How to create a secure risk management mechanism for financial institutions

Recent incidents of Vijay Mallya, Nirav Modi, and Mehul Choksi have now brought in questions on how banks have exposed themselves to so much credit risk, and why they were not able to mitigate or detect these incidents early on. Not just that, Cosmos bank has recently reported a Rs 94 crore hack from their servers. Could better risk management practices have sent early warning alerts before the entire issue became a big mess? These are some basics questions that everyone is asking. We have heard quite a few jokes on this on social media as well.

From my personal experience of meeting various compliance leaders from the finance industry, Indian companies typically have a reactive way of risk management, as compared to most of global MNCs who are more proactive in their approach. ‘Jugaad’ or makeshift arrangements is quite pronounced in the way Indian financial institutions run their risk management function. One of the very large financial institutions that we met didn’t want a full-fledged risk management programme as they knew that they would find many skeletons in their cupboard, and so no one wanted to bell the risk and compliance ‘cat’ for fear of losing their jobs.

Now we all know that the probable rate of return is directly proportional to the amount of risk taken. If something was easy then everyone would be doing it, and the rate of return would be very small. So, the question is – how much risk should a financial institution take to meet their financial objectives? The answer to that lies in the type of financial instructions. Commercial banks, investment banks and companies, insurance companies, etc. may have varying levels of risks that they may have to take. Whatever the levels of risk, what is important is to quickly start a proactive risk management mechanism. In my opinion, there are three basic steps for any strong risk management mechanism:

Assessing risk

The nature of risks is continuously changing, and evolving faster than we have ever seen in history. With the world getting networked globally, there are new threats emerging all the time. Therefore, continuously assessing these risks is very important. With the increased digitization in all financial institutions, threats can originate from any part of the world. Benchmarking other players in the industry is a good way to keep abreast of the financial institution’s risk programme. Learning from others’ mistakes and smoke testing them in your organization is also another way of continuously assessing risks.

Defining/amending strategies to mitigate risks

Once a complete assessment of the risks has been carried out, the next step in developing a good risk management mechanism is to articulate financial and operational strategies in a way that allows measurement of their impact on the risks identified.

Defining what is acceptable and what is not acceptable needs to be clearly articulated in the strategies. These definitions will help to maximize the values to be derived from the risk management programme, or can even act as an early warning system to the financial institution.

Implementing a successful risk management programme

Clinical execution of a well-thought-out strategy is important for any risk management programme. Embedding this in the company’s culture goes a long way in making the programme more successful.

Trying to do too many things at the same time may also not help in the risk management programme. The best way is to start small. Get quick wins. The organization must start believing in such a programme for a larger implementation.

Most importantly, risk management should ideally be a top-down approach. The top management should be at the forefront of driving it and leading the organization culture by example.

Generally, the organization is so focused on its growth strategy that they sometimes oversee the risk management mechanism as it may be seen as an obstacle to growth. So, when the leadership emphasizes on the good implementation of a well-perceived risk management strategy, the probability of the risk management programme being successful is ensured.

To become global leaders in their business operations, financial institutions have to run a proactive risk management programme to be able to get early warning messages for the leadership to act upon. These programmes are very painful in the beginning, but like they say, we need to sweat more in peace and bleed less in war.

Lt Commander Anil Prem D’Souza (Retd) is CEO of Simpliance Technologies, a Quess company.

(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)