Essay: Use of Kaplan & Mikes risk management framework on the Basel Risks in Irish Bank plc

In this report I intend to explain how Irish Bank plc can use the risk management framework outlined in Kaplan and Mikes article ‘Managing Risks: A New Framework’, 2012. I will first explain the framework, then give recommendations of how it can be used by the Risk Department of Irish Bank plc to manage the Basel risks. I will focus on credit and operational risks.
In the article Kaplan and Mikes (2012) describe:

a new categorization of risk that allows executives to tell which risks can be managed through a rules based model and which require alternative approaches.

They suggest we first need to understand the distinctions between the three types of risks organisations face; preventable risks, strategy risks and external risks.
Preventable Risks – internal risks that are controllable and avoidable. Kaplan and Mikes (2012) examples include risks from employees actions and risks from breakdowns in routine operational processes. Other examples include an advisor lending outside of bank policy or giving a client more favourable terms such as a better exchange rate.
Preventable risk is best managed through active prevention by monitoring operational processes and guiding behaviours through branch procedures. Kaplan and Mikes (2012) suggest these risks should be avoided as there is no strategic benefit.
Strategy Risks – A company voluntarily accepts some risks in order to make a return. Unlike preventable risks they are not inherently undesirable. Kaplan and Mikes (2012) state:
When strategic risks are fully understood they help leaders assess which opportunities will give them the most long term value, and which are no longer worth pursuing.
A strategy risk for Irish Bank plc would be lending to a business or providing a mortgage. Arnold (2014) describes giving credit is a risk as the customer might default however if repaid as agreed it will bring in revenue. Kaplan and Mikes (2012) discuss that strategy risk cannot be managed through a rules based approach. A risk management system is designed to reduce the probability that risks might occur and to manage or contain the risk should it occur.
External Risks – these arise from outside the company and are beyond its influence or control. Sources of external risk include obdurate natural or economic risks, geopolitical or environmental risks and competitive sources. Examples include the recent wintry weather which led to branch closures and delays in the clearing system. A geopolitical risk would be onset of Brexit.
An example of a competitive source would be FinTech industries and open banking. Bodi et al, (2017) in their article on Global Payments feel that though Fintechs are unlikely to disrupt bank payment divisions as they are still fragmented they expect that:
collaboration, rather than head to head competition will define banking FinTech relationships over the next several years. Banks that quickly digitalize their core operations and lock up promising partnerships will have a competitive advantage over those that are slower to act.
The article details how external risks must be managed by early identification and mitigation of their impact.
Companies should tailor risk management processes to these three categories. While compliance based approach is effective for preventable risks it is inadequate for strategy and external risks, which require an approach based on open and explicit risk discussion. However, this can be difficult, research shows individuals have strong cognitive biases that discourage them from thinking about the risk until it is too late.
People can overestimate their ability to influence events, we can be overconfident about the accuracy of our forecasts, anchor our estimates, compound the problem with confirmation bias which favours information supporting our own position. We can escalate commitment even when things are failing. Together these biases explain why companies overlook threats, firms compound risk through the normalization or deviance, they accept minor failures as false alarms rather than warning signals.
Effective risk management processes must counteract biases. Harle et al (2016) in their article The Future of Bank Risk Management suggest:

banks are also likely to deploy techniques to remove bias from decision making, including analytical measures that provide decision makers with more fact based inputs, debate techniques that help remove biases from conversations and decisions, and organizational measures that embed new ways of decision making.

