“Explain the risk management framework outlined in Kaplan and Mikes and evaluate how you would use it to manage both operational risk and market risk in the bank”
Introduction:
As a result of the financial crisis of 2008 Robert S. Kalpan and Annette Mikes asked why Risk Management had so dramatically failed. In the aftermath they wrote the Harvard Business Review paper “Managing Risks: A New Framework” June 2012.
Within the context and parameters of this assignment, the author will endeavour to simply explain the risk management framework outlined by Kaplan and Mikes (2012), how they have categorised different types of risk and how each of these categories should be managed.
Furthermore the author evaluates, in summary, how this framework may be used to manage both operational risks and market risks in a banking system.
Finally a conclusion of the findings from this and other research material will be provided.
Report:
Kamensky (2012) suggests that the framework developed by Kaplan and Mikes (2012) enables executives to determine the way in which risks should be managed, either through a rules based model or alternative approaches. Kaplan and Mikes (2012) research shows that any risk from any one category can be fatal to a company’s strategy or even cause its demise. The categories of risk identified by Kaplan and Mikes (2012) are preventable risks, strategy risks and external risks.
Preventable risks: Kaplan and Mikes (2012) suggests that these are internal risks that can be avoided or controlled through internal controls and guide-lines clarifying the company’s goals and values and what is expected of all employees. Kaplan and Mikes (2012) further suggests that:
“companies should seek to eliminate these risks since they get no strategic benefits from taking them on”.
Essentially internal risks include fraud, theft, detrimental behaviour or breakdown in processes. According to CareersinAudit (2013) internal risks are explained as non-compliance or information breaches. Simons (1999) states that the checks and balances designed to protect assets and to make sure that information is reliable are known as internal controls. These do not vary with strategy but are essential for controlling risks. Simons developed a calculator (See Figure 1) which is used as a gauge to enable companies to measure the level of risk associated with three pressure points – 1. Growth, 2. Culture and 3. Information Management.
Figure 1.Simons, (1999)
Strategy risks: Kaplan and Mikes (2012) explains that these are risks which are not inherently undesirable and suggests that:
“a strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential”.
A survey conducted by Forbes Insights (2013) on behalf of Deloitte found that 81% of companies now explicitly manage strategic risk rather than areas such as compliance, operational and financial risks.
“Companies that fall behind on the innovation curve may quickly fall prey to innovation’s evil twin – disruption. That is just one of the reasons managing strategic risk has become a high priority for many executives”- Ristuccia and Demneri (2013).
Mohammed and Sykes (2012) suggest that strategic risks can be explained as uncertainties and untapped opportunities embedded in your strategic intent and how well they are executed. Credit risk could be considered a strategy risk as any loan could default, however if repaid as agreed will produce revenue.
External risks: According to Kaplan and Mikes (2012) these are risks from events that happen outside the company and are outside the company’s influence or control. These include risks from sources such as natural and political disasters and macroeconomic shifts.
Investopedia (2015) states that external risks cannot be forecasted with reliability and as it is outside of the company’s control it is hard to reduce the associated risks. Horton (2015) states that all companies can create risk management strategies to lessen the damage and on-going impact of external risks, for example having property or liability insurance. Horton (2015) further suggests:
”Companies can lessen the negative consequences of a risk materializing by creating and maintaining strategies to accept, transfer, reduce or eliminate organizational risk”.
The most recent political issue to affect business has been The Brexit issue in the United Kingdom which resulted in Bank of Ireland share price falling significantly. Kaplan and Mikes (2012) states that many external risk events require analysis from a different approach for each of the sources of external risk as they do not occur often or managers cannot visualise them in normal circumstances. Different analytic approaches are used by different companies for each different type of external risk.
Kaplan and Mikes (2012) suggest that companies risk management processes should be adapted for the different risks. A compliance-based approach while it would be effective for managing preventable risks it would not be adequate to manage strategy risks or external risks. Strategy risks and external risks require an essentially different approach based on discussions which are open and unambiguous. According to Kaplan and Mikes (2012) this is not as easy as it seems as individuals when discussing risks are inclined to be biased and may even be discouraged from having negative thoughts in relation to risks that have not yet happened or may never happen.
