About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

The Fallacy of Managing Big Risks: Why Enterprise Risk Management (ERM) Often Fails to Deliver to Boards and What to Do About It

Subscribe to our newsletter

By Andrew Smart, Head of Enterprise Risk Management at KRM22.

Anyone who has served on the executive team or board of a regulated capital markets firm will have at least a passing familiarity with Enterprise Risk Management (ERM). Many have probably experienced it first hand, perhaps sitting through a presentation of the firm’s latest ‘Top 20’ risks. The usual suspects will likely have included market, credit, liquidity, counterparty, technology, cyber, third party / outsource, people, and conduct risk.

Enterprise Risk Management is a holistic, integrated, portfolio approach to risk management that focuses on consistently managing risks, regardless of type across the enterprise. The purpose of Enterprise Risk Management is to improve the firms’ ability to deliver its objectives and sustainably create shareholder value. One of the key outputs from the ERM process is an integrated view of the firm’s overall risk profile and how it is changing overtime. Risk exposures are typically consolidated through a risk taxonomy or hierarchy, thus enabling the reporting of ‘the big risks’. (Figure 1)

Figure 1 – Typical view of risk management 

An often-overlooked benefit of ERM is its use as a framework to understand the relationships and interactions between risk types as well as individual risks within these categories. Viewing risks through an ERM lens also highlights how individual risks rarely fit within a single risk type, as shown in figure 2.

The real value of ERM is the generation of insights that are not possible to uncover within the traditional risk type silos. These insights are the drivers behind better risk management and business decision-making.

Figure 2 – Understanding the relationships and interactions within risk types

Therefore, ERM delivers two core capabilities:

  1. The ability to consolidate risk exposures through risk types to provide a holistic, enterprise view of risk
  2. The ability to understand the relationships and interactions between risk types and individual risks to generate powerful insights that support better-informed business decision-making

Firms that leverage ERM platforms often focus on the first of these core capabilities, i.e. ‘the big risks’, leading them to miss out on the benefits that can be derived from the holistic view of relationships between different risks.

Typically, this means that for many executive teams and boards the implementation of an ERM approach results in a series of colour-coded dashboards which identify their ‘big risks’, but fail to provide an in-depth analysis to enable them to ask the right questions, challenge the right topics and drive the right conversations for better strategic and operational decisions.

Too often, those risk dashboards present the consolidated and aggregated risk exposure for the ‘Top 20’ risks types as defined at one point in time and have since been reported on each month or quarter, failing to take the rapid evolution of the risk landscape into account. Insights into the firm’s real risk profile, including the dynamic interaction between risks and the possible emergence of future risks or control weaknesses, therefore get lost within these consolidated and aggregated risk exposures. Whilst providing a consolidated view is of some value, it rarely provides actionable insight, leading to ERM fatigue on the executive and board level.

To drive board engagement in the ERM process and deliver powerful business insights, firms need to ensure that their ERM processes and systems deliver on both core capabilities. By understanding these relationships between risks, firms can drive a more engaging conversation with their boards, generating more insightful analysis and efficient reporting.

The fallacy of ERM is that it is about managing the ‘big risks’; in fact, this is, or should be, just one part of an ERM programme.

An ERM programme should deliver two core capabilities:

  1. The ability to consolidate risk exposures through risk types to provide a holistic, enterprise view of risk
  2. The ability to understand the relationships and interactions between risk types and individual risks to generate powerful insights that support better-informed business decision-making

Importantly, when implementing an ERM programme, firms should never lose sight of its real purpose – to enhance the firms’ ability to deliver its objectives and create sustainable shareholder value.

Subscribe to our newsletter

Related content

WEBINAR

Recorded Webinar: Best practices for eComms and multi-channel surveillance

Surveillance of multi-channel communications is a moving target as financial institutions continue to add conversational streams, in many cases mobile applications previously banned from the trading environment. With more eComms channels comes more data that must be managed, retained, and ready for regulatory compliance. For many firms, the changing shape of surveillance is a complex...

BLOG

STP Differentiates Investment Services with ComplianceAdvisor for Buy-Side Firms

STP Investment Services has introduced STP ComplianceAdvisor, a new practice aimed at providing comprehensive compliance solutions for investment firms. This expansion leverages STP’s existing expertise in technology-enabled investment servicing to address the growing demand for compliance assistance among its investment advisory clients. STP ComplianceAdvisor also expands the company’s technological capabilities. The new team will leverage...

EVENT

AI in Capital Markets Summit New York

The AI in Capital Markets Summit will explore current and emerging trends in AI, the potential of Generative AI and LLMs and how AI can be applied for efficiencies and business value across a number of use cases, in the front and back office of financial institutions. The agenda will explore the risks and challenges of adopting AI and the foundational technologies and data management capabilities that underpin successful deployment.

GUIDE

Regulatory Data Handbook 2024 – Twelfth Edition

Welcome to the twelfth edition of A-Team Group’s Regulatory Data Handbook, a unique and useful guide to capital markets regulation, regulatory change and the data and data management requirements of compliance. The handbook covers regulation in Europe, the UK, US and Asia-Pacific. This edition of the handbook includes a detailed review of acts, plans and...