1.1 THE ESSENCE OF CAPITALISM

Risk is the essence of free enterprise in liberal economies. The very act of incorporating a firm is an expression of risk appetite by which a number of partners will be holding liabilities to produce value and profit and meet a development objective. Meeting the revenue and profit objectives within the boundaries of the risk appetite is the mission of the executive management team. The Chief Executive Officer is the guardian of that bond between the shareholders and the board of executive directors.

The assets and human resources involved must therefore be utilized to maintain this balance between generating value and controlling risks. As such, one may argue that the discipline of managing risk has always existed. Since the 18th century’s Industrial Revolution, firms have invested, created value, survived crisis, adapted to changing technology, competed against each other and weathered many crises and wars. Or have they? Few firms actually last more than 50 years. A minority may last more than 100 years. Others, on the other hand, will most likely cease to have a purpose as their shareholders lose their appetite for risk or operate in unsustainable conditions; some others might fail. In any case, these firms somehow lose the balance between generating value in reward for labour and capital and the risks involved. The very few that survive, expand and thrive usually evolve at a staggering pace, through organic and inorganic growth, continuously adapting and innovating from core business to new market niche, often transfiguring in each decade.

The transformation leading to survival is a demonstration of balance between risk and value management. Seldom a smooth transition, the history of corporations is fraught with crises, failures and restarts. More often than not, change is a painful implementation. It is the evolution of risks, the unexpected ones in particular, that seems to be pushing the boundaries of innovation by changing the conditions for survival. Corporations and governments are forced to adapt as they face unstable and unsustainable situations - namely crises. Therefore they are periodically compelled to find new balances between risk and value generation, going from crisis to crisis. In other words, no approach to risk management, despite a brilliantly designed one, can be set in stone and dogmatically dictated to future generations of managers. Risk management is a continuous search of equilibrium, just as the balancing pole of a tightrope walker is always in movement. Managing risks requires bringing into question the very hypothesis it relies on, time and again.

In the finance industry, risk management is of even greater importance since the core business is about managing others’ money - others being the depositors of a bank, the investors of a fund or clients of an asset management service. It is also about managing others’ risks - corporates, retail customers or funds that operate on margin. So there is a double balance between value and risk generation to be maintained when operating in the finance industry - the balance of any corporation between risks and the value extracted from growth and operations and the balance between customers’ risks and customers’ support.

As the link that holds all business sectors, households, corporations, governments and institutions together, the finance sector plays a central role in every economy. Since the late 1960s, no business, administration or institution would run any operation by funding any part of its activities in cash. Hence the finance industry plays a far more critical role, akin to a heart pumping blood throughout an economy. The modern theories of efficiency in management have led absolutely every agent of a modern economy to operate ‘on margin’. Banks lend to corporates to invest, corporates in turn lend to each other to produce, whereas customers and retailers use credit for all they consume. Credit and financial activity is absolutely everywhere, in everything we touch, drive, produce and consume. Since the late 1980s, the fall of the Berlin Wall and the emergence of new economies, the model has become global. As a result, one can say that the whole world economy runs ‘on margin’, as a gigantic hedge fund. Therefore the balance of risks and value generation is even more crucially necessary for the finance industry. Losing it immediately impacts on other parts of the economy as any imbalance spills over its externalities to other sectors.

1.2 THE MOVE TO MODELS; WHEN RISK CEASED TO BE MANAGED

The above reasoning leads to an obvious conclusion that risks somehow existed ever since the very notion of investing for generating some kind of return was born. One can therefore state that from the agriculture of the Romans to the Industrial Revolution, the techniques of financial risk management have slowly evolved and inherited their progress from the growing sophistication of financial instruments, starting with the currencies of the kings and letters of credit they would issue, where the very first forms of securitization appeared in the 17th century.

Yet the term of risk management as an art or a science (at the very least as a discipline) appeared in the late 1990s, when an end-of-day report at JP Morgan that was produced at 4:15 pm became the ‘4:15 pm report’ - a statistical assessment of potential losses in the future based on the volatility and the covariance of assets in a portfolio. Value-at-risk (VaR) was born. JP Morgan later spun off the service into a start-up that became Riskmetrics and further developed risk management software and services. Other methodologies appeared and risk management was better publicized as a new profession when in 1996 a book by Professor Philippe Jorion, Value-at-Risk, presented several methodologies to compute VaR and a building block methodology to implement those calculations across the enterprise. Many other publications and variations appeared immediately after but it is a fair assessment to recognize the role of JP Morgan, RiskMetrics and Professor Philippe Jorion in the formal establishment and development of risk management techniques.

