Risk Officer
International Association of Risk and Compliance Professionals (IARCP)


According to the US Government Accountability Office (GAO), in some instances the public and private sectors should apply risk management principles in similar ways, while in other instances they manage risk differently.

In both the public and private sectors the risk management process should include:

1. The systematic identification and assessment of risks through scientific efforts.

2. Efforts to mitigate risks.

3. Risk adaptation to address financial consequences or to allow for effective transfer of risk.

The private sector manages risk by "pre-funding" and diversifying risk through insurance. In addition, the private sector creates incentives for individuals to lower the risks they face from, for example, a car accident or a natural disaster, by offering to reduce insurance premiums if the policyholder takes certain steps to mitigate these risks.

The public sector, for its part, plays a unique role in managing risk, for instance by regulating land use and establishing building codes; organizing disaster protection, response, and recovery measures; setting regulatory frameworks; and supplementing the insurance industry.

In addition, private sector organizations have more flexibility than the public sector to select which risks to manage. For instance, the private sector can avoid risks in cases where the costs of insuring against them are too high.

The private sector tends to naturally consider opportunity analysis—or the process of identifying and exploring situations to better position an organization to realize desirable objectives—as an important part of risk management.

In contrast, participants observed, public sector organizations have less flexibility to select which risks to address through protective measures. Like the private sector, the government has to make choices about which risks to protect against, since it cannot protect the nation against all hazards.

Unlike the private sector, the government has a wide responsibility for preparing for, responding to, and recovering from all acts of terrorism and natural or manmade disasters and is accountable to the public for the investment decisions it makes.

In the private sector, after the Sarbanes-Oxley Act in the USA, the Basel II/III Accords in more than 100 countries and the Turnbull guidance in the United Kingdom, risk officers have become far more important.

A company's system of internal control has a key role in the management of risks that are significant to the fulfilment of its business objectives.

A sound system of internal control contributes to safeguarding the shareholders' investment and the company's assets.

Internal control facilitates the effectiveness and efficiency of operations, helps ensure the reliability of internal and external reporting and assists compliance with laws and regulations.

Effective financial controls, including the maintenance of proper accounting records, are an important element of internal control.

They help ensure that the company is not unnecessarily exposed to avoidable financial risks and that financial information used within the business and for publication is reliable.

They also contribute to the safeguarding of assets, including the prevention and detection of fraud.

A company's objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing.

A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed.

Since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it.

All employees have some responsibility for internal control as part of their accountability for achieving objectives.

They, collectively, should have the necessary knowledge, skills, information, and authority to establish, operate and monitor the system of internal control.

This will require an understanding of the company, its objectives, the industries and markets in which it operates, and the risks it faces.

The risk officers must coordinate this effort. Good risk officers make a real difference in any organization.

Governments also need good risk management.

According to the GAO, the main challenges to applying risk management in government are improving risk communication, political obstacles to risk-based resource allocation, and a lack of strategic thinking about managing homeland security risks.

Improving risk communication posed the single greatest challenge to using risk management principles.

To address this challenge:

1. We must educate the public and policymakers about the risks we face and the value of using risk management to establish priorities and allocate resources.

2. We must engage in a national discussion to reach a public consensus on an acceptable level of risk.

3. We must develop new communication practices and systems to alert the public during an emergency.

In addition, to address the strategic thinking challenges, governments must develop a national strategic planning process for security and government-wide risk management guidance.

To improve public-private sector coordination, the private sector should be more involved in the public sector's efforts to assess risks, and more state and local practitioners and experts should be involved through intergovernmental partnerships.

The Basel II / Basel III framework and the risk officer

Effective risk management and corporate governance are critical to the proper functioning of the banking sector and the economy as a whole.

Banks serve a crucial role in the economy by intermediating funds from savers and depositors to activities that support enterprise and help drive economic growth.

Banks’ safety and soundness are key to financial stability, and the manner in which they conduct their business, therefore, is central to economic health.

Governance weaknesses at banks that play a significant role in the financial system can result in the transmission of problems across the banking sector and the economy as a whole.

The increased focus on risk and the supporting governance framework includes identifying the responsibilities of different parts of the organisation for addressing and managing risk.

This arrangement is often referred to as the “three lines of defence”, and each of the three lines has an important role to play.

The business line – the first line of defence – has “ownership” of risk whereby it acknowledges and manages the risk that it incurs in conducting its activities.

The risk management function is responsible for further identifying, measuring, monitoring and reporting risk on an enterprise-wide basis as part of the second line of defence, independently from the first line of defence.

The compliance function is also deemed part of the second line of defence.

The internal audit function is charged with the third line of defence, conducting risk-based and general audits and reviews to provide assurance to the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied.

One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks' information technology (IT) and data architectures were inadequate to support the broad management of financial risks.

Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities.

Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices.

This had severe consequences to the banks themselves and to the stability of the financial system as a whole.

In response, the Basel Committee issued supplemental Pillar 2 (supervisory review process) guidance to enhance banks' ability to identify and manage bank-wide risks.

In particular, the Committee emphasised that a sound risk management system should have appropriate management information systems (MIS) at the business and bank-wide level.

The Basel Committee also included references to data aggregation as part of its guidance on corporate governance.

Many in the banking industry recognise the benefits of improving their risk data aggregation capabilities and are working towards this goal.

They see the improvements in terms of strengthening the capability and the status of the risk function to make judgements.

This leads to gains in efficiency, reduced probability of losses and enhanced strategic decision-making, and ultimately increased profitability.

The potential impact and frequency of the risks to which banks are exposed vary by business line and by bank.

The way in which employees of a particular business line are remunerated can have a significant bearing on the level of risk that is ultimately taken on by that business.

For example, direct off- or on-balance sheet exposures written on a commission basis will typically give rise to a much greater degree of risk than a fee-for-service business, such as the provision of financial advice.

It is essential that risk adjustments to remuneration be tailored to match the risk profile and risk appetite of individual financial institutions.

These adjustments need to take into account the nature of the risks involved and the time horizons over which they could emerge.

In addition to the level of risk, the type of business also influences the measurability of risk.

This in turn affects the ease with which risk adjustments may be made to performance measures and variable remuneration.

Appropriate risk adjustments depend on the ability to develop quantifiable performance measures as a first step.

In some businesses, such as traded market risk, these measures are more readily available and the next step – appropriate risk adjustments – can be undertaken.

However, for businesses which rely more heavily on qualitative measures, such as a risk management unit, the process of quantification and therefore risk adjustment becomes more difficult.

Nevertheless, this should not dissuade businesses from adopting a qualitative approach when this is the most reliable method available.