Kaplan and Mikes (2012) states there are three approaches to managing strategic risks. According to Shefrin (2016) the first approach is using independent experts to manage risks at the outset of a project and to challenge project leaders. Kaplan and Mikes (2012) suggests doing this at different times during the project development. These experts express contentious opinions to influence debate or test opposing arguments, thus heightening awareness of risks and the likelihood of possible failure or defects. Experts are unbiased so have no agenda except to assist in avoiding unacceptable levels of risk. The second approach is to employ facilitators, usually a small central risk-management group, to gather relative information from operating managers, thus enabling managers to be more aware of the relevant risks that have been taken on across the organization and helps more informed decisions to be made in relation to the risk profile. The third approach suggested by Kaplan and Mikes (2012) was to use embedded experts within the organisation to continuously monitor and influence the companies risk profile. These experts should work alongside line managers whose activities relate to generating new ideas, innovation and risks, and the possibility of profit.
According to Kaplan and Mikes (2012) companies can call on different tools to assist in managing major external risks, including scenario planning and war-gaming. The approach taken depends on the imminent danger that the potential risk’s impact could cause and whether it arises from economic, geopolitical, environmental or competitive changes.
Scenario planning: Scenario planning, suitable for long range analysis usually five to ten years. It defines the plausible boundaries of the states of the world, examining political, economic, social, regulatory, technological and environmental forces. Typically four drivers that would have the biggest impact are selected. The maximum and minimum anticipated value over five to ten years is estimated for each driver which combined lead to 16 scenarios. Half are considered plausible and are used to assess performance of the firm’s strategy. If the view from these scenarios is optimistic managers can modify it to accommodate a pessimistic one. Alternatively managers can develop plans with regard to changing their strategy should early indicators dictate that events could turn against it. The steps involved in Scenario Planning are provided in Figure 2.
Figure 2 CGMA (2015)
War-gaming: War-gaming is suitable for a more short term horizon than that of scenario planning. Four teams devise plausible near term strategies which may be adopted by existing or potential competitors during the next one or two years. This tool is of particular value when the competitive environment is undergoing change. According to Kaplan and Mikes (2012)
“War-gaming assesses a firm’s vulnerability to disruptive technologies or changes in competitor strategies”.
According to Kappa (2007)
“the Business War-gaming concept is based on the recognition that an organization’s success reflects three major lines of force: 1. Your company’s plans and execution 2.Competitors’ plans and actions 3.Uncontrollables” (See Figure 3).
The four teams assume the role of competitors and examine how clever competition could attack the company’s strategy preventing managerial biased opinions and enables consideration of actions alternative to their current beliefs. The likelihood of risk events identified through tail risk testing, scenario planning and war-gaming by competitors, cannot be influenced by the company but managers can take actions to alleviate their impact. For example, insurance can protect against negative events which is also known as hedging, while it will not stop the event from happening the impact will be lessened.
Figure 3 Kappa West (2007)
Managing risk and managing strategy are very different. Kaplan and Mikes (2012) states:
“Risk management focuses on the negative-threats and failures rather than opportunities and successes”.
Rules and compliance can alleviate some critical risks. Active and cost-effective risk management requires managers to think methodically about the different categories of risks they face so that they can initiate the correct processes for each.