Ironically, risks ceased to be managed on the very instance risk management attempted to become a form of science. In fact, from that moment onwards, the finance industry merely managed data and models, and progressively detached the management of risks from the risk management functions.

VaR then proceeded to spread around the world like wildfire. Large banks embarked in education programmes for their clients, lectured the emerging markets and presented the very use of VaR as a management tool as though it was a label of quality. There were few dissenting voices claiming that overreliance on VaR presents a false sense of confidence to the industry as it was, after all, a modelled prediction of exposure and by no means a protection against risks. A few duels over the Web and white papers distinctly opposing Philippe Jorion, and Nassim Taleb, a long-time specialist of financial derivatives, unfortunately reached only a niche of the financial industry interested in this very specific issue and failed to alert a broader audience such as the regulators.

In addition, the cry from the failure of Long-Term Capital Management (LTCM) could have been heard as a warning against model risk and dependence on modelled exposure, but it was interpreted differently. The emerging market meltdown that followed was instead seen as a lack of risk management techniques, which prompted the regulators to recommend a more formal approach.

This led to the Basel Committee for Banking Supervision (BCBS) consultation of the industry in the late 1990s to set up guidance rules for each central bank to enforce itself to some extent. As the consultations were essentially focused on large banks, which at that time seemed to have all the answers, they were quickly directed to quantitative analysis, VaR-based capital allocations and the building blocks approach. The language of Basel 1 and Basel 2 formally associated risk management sophistication with predictive modelling of market and credit exposure. The roadmap, transitional arrangements to implement risk management frameworks, would typically consist of laying out some foundation followed by refining the approach over time. Be it for market, credit or operational risks, for capital allocation, securitization or liquidity management, fine tuning in risk management was always implicitly associated with more sophisticated statistical analysis and modelling.

The generalization of VaR as a management tool and the fact that the regulators formally endorsed the methodology as the best approach to measure risk exposure and sensitivity would have two major consequences on the finance industry. First, risk management became essentially associated with modelling and statistical analysis. Second, risk management was inappropriately associated with regulatory compliance. In other words, the balance of risk and value generation, which had always been the discretionary practice of each enterprise as they adapted to changing conditions, was now handed over to mathematical models guided by standards defined by regulators. Risk management was thus not only detached from the business activities of the enterprise but was entirely removed from it.

Hordes of business and technology consultants roamed the planet with a two-pronged value proposition: First, model-based risk management dashboards are to be implemented to maintain a competitive edge in derivatives, control the costs of trading operations and monitor credit exposure. Second, banks can actually reduce the cost of the approach by optimizing their risk-based regulatory economic capital. The complexity of implementing statistical modelling and the magnitude of projects for creating straight-through processes throughout the enterprise remained a blessing for consulting firms, quantitative analysts and IT departments, but further isolated the practice of risk management into ivory towers of science and computing technology, further away from business reality and even from the executive managers.

A third consequence would eventually impact the entire world economy. The regulators embraced the methodology of statistical analysis as a main standard for computing net exposure, and hence risks and mitigations, as well as the capital structure ratio of financial institutions. This led to a worldwide standardization of capital ratios and in unprecedented uniformity of risk mitigation tactics and diversification strategies. For example, by recognizing credit mitigation tools to net out counterparty exposure, the regulators indirectly incentivized the use of credit derivatives. In a deregulated fast pace global economy driven by a relentless search for growth and capital efficiency, banks soon found themselves compelled to use credit derivatives.

When a rigid and uniform set of rules defines the conditions for doing business, it also shows the way by which those rules can be circumvented. In this case, the modelled approach to risk-weighted economic capital, resulted in a massive undercapitalization of the industry since banks were allowed to literally clean up their balance sheets of unwanted credit quality by mean of securitization and off-balance sheet schemes. More capital available would further inflate the lending capabilities, which would result in an even poorer credit quality standard, further fuelling the speculative bubbles and ballooning securitization.

