As part of the risk and control oversight function for the Wholesale Banking division of a local financial institution, Raj Kumar Ganaser ensures the effective execution of the firm’s risk management framework. His job sees him collaborating with a host of people at all levels, helping them manage their operational risks. Every day sees him identifying and assessing operational risks that may impact the business and bringing them to the attention of those responsible for mitigating them. His job doesn’t end there; he continues monitoring them to ensure that they remain adequately managed and remain within the firm’s risk appetite.
The firm’s risk management framework and governance structure are aligned, allowing it to appropriately consider the different risks across its diversified business activities, and there are policies in place that drive operations and procedures which are relevant to operational, market and credit risks. Control is tight to ensure that the risk management frameworks are effectively and continuously maintained, and the Board always has access to the information it needs for decision-making. Raj is helped by a team of about 100 people across the whole firm; some have an operational risk background while others more or less “grew” into their respective roles.
But for Raj, the lack of specific operational risk training, qualifications or experience is not a barrier to being a good operational risk manager. “These do help but I would rather have someone who genuinely wants to do the right thing,” he said. “They should be constantly looking out for improvements while being able to effectively balance the needs of the business against the needs of the stakeholders.” In this interview, he talks about the training needs, challenges and takeaways of ERM:
What kind of training do you think is necessary for an organisation wanting to apply ERM?
One of the foundational building blocks for effective ERM practices is a supportive organizational risk culture. With the right risk culture in place, it becomes much easier to educate staff and stakeholders, and make them more aware of ERM tools and processes. The benefits of ERM activities tend to be less transparent at the lower levels of the organization. The first LOD are the front liners who undertake risks in their day-to-day responsibilities. They need to be able to manage it in compliance with regulatory requirements etc. That being said, ERM is not usually developed evenly at all levels, which means that there are still many areas that need improvement.
How would you go about developing a risk culture?
The most important area to begin with is the very top since it is the Board that determines the acceptable and unacceptable behaviours within the organization, and an organisation’s risk culture is influenced by its leaders and managers at all levels. The Board needs to be clear about the importance of risk management and should demonstrate its commitment through its actions and behaviour. It should encourage open communication and establish appropriate governance structures which facilitate timely receipt and communication of information.
How do you deal with confidential or sensitive information?
Confidential or sensitive information is disclosed only to employees who need to be aware/in the know of such information to effectively perform their duties. They are frequently reminded of the expectation placed upon them to maintain confidentiality along with the consequences of non-compliance. In addition, the staff is also briefed and guided on the relevant controls which have already been established within the organisation.
What are the barriers to the development of a risk culture, in your opinion?
The biggest hurdle in the development of an effective risk culture is the organisation’s members who may be unwilling to accept change. People tend to be very resistant to change even when there is clear evidence that it will benefit the organisation. Most of the time, they become more receptive only after a large operational risk loss event – after witnessing the failure of their previous beliefs (or rather, disbeliefs) and assumptions. Organisations also frequently underestimate the effort required to sustain an effective risk culture. They announce large branded change programs to enhance their risk culture but as soon as the infrastructural “solutions” are in place (i.e. framework/policy/systems), they simply stop or assume that the work is done. Efforts to engage the staff and inculcate the desired behaviour tend to cease even before the goals are achieved. A more realistic approach would be to strengthen risk culture incrementally through marginal improvements. When it comes to risk, the risk activities are frequently considered as more of a cost of doing business.
What are the greatest challenges in your risk management work?
The regulators are stepping up their game as a result of rapidly emerging technologies, volatile economic environments as well as constantly changing political landscapes! They are keeping abreast of the significant shifts that are currently underway. They have intensified their oversight activities and are now more demanding than they have ever been before. Organisations are finding it increasingly difficult to satisfy those regulatory demands/changes and subsequently have been dedicating more and more of their efforts and resources to meet those expectations.
In your opinion, what are the most valuable takeaways of ERM?
ERM provides tremendous value through its holistic approach; it considers all risks confronting the organisation in its pursuit of returns. Risk tends to be viewed from a very silo-ed perspective and is often seen to be externally driven (i.e. it is done because the regulator requires it). But by adopting the ERM perspective, risk activities are more accurately viewed as enablers which add value to the business.