To understand where to focus attention and priorities for risk management and for board oversight of risk management, one must start by understanding the external environment: the regulatory landscape, financial markets and indeed the broader society and economy. Then one can home in on how the firm and the risk management function should address these issues, and where board members should focus their oversight. To provide perspective on risk management priorities, this article draws on over thirty years serving large financial institutions as a risk management advisor. It identifies key trends in the external environment that have affected risk management over time and in the current environment, sets out the lessons learned during these periods, and looks forward to where focus should be going from the current environment.
Over the past several decades, risk management has gone through distinct periods in response to dramatically changing business conditions and regulatory requirements. This summary shows the lessons learned during these periods to help prepare board members for risk oversight during different environments.
In the years preceding the global financial crisis, financial institutions benefited from generally strong global economic growth and enjoyed significantly higher returns than are available today. There was a broad, although generally unspoken, consensus at the time among the financial services industry and even its regulators that risk management appeared well equipped to identify and mitigate risks affecting individual institutions and, by extension, the financial system as a whole. Given this consensus, the extent of risk-focused regulatory requirements was more modest than it would become after the financial crisis. The key risk management lesson learned during this period was the need for a more consistent international regulatory capital regime in Basel II.
Financial crisis period
The global financial crisis led to the need for governments and central banks to provide huge amounts of economic stimulus and additional capital to stabilize the economy and the financial system. Risk management during this period was largely engaged in the tactical responses needed to maintain orderly operations during the financial crisis, with a focus on capital and liquidity. These tactical responses included responding to urgent requests by management, boards of directors, and regulators, and often quickly assessing risk exposures to areas of concern such as specific markets or counterparties. The key risk management lessons learned during this period were the need for more significant capital and liquidity buffers, the need for more timely and granular risk management information for boards, management and others, and the importance of systemic risk.
The financial crisis led to a period of “re-regulation,” with governments and regulatory authorities issuing a wide variety of new or stricter requirements. Among the many regulatory developments were the sweeping implications of the Dodd-Frank Act in the United States; stringent capital stress testing requirements through CCAR; revised and ratcheted-up capital and liquidity requirements by the Basel Committee, including revised approaches for credit, market and operational risk capital under Basel III; and greater focus on risk data quality and data management driven by the Basel Committee on Banking Supervision's BCBS 239 Principles. To comply with these and other new regulatory requirements, institutions dramatically expanded their risk management functions and budgets. Key risk management lessons learned during this period were the need to increase institutions’ capital and liquidity buffers to meet these new regulations as well as the need to significantly increase risk management capabilities to meet the stringent new regulatory requirements and expectations.
The re-regulatory period continued for close to a decade. However, the pendulum always eventually swings back in the other direction. The political and regulatory climate saw a need to re-calibrate the regulatory agenda, especially to benefit small and mid-size institutions, which led to the 2018 enactment in the United States of bipartisan legislation to raise the thresholds for various Dodd-Frank Act provisions. In addition, the Federal Reserve relaxed certain requirements for stress testing by eliminating the need for large non-complex banks to comply with the qualitative requirements, and also “tailored” its enhanced prudential standards requirements for domestic and foreign banking organizations. Despite this loosening in some areas, significant regulatory focus continued, notably for non-financial risks such as conduct, anti-money laundering, cyber and third-party risk management. Outside the United States, while there was less emphasis on re-calibration, there was an acknowledgment that the re-regulatory period was largely over towards the close of 2017, as the Basel Committee noted that the post-financial crisis reforms had effectively come to their end (except for some remaining implementation transition periods). Key risk management lessons learned during this period include the need to tailor risk management and related regulations to the size and complexity of institutions and the growing importance of non-financial risks in an organization’s risk management
COVID-19 driven pandemic and recession
The global pandemic brought about by COVID-19 in late 2019 and throughout 2020 was and is first a public health and safety crisis, but the drastic shutdowns required to gain control of the virus spread meant that the pandemic quickly precipitated a massive economic recession as well. The shutdowns' resulting economic effects were highly focused on industries requiring face-to-face contact, such as the travel, leisure and personal services sectors. Although all industries and businesses were disrupted, some, such as many areas of financial services that were able to work from home effectively, were much less so. However, their customers, suppliers, employees and many others have been affected.
This global pandemic has driven public policy, regulatory, corporate and risk management agendas. Fundamentally, financial services companies have needed to broaden their view of community and their mission, and have taken unprecedented steps to support the community through actions such as participation in government-backed lending programs as well as through their own practices, such as suspension or renegotiation of payments, foreclosures and late fee penalty requirements. In addition to supporting the community, there is a need to support employees, given the unprecedented need for remote work and the new challenges that have arisen, such as the need for greater employee work flexibility and for maintaining employee safety, well-being and engagement. From a risk management perspective, the scope of risk management has substantially broadened to encompass business resilience. The rapid transition to work from home through digitalization has also raised the importance of, and changed the nature of, existing risk issues such as cyber risk, employee conduct, and third-party risk management. While banks are much better capitalized since the financial crisis, the economic impacts of the pandemic have affected credit quality and called for more focus on credit reserves and capital.
The preeminence of the pandemic has reverberated through all areas of society and the economy and amplified existing challenges. Given the two-track or “K-shaped recovery” underway at this writing, there has been a disproportionate effect on some types of business, which has inordinately impacted women and minorities. The two-track pandemic recovery has occurred while there have been continuing events highlighting racial injustice, and companies have in response needed to make public their efforts to address racial and gender-based discrimination. In addition, the very nature of the pandemic and related recession, stemming from physical events, has highlighted how unanticipated non-financial risk events from the physical world can cascade through the global economy and financial markets, and has served as a preview of the potential impact of climate risk and other ESG issues.
It is in this difficult economic environment that firms and risk managers operate. While the major post-financial crisis reforms are completed and the regulatory environment has been relatively quiet, firms may look forward to changed regulatory expectations resulting from the pandemic. Areas of focus likely include strengthening all aspects of business resilience, cyber, credit quality, conduct and a coming greater focus on climate risk management. The broad trend of increased focus on non-financial risks will continue. Given the transition to a new administration and Congress following a divisive election, there may be attempts at much more fundamental changes to strengthen regulatory oversight for banks, which, due to the deeply polarized and divided political landscape, will raise the level of regulatory uncertainty. While the pandemic will eventually be brought under some type of control, the focus on employee well-being and broader firm social impact, including climate, will continue. Firms will be increasingly held responsible for their contributions to and impacts on the broader community.
As a result of these wider expectations, the scope of risk management has broadened more than ever before, and risk management programs and their teams will need to address these needs. As with responding to other transformational events, to be effective, their efforts will require a range of actions. Risk management governance structures will need to be revisited to deal with a wider range of risks, expectations and issues than before. Risk reporting and the related analytics, systems and data will need to encompass new types of risk and information. Risk management organizations and the types of talent they seek will need to address different skill sets as well. How firms respond to this challenge will determine how they are positioned to succeed in this environment and going forward. Boards must provide focused oversight and ask the right questions to make sure that their organization’s risk management teams are taking these actions to manage the challenges of this new environment.