Evidently, the chaos of the 2008-2009 crisis did not wait for the subprime crisis of 2007. It results from a long process in which statistical analysis progressively replaced human judgement, while electronic processing replaced informed decision. Financial institutions gradually lost sight of their internal balance of risk and value generation in respect of corporate policies desired by the shareholders. Externally, a culture of uniformity and convergence progressively replaced the corporate diversity that kept markets in balance. With financial institutions increasingly embracing similar strategies and tactics for business purposes and adopting standardized rigid financial structures, and the world economy operating like a leveraged hedge fund, it was only a matter of time before the entire structure lost its own balance and brought risk management into question.

1.3 THE DECADE OF RISK MANAGEMENT

Risk management brings balance sheets into perspective. Performance and especially overachievements can be perceived negatively. When investment banking divisions, for example, benefited from the exceptional volatility of all markets at the beginning of 2009, they were requested in many firms to bring transparency to their results or they would risk being considered potentially hazardous to their groups.

As the management of risks validates the performance of a firm, it becomes a strategic driver within firms, therefore deserving a new level of consideration. The role of the risk managers is changing accordingly since they now hold the keys of enterprise value. Functions that create value and are essential for firms to grow have a massive impact on corporate hierarchies, on the relative importance of the C-level executives sitting on the boards and on how Chief Executive Officers (CEOs) are selected. In the 1960s, for example, firms could grow through industrial development and technical innovation as the post-war world was accelerating its modernization. Engineers who could invent new products to create wealth and growth were a driving force of corporate strategies and their views would drive strategies. The companies that thrived in this new world were the innovative powerhouses of the automobile and electronic industries. Instilling a culture of innovation within their core structures, they organized their entire operation around the process of inventing, manufacturing and distributing. Then in the 1970s, the consumers’ markets of the developed world saturated and it became more critical to sell products than to produce them. It became the decade of marketing, advertising and publicity. Marketing divisions became powerful influencers. The cultural changes led to the appointment of chief officers for ‘marketing and innovation’ in large organizations who owed their success to their capability to convey their messages before shipping their products. The CEOs of the 1970s were likely to be picked from among them.

In the 1980s, the developed markets were saturated with both products and communications. To maintain growth, firms needed to become international. Firms started to systematically export their products and relocate their productions; the critical size for firms to become multinationals was dramatically reduced. Chief Financial Officers (CFOs) then replaced the engineers and the marketers as leading influencers of corporate strategy. It was their turn to hold the keys of the true value behind the balance sheet. This trend accelerated so much in the 1990s, with the emergence of the new economies of Asia, Central Europe and Latin America, the NAFTA agreement, the fall of the Berlin Wall and the entry of China to the World Trade Organization (WTO), that firms were no longer challenged to meet the requests of local and international clients but to develop strategies to cover the world. A decade of merger and acquisitions (M&As) followed, where the power shifted from pure finance to financial engineering. Firms would no longer wish to be present in every country. Translating, converting, adapting and communicating their offers would take too much time and effort. Growth and capital efficiency would rather result from mergers, acquisitions and - less publicized - ‘unmergers’ and division sales. The new generations of CEOs dreamt of becoming one of those visionary heroes who built empires like one manages a portfolio, buying and selling financial, technical and human resources based on return and capital efficiency. Shareholder value was the main focus, as long as it was achieved and rewarded appropriately, the amount achieved did not matter. This is where the disconnect between C-level board executives and the rest of the operations actually happened, leading to the compensation mismatch that later created public outrage. By merely recognizing performance through capital efficiency, the fate of CEOs, senior executives and whoever is incentivized with tools relating to shareholder value is no longer directly linked to the technical, commercial or human achievements of the company.

The early 2000s did not change much from the philosophy of the previous decade apart from, following the repeal of the Glass-Steagall Act in 1999, the fact that the spheres of banking and securities were bridged to create even faster development, higher leverage and unheard of returns on capital.

Clearly, then, the 2010s will be the decade of risk managers. New CEOs of ailing financial groups are increasingly being selected based on their risk management skills and experience, a trend that no doubt is expected to continue. In 2008 and 2009, the worst crisis since the Great Depression highlighted the urgency of restoring the lost balance, which made risk management the top priority of all regulators and most governments. Yet a stronger dose of a medicine that failed - or even made things worse - is unlikely to durably cure the patient. Making the rules even more rigid would not fix their vulnerability. Fixing methodologies for market or credit risk assessments can only achieve immediate objectives. Once growth and innovation have resumed, any regulatory-based approach, assumingly perfectly created, would necessarily be misaligned with new types of exposure, or industry structures from which growth will result. Supplementary capital requirements, mandatory liquidity buffers, new reports and special rules for the ‘too big to fail’ may, as a combination, have a dramatic and unpredictable impact on the corporate strategies and, even if they eventually turn positive, would be short lived.

