Peter Bernstein’s Against the Gods1 illustrates how the remarkable story of risk has been an ever-evolving one, where the frontiers of risk have continually been pushed back with new breakthroughs in our understanding of risk and consequently in our improved ability to identify, measure, and manage risk. Best practices in risk management continue to be designed, defined, and refined by industry participants and their stakeholders. Indeed, there are libraries of books, reams of research papers, and years of discussion dedicated to the continual improvements that are being made in risk identification, measurement, and management. This will remain a perpetual frontier of risk management. However, rather than revisiting these best practices, I would like to focus on some of the other challenges faced by risk managers today. For many, one of the key frontiers is not to design or define new best practices—it is to embed established best practices in the management of their firms. In facing this frontier, the challenge is neither conceptual nor computational, it is in fact cultural.

Of the multifarious challenges faced by risk managers today, the increasing regulation of our industry has understandably attracted much focus. Despite the heavy regulatory burden, we need to remain mindful not to focus solely on minimum regulatory compliance. In an era of increasing regulatory demands, where compliance fatigue is a common industry ailment, it is easy to forget our primary purpose; that of more effective and efficient business management for our shareholders. The danger is that firms develop a culture of minimum compliance. Of course, regulatory compliance can often be compatible with better enterprise risk management. For example, the development of internal rating models is not just a means to achieving regulatory compliance. Rating models are merely decision tools that must be utilized better to manage risk and extract ­business benefits. For example, the development of Basel-­compliant ­models, which are externally validated by regulators, will open up new opportunities to mitigate risk in portfolios, which previously could not easily be traded due to difficulties of consistently measuring different risks in different firms. The emphasis on model use is a common and necessary theme throughout the Basel II use test requirements.

As a result of the increasing regulation and complexity of our business, there are growing requirements for better risk communication with all stakeholders. Internal stakeholders need to understand the more complex regulatory capital impacts on their businesses and how their firms need to respond strategically. Risk managers must proactively engage the business generators in their firms by communicating the strategic context of the change agenda and facilitating their firms in responding strategically to those changes. Business generators, who have their own market-driven priorities, also need to engage with and support risk managers. Without such a partnership approach, neither will achieve their strategic objectives from the heavy change agenda.

With management board members now personally responsible for the corporate governance of their firms, they are rightly more demanding of their risk functions in terms of risk comprehension and risk assurance. Management boards are responsible for the economic health of the entire business and are consequently more interested in an integrated view of all risks and how these risks might change and interact in response to various scenarios. This is often termed an enterprise risk management (ERM) approach which encompasses credit, market, operational, and other material risks2 for the enterprise as a whole. An ERM approach is very different to the traditional “silo-based” approach to risk management where different risk components are managed in separate silos (e.g., credit risk vs. market risk) with little interaction between silos. An ERM approach to risk management seeks to create the ability to integrate risks and report them at consolidated levels while recognizing potential diversification benefits both within and across risks. The Risk Management Association (RMA) defines ERM as:

These cultural challenges arise as many firms still manage their risks quite strictly within risk silos. This silo-based approach often pervades the entire risk infrastructure of a firm, including its systems, processes, and people. Risk information systems are often designed specifically for one risk type and can impede integration or aggregation with other risk types. In addition to the difficulties in integrating risk information across risk silos, risk information can sometimes be difficult to integrate with other related information (such as earnings), thereby making it more difficult to evaluate risk—reward trade-offs either within or across risk types. Decision-making processes also tend to have different risk committees and risk personnel who evaluate different risks based on different evaluation criteria.

The divisions between risk silos are in many ways cultural divisions. To break down these cultural divisions, firms must invest in extensive training and development of their staff so that they can take a more integrated view of enterprise risks. They must encourage and promote job rotation across risk types in order to break down the artificial barriers between different risk silos. Job rotation between risk functions and the business also need to be encouraged so that the symbiotic nature of their relationship is recognized by all. Equally, staff must be willing, and incentivized if necessary, to become more risk-literate and consequently more quantitatively literate. Unless this is done, an ERM approach will remain an aspirational objective in many firms.