To manage preventable risks guidelines should be provided clarifying the companies goals and values. A Mission statement articulates fundamental purpose of organisation and should be communicated to and understood by all employees. A Value statement should be articulated detailing the values that guide employees behaviour toward principle stakeholders. The value statement should help employees avoid violating the companies standards and putting its reputation and assets at risk. Boundaries are documented to guide all employees, a strong corporate culture clarifies what is not allowed which is an effective way to control actions.
Top managers must serve as role models. Strong internal control systems with segregation of duties and a whistle-blowing program must be put in place. A capable and independent audit department will check compliance with internal controls and standard operating processes.
Kaplan and Mikes (2012) suggest there are three approaches to managing strategy risks which encourage employees to challenge existing assumptions and debate risk information.
Independent Experts – some organisations have risk review boards of independent experts that will meet with project employees periodically. The experts will act as a devils advocate, challenging design, risk assessment and risk mitigation decisions. The meetings are not meant to inhibit ambition but to counterbalance engineers natural overconfidence helping to avoid escalation of commitments to projects that are too risky. They have influence over budgeting time and money spent and can cancel a project if sufficient funds are unavailable.
Facilitators – are used in organisations that operate in a stable technological market environment, with relatively stable customer demand. A central risk management collects information from the organisation by taking a survey of employees who then rank risk on how much they would impact the business, how likely they are to happen and strength of existing controls. The business can then target each major risk, recommend action plans and designate an owner improving risk planning.
Embedded experts – are useful in financial service industries due to volatile risk profiles. The experts work alongside decision makers to influence the business risk profile. The expert is required to challenge assumptions and decisions before they are made. A danger is that the embedded expert could “go native”, they are required to stay impartial and focused on questioning the risks. Preventing this danger is the Credit Risk Officer and ultimately the CEO.
For external risks companies can use different analytical approaches:
Tail Risk Stress Tests – to stress test a company would choose one or two specific variables that directly affect their business, such as how a large swing in interest rates would impact. The benefits from stress testing depend upon unbiased and accurate assumptions.
Scenario Planning – works for long range analysis five to ten years ahead. The team would decide which political, economic, social or other drivers might affect the business most in the future, typically four. They will estimate maximum and minimum values over five to ten years for each driver leading to sixteen scenarios, half are considered plausible and are used to assess the firms strategy. If managers see that their strategy is contingent on an optimistic view it can be modified to accommodate pessimistic scenarios or develop plan on how to amend the strategy should early indicators show events turning against it.
War gaming – assesses firms vulnerabilities to disruptive technologies and changes in competitors strategies. The company will assign teams to think of plausible near term strategies or actions that competitors might adapt during next one to two years. The process helps overcome bias of leaders to ignore evidence that counteracts their own beliefs. Managers can take specific actions to mitigate the impact of external risk events such as taking out insurance or investing early to prevent higher costs later i.e. building a contingency site for the clearing department.
I will now discuss how Kaplan and Mikes framework can be used to manage the Basel risks, Credit Risk and Operational Risk in Irish Bank plc.
Credit Risk is defined by the Basel Committee (2000) as the:

potential that a bank borrower or counterparty will fail to meet its obligations.

Credit risk is a preventable risk and by having guidelines and procedures employees can be clear on what is considered acceptable by Irish Bank plc. It is important for us to promote a clear mission statement, our core values and set boundaries. Our mission should define who we are as a company and what our purpose is, for example, on the Danske Bank website(2018) their mission is to be the “most trusted financial partner”. Our value statement should guide employees behaviour to help employees avoid damaging the banks reputation. Boundaries are defined in our internal branch procedures and should specify on who we can lend to and for what purpose.
Our advisors require thorough credit training by experienced advisors and clear procedures and processes to follow. The Credit Department and CRO must continually check compliance and the Credit Department be readily available to our staff if any clarification is required on procedures or to discuss complex or unusual cases. The importance of compliance is shown in the video The Turnaround Game, (2017). The HBOS manager found guilty of fraud on customers, Lynden Scourfield would lend to businesses and then bribe them to use a turn around firm who would then strip the business of its assets. The report stated:
a series of control weaknesses are evident in bank systems and procedures which allowed limits to be processed in the Reading office without the necessary credit approval.
Credit risk can also be managed as a strategy risk. I would recommend the continued use of embedded experts which in our case would be the Credit Department. Embedded experts are required to continuously monitor and influence the banks business profile, working with line managers to generate new ideas, innovation and risks. Our CEO will work with the Credit Department to decide our attitude to lending, for example, what appetite do we have to lend to small business? After the credit crisis many banks were left with non performing loans to small businesses. The Macro Financial Review (2017) reports that one fifth of non performing loans in 2017Q3 were to SMEs.
It is important for Irish Bank plc and our Credit Department to set in place in what circumstances we can lend to SMEs, are there certain sectors that should be avoided? ie. construction. The Credit Department should work together with our business teams and risk departments so information and expertise are shared.
It is vital that the Credit Department themselves are reviewed to ensure that they have not become too close to customer advisors who are submitting the credit applications. Over time relationships are built between departments and it could lead to the team becoming impartial.
Operational Risk is defined by the Basel Committee (2011) as:

the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

Examples of internal operational risk at Irish Bank would be maintaining ATMS with BOE notes over the Easter holidays or not following account opening procedures for new customers. In both cases we need procedures in place for employees. They should state the maximum amount of sterling allowed in an ATM and branch staff should have training on ordering cash to ensure they are kept in service over the holiday period. When ATMs are out of service it will cause inconvenience to our customers and reputational damage to the bank.
If a new customer who is not from Ireland wants to open an account, additional authentication is required to prevent fraud. We need to ensure that customers are tax compliant and complete a FATCA form if they are US citizens. Our anti money laundering procedures and team are in place to give guidance. Training should be required for new advisors so the risk of opening accounts for fraudulent customers is avoided.
To manage external risk we can use scenario planning, I suggest to use it to investigate the impact of Brexit on Irish Bank plc. A team from different departments can discuss the political, economic and regulatory forces and select four drivers that would have the biggest impact on the company. Could include uncertainty on exchange rates, changes in regulations, effects on dependency on the UK market, provision of credit to UK borrowers. For each driver the team could estimate maximum and minimum values over the five to ten years leading to sixteen scenarios. Of the plausible scenarios the team can then assess what our future strategy will be.
In their article Strategic Risk Management in Banking, Mok and Saha, 2016 discuss how:

Scenario planning can provide a useful means to organise thinking around these (and other critical) uncertainties providing a way to explore plausible futures, identify risks and opportunities and determine strategic choices.

I would recommend war gaming to look at the effect of FinTech industries on Irish Bank plc.
Investopedia (2018) defines FinTech as:

any technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investment and even crypto currencies like bitcoin.

Three teams would be assigned to devise strategies or actions that FinTechs could adopt in the next one to two years. The teams would then come together to examine how the competitors could attack our strategy and also look at how we can learn from the new industry. Could it be advantageous to collaborate with the company? Bodi et al (2017) suggest in their article Global Payments how:

Banks need to prepare for the future now to avoid being left out when digital wallets reach widespread adoption. Partnering should be the first step since most banks lack an established customer and merchant base.

Conclusion

I have found that Kaplan and Mikes (2012) provides a useful framework for the categorisation of risk and provides techniques for managing risk. Throughout my report I have demonstrated how the framework can be utilised within Irish Bank plc and I would like to make three recommendations that could prove beneficial.
Firstly, I would like to recommend that we continue to focus on the importance of our internal branch procedures. The procedures must be kept up to date and promoted to our employees as they are one of the most important tools we have to prevent and manage risk. Secondly, I would recommend the use of scenario planning for the impact of Brexit. I feel it is vital that we have a strategy in place for any risks that could occur due to this external risk. Finally, I would recommend war gaming the future impact of FinTech industries. The resulting discussions could provide not only strategies to mitigate risk from competitors but also how we could benefit from a possible partnership.
Overall, I hope I have provided insight on how we can use Kaplan and Mikes framework to manage the Basel risks in Irish Bank plc and look forward to further discussions with you on this topic.

BIBLIOGRAPHY

• Arnold, G. (2014) Financial Times Guide: Banking. Harlow: Pearson
• Badi, M. Dab, S. Paoli, P. Peeters, M. Roongta, P. Sampieri, O. Senant, Y. (2017) Global Payments Deepening the Customer Relationship [Internet], (page) Available from https://www.bcg.com/publications/2017/transaction-banking-financial-institutions-global-payments-2017-deepening-customer-relationship.aspx
• Basel Committee (2000) Principles for the Management on Banking Supervision Credit Risk. Available at https://www.bis.org/publ/bcbs75.pdf
• Basel Committee (2011) Principles for the Sound Management of Operational Risk. Available at: https://www.bis.org/publ/bcbs195.pdf
• Danske Bank Limited (2018). Danske Bank Limited: Available at: https://danskebank.com/about-us/our-essence [accessed 9 April 2018]
• Harle, P. Havas, A. Samandari, H. (2016) ‘The future of bank risk management’ [Internet]. Available from https://www.mckinsey.com/business-functions/risk/our-insights/the-future-of-bank-risk-management
• Kaplan, R. And Mikes, A. (2012) ‘Managing Risks: A New Framework’. Harvard Business Review (pg )
• Investopedia. 2018 Fintech. [Online] Available at: https://www.investopdia.com/terms/f/fintech.asp. [accessed 9 April 2018]
• Ireland, Central Bank of Ireland Macro-Financial Review (2017.II) Dublin. Available at: https://www.centralbank.ie/docs/default-source/publications/macro-financial-review/macro-financial-review-2017-ii.pdf?sfvrsn=7
• Mok, A. And Sacha, R. (2016) ‘Strategic Risk Management in Banking’ Inside Magazine, 2017 (14) [Internet]. Available from: https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/financial-services/Banking/lu_inside_issue14_strategic_risk_management.pdf
• The Turnaround Game (2017) File on Four [webisode] UK:BBC Radio 4.

9.4.2018

...(download the rest of the essay above)