Report to the Chief Risk Officer of Ulster Bank Ireland DAC on how the risk management framework outlined in Kaplan & Mikes can be used to manage the Basel risk in Ulster Bank Ireland DAC.
Introduction
In 2007, global telecommunications giant Nokia was earning more than fifty per cent of all the profits in the mobile-phone industry, and most of those profits were not coming from smartphones. To invest significant resources into the high-end, low-volume smartphone business was seen as too risky. Nokia believed their brand was bigger and that they could join the smartphone phenomenon at their own pace. At the same time, Apple and Android were developing at such a pace that they crushed Nokia (The New Yorker, 2013).
In June 2012 Robert Kaplan and Anette Mikes published a paper in the Harvard Business Review entitled ‘Managing Risks: A New Framework’. In this paper they discuss how all too often risk management is treated as a compliance issue that can be managed and mitigated with rules, policies and procedures. Whilst such an approach can influence employee behaviour and mitigate some risk, this approach on its own is unlikely to reduce the impact of all risks or the likelihood of a risk event occurring.
Kaplan & Mikes’ risk management framework introduces three distinct categorisations of risk (Preventable, Strategic and External) to determine how best these risks can be managed. Some risks can be managed with the traditional rules-based method and some require an alternative approach. Whatever the approach, Kaplan & Mikes advocate discourse and debate to understand the risks and counteract natural cognitive biases that may exist, such as overconfidence, anchoring or silo thinking.
Nokia’s failure resulted from a reluctance to change and embrace the examples of risk that Kaplan & Mikes wrote about which would not have been considered under the traditional compliance/rule based approach. In this report we will look at how Kaplan & Mikes can be used to manage risk in a Banking context referencing the Nokia example along the way.
We will now discuss the three categories in more detail:
The Kaplan & Mikes risk framework
Preventable Risks
Preventable Risks are best described as in-house risks that are found in the internal workings of organisations. They are controllable and should be eliminated or, at a minimum, avoided in a cost-effective manner. Examples of preventable risks include illegal, unauthorised, unethical and inappropriate actions taken by employees and the failure of normal operational processes.
The Enron scandal is a famous example of preventable risk. The Texas-based energy company ‘reached the dramatic heights of success only to face a dizzy collapse’. The Enron case, described as ‘The Fall of a Wall Street Darling’, came after company executives used accounting mechanisms and special purpose entities to mask business failures. Investors lost billions, thousands of employees lost their jobs and pensions, accounting firm and Enron’s auditor Arthur Andersen ceased to trade and ultimately Enron collapsed. (The Economist, 2002).
Kaplan & Mikes suggest that there may be acceptable levels of tolerance for such actions that would not cause severe damage to an organisation. However the best approach to dealing with preventable risks is through active prevention, where organisations provide guidelines clarifying the organisation’s goals, values and boundaries of acceptable behaviour. Such guidelines are contained within the organisation’s mission statement and code of conduct, defining its corporate culture of what is permissible and what is not.
An example of such tolerance in Banking is the monetary level set for monitoring large monetary transactions to combat money laundering (a preventable risk). Transactions below a certain monetary value are not investigated as to do so would be costly in both time and resources when weighed against the potential loss or impact associated with a transaction of a low monetary value being processed.
Senior management must lead by example, acting as role models in this area, supported by a strong independent internal audit team. The internal audit function should focus not only on reducing misbehaviour but also on reducing the temptation, and should continually check compliance to deter employees from breaching policies and procedures.
Strategic Risks
Strategic Risks are described as risks that a firm willingly takes on to drive superior strategic advantage or returns. Strategic risks therefore differ from preventable risks in that they are not inherently undesirable. Kaplan & Mikes outline how Strategic Risks cannot be managed through a rules-based approach and need a system to reduce the chance that such risks will occur and improve the organisation’s ability to manage the risk if it occurs.
Kaplan & Mikes outline three distinct approaches to managing strategic risks depending on the context in which an organisation’s risk function operates:
1. Independent experts – The key here is that these individuals have the specific industry knowledge and experience to challenge any assumptions or strategies adopted by the company.
2. Facilitators – The rationale for facilitators is to avoid risks from individuals or groups working in silos. Facilitators gather information from across the organisation and bring it together, making all areas aware of the risks being taken on, thus allowing for informed decisions to be made regarding the organisation’s risk profile.
3. Embedded experts – These are risk managers operating in the business on the front line who can question strategies directly as they happen, playing the role of devil’s advocate and asking the what-if questions. A challenge is that the embedded expert must maintain their impartiality and independence from the business and not find themselves becoming the dealmaker rather than the challenger.
