What do all the numbers mean in risk reporting


In this blog Tony and John explain the basic principles of risk management reporting. Operational Risk Software can be key to supporting this discipline.   

Taken from: Mastering Risk Management 

What does this number mean? Why is it at that level?

These key questions often arise from reading a risk report. Most risk reports are seen on a monthly basis and there can be an assumption that the reader will remember the values given in the previous month’s report. That is unlikely. The report will almost certainly be one of many that the reader reviews. Context must therefore be given to any particular number or piece of information the report contains, either from other numbers in the same report or from a comparison with the previous period, expected range or agreed appetite.

Should I do something about it?

A good report should not simply give values but should guide the reader as to whether or not action is required. Indeed, if a report does not point to some form of action or decision, its existence should be questioned. Too many reports are regularly produced whose purpose is long forgotten or whose practical use has disappeared, if there was one in the first place. The pointer to action can be explicit, as in a key indicator report showing that an indicator is in the red band, or implicit, as in a report showing the risk appetite alongside a column of values. All reports, though, should highlight the need for action or at least a decision on action. If they don’t, drop them.

Timely reporting

A report is only useful if it is produced in a timely fashion. If a report frequency is set as monthly, it is likely that the values in the report will change on a month-by-month basis. It is therefore no good producing a monthly report three or four weeks after the end of the month as it will have relatively little value. Time has moved on and it is almost time for new values to be calculated for the end of the following month. Equally, there is no point setting a report frequency of daily or weekly if the values only change on a monthly basis. Untimely reports like this will be ignored by management and will actively work against embedding good risk management in a firm.

Reports continuously evolve

Risk reporting is, by its nature, a continuously evolving process. This stems in part from the firm’s risk profile being itself in a state of continuous change and in part from the dynamic nature of good reporting. The questions raised by, and asked of, a risk report are likely to change as the risks, controls and indicators themselves change. This will undoubtedly have an effect on the structure of the report and on the data contained within it. Indeed, it could be argued that if a risk report has not changed its structural detail in a reasonable period of time it is not doing its job efficiently.

A related problem is that reports can easily grow in both length and number. If additional information is asked for, or even a new report is requested or suggested, it can be useful to remember the mantra ‘one in, one out’. A new report will only be accepted if an existing report is deleted from the pack. It’s a useful challenge to establish what information really matters to the people for whom the report is intended. 

Risk ownership

Any risk report should enable management to take ownership of the information. This may be done explicitly, with a risk owner clearly identified, or implicitly through the identification of a department or business line. Either way, and linking with the point above about identifying action, a good risk report will precipitate effort to correct or enhance the risk profile of the firm by the person who owns the risk which requires action. An alternative, of course, is that the report shows that all risks are within the firm’s risk appetite and that no action is required. If this is the case, it is debatable as to whether or not the risk appetite of the firm is too conservative. 

For example, a report showing that there have been very few credit risk losses for the last year indicates that the firm is probably too conservative in its credit risk appetite. The firm could probably increase its net revenues by increasing its appetite for credit risk. Even a report which, at first glance, indicates that no action is required, can prompt a useful challenge. 

Identifying and treating non-compliance

Allied to this, a report should identify where there is non-compliance, with either internal or external policies or regulations, and what action is going to be taken to bring the firm back to compliance. This is fundamental and echoes the point above about a report for the board identifying exceptions. The board will also want to know what is being done about the exceptions, by whom and by when. If the exceptions have been authorised, the report should show by whom and at what level.

Incentives to deliver risk strategy

Risk reports play a key role in clearly identifying the risk strategy and how it is being achieved. A number of organisations use risk reports as an input to senior management and staff incentives. If a department or business unit is doing its part in delivering the risk strategy, this will be reflected in the risk reports. Remuneration should reward good performance, including non-financial aspects as exemplified by good risk management. Pay should, in part, reflect good risk management performance, which will be demonstrated both in and by good risk reports. 

Define the boundaries

It is particularly important that the interdependencies of the different types of risk such as market or product risk, credit risk and operational risk are recognised in risk reports. As an example, a loss from a ‘fat finger’ event in a bank or trading firm may have been viewed as a market risk event five years ago, but it is now almost certain to be viewed as an operational risk event. Having said that, care must be taken not to double count it in the market risk losses as well as in the operational risk losses – or to lose it altogether if definitions change in the interim. A further example, from the world of credit risk, is the inability to perfect a lien over collateral deposited with the firm. This is now likely to be viewed as an operational risk event, rather than a credit loss, which would have been the case a few years ago. 

This particular problem will be largely overcome if definitions of market risk, credit risk and operational risk are clear. In addition, a firm may develop a boundaries document which explores these points and clarifies, through a number of examples, the firm’s approach to risk boundaries. 

Integration with other processes

Risk does not happen in isolation. There are a number of other processes which are tangential to risk management. These include performance measurement, compensation, audit and planning. Risk reports should take these other processes into account and should not repeat conclusions drawn from them. Instead, a good risk report will, for example, add to audit conclusions and indicate risk-acceptable actions which can be taken on audit points. Repeating conclusions in different reports is likely, at best, to lead to resources being wasted as a number of people seek to solve the same problem and, at worst, to cause confusion and the possibility that nobody resolves the problem.

In our next blog Tony and John discuss how to meet user needs with different report types.     

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com 
