4A: the minimalist risk framework

The risk framework can be a valuable tool. Used with a sharp risk vision and an action-focused risk process it can tackle our big "ERM 1.0 challenges":

  1. Opaque value: Risk seems invisible and it can be difficult to define and secure value from risk management. It doesn't have to be this way.
  2. Risk-business gap: There can be a gap between the "risk function" and other "value-generating" business functions. They can work together.
  3. ERM drag: A governance-heavy, non-integrated approach leads to puzzled boards and ERM being organisational drag. Reduce the hard slog.

4A is a minimalist and governance-lite base framework, but is not just about downplaying some areas: new items add value and remove the gap.

A "full fat" risk management framework

It seems that a lot of care has gone into producing the following risk management framework. More than likely consultants helped.

Titles of the ten diagram items

  1. Risk strategy
  2. Risk appetite
  3. Risk profile
  4. External communication, stakeholder management
  5. Governance, organisation and policies
  6. Business performance and capital management
  7. Risk and capital assessment (inc internal models)
  8. People and reward
  9. Management information
  10. Technology and infrastructure

The colour key suggests that:

  • Items 1-4 are about business strategy
  • Items 5-7 are about business management
  • Items 8-10 are about the business platform

There's a lot of enthusiastic "risk talk" – and that's before we get to the shapes and that big circle – "the heart".

What's wrong? It's all entertainment and no action

Try to spot any action in the diagram. Action in the sense that it will create value, or engage with or even affect the organisation's core business or reason for being. Look harder. It's just not there is it? There is little possibility that all this "risk talk" will change any decision to be made: how could it? Why should anyone care?

The colourful "entertainment" language is Dave Ingram's, not mine. We could instead say it's a "governance-heavy risk framework". But let's hear Dave:

A typical picture of a risk management system focuses on risk appetite, identifying and assessing risks, risk measurement, monitoring risks, risk reports, risk committee meetings, stress and scenario testing.

People spend hours and hours ... making adjustments to the system, then peering at and discussing the output.

Does that list sound familiar? Go back now and read the list again. Not a single item on that list is an action step.

Quite a number of people can be very busy doing the tasks listed above without there being any direct connection to the decisions that drive the work and ultimately the risk profile of an organization.

Source: Dave Ingram in A gigantic risk management entertainment system

Whatever the language, Ingram is right. And his point applies to other areas of risk management. Let's take a quick look at a risk management process.

The "all entertainment, no action" risk process

The risk framework had little action. This risk process from the Australian government has the same problem: "risk this, risk that" – too much "risk talk".

Elvis was right – it needs a little less conversation and a little more action.

What's wrong? Play it again Dave

A typical picture of a risk management system focuses on risk appetite, identifying and assessing risks, risk measurement, monitoring risks, risk reports, risk committee meetings, stress and scenario testing.

People spend hours and hours ... making adjustments to the system, then peering at and discussing the output.

Does that list sound familiar? Go back now and read the list again. Not a single item on that list is an action step.

Quite a number of people can be very busy doing the tasks listed above without there being any direct connection to the decisions that drive the work and ultimately the risk profile of an organization.

Source: Dave Ingram in A gigantic risk management entertainment system

You can draw a better risk process. But let's do a better risk framework.

4A framework: memorable minimalism

The risk vision and plan sets out the ambitions for risk management: it covers the "what and why" with enough "edge" to show what value the organisation intends to get from risk management. The next step on from this is a risk framework. This deals with "how and who". The diagram below is the simplest version.

4A key features

  1. Minimalist core. The 4A approach is a baseline framework, focusing on areas which add value. Other items such as governance can be added to the 4A core as required. As a bonus, 4As is memorable. Your Board will get it.
  2. Targets business decisions. The fourth "A" is Action, ranging from strategy to core decision making by business functions. No gaps from day-1.
  3. Appropriate roles for functions. 4A has a simple and practical philosophy:
    Centralize process ownership, decentralize decision making Source: AT Kearney – Seven tenets of risk management in the banking industry

    Example roles (more of which below):

What is all this decision making? What is being delivered? Can risk and business functions really help each other? Can we be a bit less conceptual?

4A framework: capital and value optimisation

It's easy to accept that the diagrams show a minimalist 4A framework, especially compared to the ten items and lengthy text in the "full fat" framework. The progression from Articulation through to Action and the natural division between risk and business functions also makes 4A memorable.

But more detail is needed to justify that the 4A framework (a) is really about value and (b) effectively links up risk and business functions – closing the gap.

Let's delve a little deeper, still keeping it simple.

Capital optimisation

This is a responsibility of the capital management team, supported by the risk management function. Objectives include the optimisation of:

  1. the type of capital e.g. debt / equity
  2. the (weighted average) cost of capital
  3. the allocation of capital to business-generating functions

A better risk process points to other balance sheet-focused risk-related decisions.

Value optimisation

This is a "simple" three-step process:

  1. Allocate capital based on likely opportunities
  2. Deliver opportunities, based on RAROC or improvements to it
  3. Measure and validate performance, feeding back into (1) above

It seems clear that this value optimisation also closes the gap to some extent.

But we can make the process work much smarter. Read on to find out how.

4A framework: increasing value, closing the gap

Summary

We look at capital- and value-based optimisation as a means of "closing the gap". We conclude that:

  • Capital optimisation will not close the gap.
  • Value optimisation based on traditional RAROC techniques will have limited success in closing the gap.
  • A smarter RAROC technique – which I have called FAB-testingshould successfully close the gap and add additional value.

Capital optimisation

Good capital management adds value in various ways. It can:

Capital allocation and the corresponding discussions clearly form a link between capital, risk and business functions. But it doesn't close the gap. Here's why.

  • Risk-based capital calculations are based on relatively extreme risks – at the 1-in-200 level and beyond in financial services.
  • Capital allocation is an infrequent exercise – possibly only once a year.
  • Performance measurement can be retrospective and is a judgement on business units.

The result is that there are limited opportunities for the sort of conversations and insight that can increase value. Optimisations actually become maximisations, which can take place without collaboration between capital, risk and business functions – as we'll see below. The gap is hardly closed.

Value optimisation: Traditional RAROC

In theory risk-adjusted return on capital was supposed to align interests, optimise results and close the gap between capital, risk and business functions.

In practice capital work mainly takes places in the capital management function, with little input from risk management and even less from business functions on an ongoing basis. In the business units "optimising" RAROC tends to be a maximisation exercise; traditional RAROC is a ratio between two deterministic numbers:

  • The denominator is the risk-based capital, but business functions are often given rules or heuristics so this can be calculated in a formulaic way.
  • The numerator allows for deterministic best estimate cashflows, including the expected run off of the capital.

This traditional RAROC approach leads to three missed opportunities. We'll now show how seizing those opportunities increases value and closes the gap.

Value optimisation: SmartRAROC

Traditional RAROCSmartRAROC
Potentially accepts loss making investments Compounds returns over time taking into account full variability, not single period returns based on expected value.
No guidance on the amount to invest The proportion of capital to invest is the result or output of the optimisation process.
No credit for risk management Although this is not formulaic there is potential to give credit.

SmartRAROC a.k.a. FAB-testing naturally leads to mutually beneficial conversations between risk and business functions, since a collaborative approach is needed to tackle the above challenges. The gap disappears and the ERM drag vanishes too.

© 2014-2017: 4A Risk Management; a trading name of Transformaction Development Limited