A company may follow one or a combination of all three approaches on a best-fit basis. In establishing successful strategy risk management across all three approaches, it is crucial to create a culture of challenge both to existing assumptions and to established human biases.
In banking, credit risk is an example of strategy risk undertaken by our organisation in an attempt to position itself ahead of our competitors. It is about the balance of risk and reward: how much risk are we willing to accept in return for the interest / non-interest income accruing to the Bank, otherwise referred to as Risk Adjusted Return on Equity (RAROE)? The risk profile of a borrower and their proposal will determine the return.
What if Nokia had implemented one or a combination of the above approaches? Would their strategy have been different? Would they now be a challenger in the smartphone market?
External Risks
Kaplan & Mikes describe external risks as risks that originate from outside of an organisation and are outside of its control. Given that an organisation cannot prevent the occurrence of an external risk event, the risk management approach should be to identify the potential risk, estimate its impact and highlight how best to mitigate any negative effects.
KPMG categorise external risks as economic (boom or bust), political and legal (government or legislative changes), social-cultural, technology and competition. These risks can have immediate, medium or long-term impacts on an organisation. (KPMG, 2013).
Organisations must tailor their risk management processes to each category. While a traditional compliance-based approach is suitable for managing preventable risks, such an approach is not suitable for external risk, which requires an analytical approach based on open discourse and debate. Human nature, however, is such that cognitive bias gets in the way and discourages thinking about the what-if scenario and discussing the associated risk until it is too late.
Management tools used to plan for such external risks include scenario planning, war-gaming and stress testing. Such testing allows for various scenarios to be played out and contingency planning to take place.
In our industry example, Nokia were impacted as a result of sudden emerging competitive threats resulting from disruptive technologies that crushed the business.
In the banking context, the greatest known unknown is Brexit, an example of an external risk being faced by the Irish banks. The ESRI, in their November 2016 working paper, comment that ‘there is almost a complete consensus that BREXIT will have a negative effect on the UK economy both in the short-term (via uncertainty) and over the medium-to-long term (via trade, FDI etc.). The UK is one of Ireland’s closest economic partners and, as such, Ireland will be very exposed to the effects of the UK leaving the EU’. The long-term impact is unknown; however, the decision and ongoing debate on both sides of the Irish Sea have generated significant uncertainty for all trade partners with the UK (ESRI, 2016).
So how can we apply the Kaplan & Mikes risk framework to manage Basel risk in Ulster Bank Ireland DAC?
The Bank for International Settlements defines Basel (now referred to as Basel III) as ‘a comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the Banking sector’. The key risks identified from a Banking perspective are Credit, Market, Operational and Liquidity Risk.
I will now discuss each of the Basel risks under the Kaplan & Mikes categorisations.
Credit Risk – the potential that a borrower will fail to meet their obligations in accordance with agreed terms and conditions.
• Preventable Credit Risk – the Bank should formulate specific policies and procedures with regular auditing and compliance checks to ensure adherence. In Ulster Bank a key risk pillar is ‘Tone from the top’. This ensures everyone understands our risk processes and feels confident to challenge how we do things. Such action will prevent the likes of another John Rusnak in AIB or Nick Leeson in Barings Bank happening again.
• Strategic Credit Risk – Open discourse and debate around Bank risk appetite to highlight and challenge any perceived risks which need exploring. Regular credit reviews with independent experts, e.g. Ernst & Young, KPMG & Deloitte, engaging our operational risk team to act as facilitators and embedding risk support managers to support the front line.
• External credit risk – Awareness of external events and conditions developing outside of the Bank and how such events or conditions could affect the performance of borrowers and consequently the Bank itself.
Market Risk – the risk of losses in on- or off-balance-sheet positions that arise from movement in market prices.
• Preventable Market Risk – A successful risk function in a Bank will ensure it reviews and monitors market risk positions, regularly updates policies and procedures and communicates such updates to all staff. The Bank needs to monitor the setting of market caps for the different sectors in which it operates. The Bank will regularly review its loan book to ensure it remains comfortable with the level of exposure it has to a particular sector, so that a concentration risk does not arise.
• Strategic Market Risk – Market risk is about deciding where Ulster Bank wants to do business, what type of business we want to do and how much of it we are prepared to do, balancing risk and reward at all times. Ross McEwan, RBS CEO, led the change in RBS Market Risk strategy when he took over as CEO, exiting investment banking and reducing our international exposure. ‘Let me spell it out very clearly: the days when RBS sought to be the biggest bank in the world — are well and truly over. Our ambition is to be a bank for UK & Irish customers’ (Ross McEwan, 2014).