Within both Operational Risk and Market Risk managers face a number of the categories identified by Kaplan and Mikes (2012)
Operational Risk:
Operational risk has two main causes, internal and external. Internal risks include process, people and systems while external risks include fraud, acts of terrorism or sabotage KPMG (2012). Internal risks should be controlled and eliminated, Kaplan and Mikes (2012) include internal risks under the category of Preventable risks so therefore some operational risks can be managed by active prevention, monitoring of operational processes and having a set of guidelines setting out what exactly is expected of staff. A well-defined mission statement states an organisations purpose and reason and serves as an internal compass to help keep staff on the right path, each employee needs to understand and read the mission statement. Also clear value statements will assist employees in avoiding lowering the company’s standard, putting its reputation and assets at risk. In addition, boundaries, which clarify what is not allowed, can also be used to manage operational risks. As already stated external risks can also be a cause of operational risk. While internal risks can be managed on a rules based compliance approach external risks are generally beyond the companies control and therefore must be managed differently. Companies must identify possible external risks and discuss these risks. These discussions can be difficult as research has shown, Kaplan and Mikes (2012) states:
“that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late”.
Different companies use different logical approaches to deal with the different sources of external risk. Tail-risk stress testing is used by the bank to determine what effect major changes in one or two variables would be. These effects would be major and immediate but exact timeframe cannot be predicted. This type of stress testing is carried out by financial services on external events such as changes in oil prices, a major change in exchange or interest rates and on the default of a major institution or sovereign country with respect to the effect it could have on trading positions and investments.
Market Risk:
Market risks can consist of changes in credit spreads, interest rates and equity prices among other indicators whose values are set in a public market and can cause losses in the bank’s trading book, McKinsey & Company (2012). Kaplan & Mikes (2012) states that banks often manage market risk in a separate group to credit risk and also in a separate group to operational risk. Kaplan and Mikes (2012) suggests that compartmentalization of risks into separate categories such as these can inhibit knowledge of risk interaction. They further suggest that risks need to be discussed on a confrontational and integrative basis. Businesses may have failed in the past due to a combination of minor events which have a knock on effect on each other which may never have been envisaged due to lack of discussion. Risk professionals need to consider a 360° view, in other words they need to look at the whole picture not just part of it. While market risks are fundamentally external risks in relation to Kaplan and Mikes (2012) risk categorisation process, banks have to have strategies in place to manage them. While according to Kaplan and Mikes (2012) external risks such as those included in market risk cannot be controlled by the bank, techniques and strategies such as Value at Risk (VaR) and diversification are used to safeguard, as far as possible, against the negative impact of market risks. Value at risk (VaR) is a technique used to quantify and measure the extent of financial risk within a firm or investment portfolio over a specific length of time. Diversification is a technique that mixes a variety of investments within a portfolio with the idea that different kinds of investments in one portfolio should yield higher returns and pose a lower risk than any single investment found within the portfolio. Current research is contradictory in regards to the ability of banks to use diversification as a strategy for managing market risk, however if used the investments must be uncorrelated. Kaplan and Mikes (2012) states that:
“to manage major external risks outside the company’s control, companies can call on tools such as war-gaming and scenario analysis”
however scenario analysis appears to be more suited to longer time periods typically five to ten years than war-gaming which is typically one to two years. In the author’s opinion even one year can be long time in a volatile market place.
Conclusion:
In conclusion, to definitively assess the workability of the risk framework developed by Kaplan and Mikes (2012), a comparative study of a number of financial institutions pre the 2008 recession working in the absence of this framework and post the 2008 recession working with this framework would have needed to have been carried out. However in the absence of this information the author has found that Kaplan and Mikes (2012) provides a simplified categorisation system for different types of risk. They also provide solutions to a number of these risk categories which appear viable in relation to Operational Risks, however external risks, which encompasses Market Risk, seems to have more long term solutions and this time period may be detrimental to the company in a volatile market scenario. As a result of ‘Brexit’ the Bank of Ireland share price fell by 22.7% overnight (breakingnews.ie, 2016). Strategies and techniques to deal with market situations similar to this cannot afford a time frame of one to two years. Other research, referenced throughout this document, appears to provide more efficient solutions to Market Risk in the form of VaR and diversification. The majority of referenced material relates back to Kaplan and Mikes (2012) which may suggest that other economic researchers need to look at and assess how an alternative framework might function. With the onset of ‘Brexit’ and the rise in the number of terrorist attacks occurring anywhere, an updated framework may become imminently necessary.