly have to take an interest in a profession which, by its nature, has always remained out of the spotlight.