• External Market Risk – Monitoring of market conditions and external events to ensure that the impact of political, economic or social change on the Bank’s exposure to financial markets is kept to a minimum. The impact of Brexit on both the Bank and our customers is a case in point. As advocated by Kaplan & Mikes, scenario planning is under way with internal teams working on actual and emerging risks. Policy has been updated requiring Brexit impact commentary on all credit submissions, ensuring due consideration is given to the potential impact.
Operational Risk – the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
• Preventable Operational Risk – Implement automation programmes where possible and, where not possible, instil a right-first-time culture to embed clearly communicated standard operating procedures. This will help with avoiding further fines like the €3.3m fine received by Ulster Bank in 2017 owing to unacceptable weaknesses in our anti-money-laundering processes. The Ulster Bank motivation risk culture pillar ensures our people are developed and supported, recognising and rewarding them for proactively managing risk (Ulster Bank, 2018).
• Strategic Operational Risk – The decision to provide 100% mortgages and relax central bank mortgage lending rules was driven by winning market share at the expense of prudent credit risk management. Patrick Honohan put the blame firmly with Bank leaders when he said ‘the major responsibility lies with the directors and senior management of the banks that got in trouble’ (Honohan, 2010). The use of independent experts, facilitators and embedded experts as recommended by Kaplan & Mikes should assist with controlling this risk. Our risk culture pillars of accountability, communication and challenge encourage discourse and debate and reduce the chance of an Irish Nationwide or Anglo reoccurring.
• External Operational Risk – Such risks are outside the control of Ulster Bank; however, we need to identify the risks and mitigate the potential impact. Inadequate contingency planning when RBS/Ulster Bank suffered a major IT failure in 2012 ended up costing the Bank millions in compensation. In contrast, when the Bank’s processing function suffered severe flooding in 2016, a suitable business continuity plan was in place and operations were transferred to Delhi, ensuring minimal operational disruption until Chennai re-opened.
Liquidity Risk – the possibility that over a specific period of time the Bank will be unable to meet its immediate obligations.
• Preventable Liquidity Risk – Ongoing monitoring of all call and short-term deposit levels across the Bank, to include retail, SME Banking and Corporate deposits, to ensure effective and prudent liquidity management meeting Central Bank liquidity requirements. Northern Rock failed to hold satisfactory liquidity levels and needed to borrow on international markets. When the economic crisis hit America they could borrow no more, which resulted in a run on Northern Rock, ultimately resulting in its collapse.
• Strategic Liquidity Risk – Implement initiatives to encourage movement of current account credit balances or short-term institutional funds to longer-term deposits. Taking such action will improve the capital required to be held by Ulster Bank to support such short-term liquid funds and reduce overall costs for the Bank.
• External Liquidity Risk – As with all the external categorisations for Basel risks, ongoing monitoring of market conditions and scenario planning is key to ensuring Ulster Bank is prepared in the event of a shock. We need to ensure enough High Quality Liquid Assets (HQLA) are held to survive a significant stress event, as measured by the liquidity coverage ratio as per the Bank for International Settlements.
CONCLUSION & RECOMMENDATION
Ulster Bank, like all institutions, faces an array of risks every day we open our doors. Since the collapse of Lehman Brothers in 2008 the world has changed and risk has become front and centre for everyone. The blending of the Basel risks with the categorisations of Kaplan & Mikes creates a more focused approach to looking at risk. In reviewing the blend of the Basel risks with the categorisations of Kaplan & Mikes, I make the following recommendations for review by you and your risk team:
1. Enhance our existing risk culture model to support operational risk management across the categorisations. We need to build, develop and maintain a robust risk culture to ensure the successful management of risk into the future. This is everyone’s responsibility, from the CEO to the cashier in the local branch, and is key to achieving strength and sustainability across our Bank (McKinsey, 2015).
2. Enhanced collaboration between risk and the frontline business functions will support the development of strategic credit risk. Like Kaplan & Mikes, I believe there is a need for a credit underwriter/embedded expert to be based within the business. They will continue to face the challenges of independence and impartiality. On the other side, they will engage first hand with the front line and their customers, get to see real-life, hands-on cases and experience the issues, both credit and non-credit related. Sooner or later a bank’s credit function will become a closer collaborator within the business than what we see currently.
3. I believe we need to test traditional risk models against the Kaplan & Mikes analytic approaches, i.e. tail risk stress tests, scenario planning and war gaming. This will determine whether or not the recommended analytical approaches of Kaplan & Mikes will be fit for purpose in Ulster Bank. This will improve our contingency planning and allow us to have the right plans in place to deal with an incident should it occur. Nobody wants to see another IT incident like that of 2012; however, carrying out such analysis will enhance our readiness in the unlikely event of such a reoccurrence.