StrategicRISK associate editor Nathan Skinner talks to Matt Kimber, UK chief risk officer for Marsh and former head of operational risk for the Lloyds/HBOS group

New stats from a global broker offer some insight into the banks’ financial risk management nightmare. One of the most revealing findings is that financial services risk managers don’t have confidence in their own internal controls. Executives responsible for risk management in 700 organisations across seven sectors were asked their attitudes to risk. Some 120 financial institutions responded. They stand out as the companies most affected by the downturn and the ones with the least confidence in their risk management capabilities - not surprising given that the controls failed totally to avert or even warn of the banking cataclysm.

The research, commissioned by Marsh and carried out by Ipsos, also suggests that the financial industry is undergoing a major overhaul to reengineer its risk management processes. Compared with the other industrial and service companies surveyed, risk managers at financial firms were the ones most likely to be receiving attention and funding from senior management. Forty-eight percent of the financial firms asked said the economic downturn had prompted them to formally review their approach to risk management. But they weren’t the only ones. The other industries mostly shared their sentiment. Does all this, as Marsh suggests, mean the financial industry has recognised its problems and is committed to solving them?

Britain has seen its share of banks on the brink of failure. According to the Treasury Select Committee, a group of MPs who recently reported on the financial failures that led to the banking crisis, poor corporate governance was in large part responsible. Risk managers weren’t able to act as an effective mechanism to balance out the excesses of a booming and complex global financial market, while internal and external braking systems were too easily ignored or brushed aside. And the dominant culture within banks did not encourage loyal dissent from within. Non-executive supervisory boards share the blame, said the MPs.

‘The financial services industry should be reviewing its approach to risk management in four main areas,’ says Matt Kimber, UK chief risk officer for Marsh and former head of operational risk for the Lloyds/HBOS group. ‘These can be split into governance, the way risk is reported, discussed and challenged in an organisation; frameworks, the components that make up the risk management approach of the organisation; people and their skills sets, which is one of the most important elements; and culture, which underpins all of the above and is vital for effective risk management.’

He is convinced, as the report shows, that the whole financial industry is investigating these areas with the hope of finding out what went wrong. Kimber thinks corporate governance in the financial services industry is essentially fine. ‘The people acting within the governance framework, however, were not challenging enough,’ he says. ‘Although sometimes hard, you must be prepared to challenge. To think: Can I play devil’s advocate? That is good healthy business practice.’ But, adds Kimber, it is important not just to challenge for the sake of it. Referring to his role at Marsh, he says: ‘I have worked in other organisations where the style of management from the top is much less collaborative and much more directive, which is less healthy.’

Non-executives should find themselves in the best possible position to challenge conventional truths. But the banking crisis revealed serious deficiencies in the competency of certain non-executives. ‘I have worked with non-executives who are incredibly astute and able to challenge at all the right places. Ultimately, it is down to the organisation to choose the right non-executives who understand the business and have the confidence to challenge where it is appropriate,’ comments Kimber.

One of the other insights the Marsh report flags is that financial institutions need to change the way risk management is perceived by their management and employees. ‘The risk management department should not be perceived to be just a cost centre or ‘deal prevention unit’, but understood to make a direct contribution to the organisation’s performance,’ says the report. That all sounds nice but ‘ultimately it boils down to the culture of the organisation and the risk professional to navigate effectively,’ notes Kimber.

Another oft-heard lesson from the banking crisis is that risk managers should be given the right level of attention from senior managers. Putting a risk manager on the board or having him/her report directly to it seems to make sense if they are to perform the role of trusted adviser. The trouble is, the closer a risk manager is to the board, and the tighter he or she is tied financially to its success, the easier it may be for the C-suite to sway their opinion. At least, that is one train of thought. Kimber subscribes to the former: ‘Generally speaking it is preferable for the CRO to sit on the board or report directly to it. I would argue that some CROs have always been trusted advisers; others will be seen as a support function. Effective risk managers can earn their place at the top table.’

And one of the ways risk managers will be able to step up and get noticed is by saving their company money. Budget cuts and a tougher operating environment are making life particularly hard for business. But, looking on the positive side, this could be an opportunity for risk managers to prove their mettle. Kimber thinks that as businesses reengineer their governance frameworks, it is an opportunity for risk managers to make sure good controls are built in. ‘Good, effective risk management can help protect your costs and enable your income line.’ But he stresses that in order to help steer the ship towards profitability, risk managers need to understand all the dynamics and levers of the business. ‘The trick to effective risk management is to look for ways to blend a risk management lens with business initiatives, so that decisions are seen as good business sense rather than as risk management protocols. Risk managers need to be well networked in the organisation and they need to be creative and flexible,’ he says.