Change needs to penetrate the industry deeper in order to restore the lost balances and reconnect the management of exposure and mitigations with business operations. Realigning the interest of the shareholders with those of the staff involved in business operations at every level of the hierarchy takes more than restructuring of a company or rolling-out a preconfigured methodology from a consulting firm. It consists of repurposing all resources - financial, technical, commercial and human - that inevitably lead to readjusting the perceived value of capital versus labour. How does the availability of capital at risk enable the creation of a working environment for human resources to contribute to increasing the value of such capital? The former and the latter clearly fulfil each others’ purposes. The key is to find to which extent they do so and define the rules of engagement. This is not the role of any regulator or policy maker. Neither is it a paradigm shift but it is, more importantly, a distinct cultural change.

The culture of free enterprise as a whole must better integrate the values of managing risks by balancing the quest for capital efficiency using the judgement of the human beings who are assigned to deliver it. It must happen through the right people, instead of relying on models or regulations. The following five chapters propose a methodology progressively to involve each level of a corporate hierarchy in the identification, assessment and mitigation of risks. It does not preclude the use of models and known methodologies but repurpose their use. The proposed methodology elevates risk management to the level of a corporate culture by which corporations will make sure that they are best suited to adapt to the ever-changing environment. Harmonious developments based on such organic adaptation and diversity will in turn foster the conditions of financial stability among nations and regions throughout the world. The last chapter focuses on industry and regulatory issues and proposes changes at this level as well.

1.4 RISK INTELLIGENCE PRECEDES RISK MANAGEMENT

When risk is managed as a corporate culture and brought as a core value to the forefront of corporate strategies, then the current systemic crisis will be over. Whether it is the cause or a consequence of the crisis, the financial system as we knew it will continue to disintegrate. The regulatory structures are far too misaligned with the realities of the global economy. The risk management techniques - not limited to but mainly inspired by regulatory requirements - are poorly adapted to the complexities of modern financial instruments. Funding strategies and liquidity management techniques are not sustainable under the current business conditions.

For these reasons, the new system order that will eventually restore confidence shall necessarily be based on the management of risks. Making risk management a corporate culture means bringing risk awareness to the very heart of each centre of profit and each centre of cost. As we will demonstrate and propose in the following chapters, it requires a risk-based information workflow throughout the enterprise, the backbone of the new corporate culture. For corporations to adapt naturally to their ever-changing external business conditions and internal challenges, their approach to balancing risks and performance must be adaptive, as a piece of ‘corporate DNA’ (the deoxyribonucleic acid that contains and distributes genetic information in living organisms).

Several levels of information layers will be necessary to establish the necessary exchanges. First, the information workflow ensures that the brain and the organs are perfectly in sync and react together to information about internal and external conditions. We later refer to cause and effect reflexes. Second, the system must be able to store critical information and build its own body of knowledge. The following chapters will propose in detail a step-by-step methodology to create and maintain those flows.

Moreover, the culture of risk management and the risk-based information flow must pervade the financial sector, as well as national and regional economies. The above types of information flow are again necessary: first, the creation of cause-and-effect processes in order to take action and prevent risk from becoming losses as early as possible and, second, creating and maintaining a body of knowledge in which action taken, risk events, gaps and failures can become lessons for the entire system to use for adapting. The final step is to redistribute the knowledge and information under formats that can be read and understood by all.

New or revamped regulations should therefore promote reactivity and agility rather than imposing uniform tactics and standard internal structures that may not necessarily meet corporate cultures and the shareholders’ objectives. The regulators and the industry representatives need to embark in constructive cooperative programmes to define the key principles of the workflow.

The build-up of a body of knowledge, which would help to define the overall business conditions and detect asset concentrations of ‘bubbles’, for example, is a key element of the adaptation process. Statistics, monographs, databanks and generally all information that would let the members of a sector understand in which type of ‘regime’ they operate, with alert triggers and emergency support available, are tools used in other industries when they collectively face adverse business conditions with potential effects reaching beyond the sector they operate within.

1.5 RISK MANAGEMENT AND THE HUMAN DIMENSION OF CAPITALISM

The task of rebalancing the values of capital and labour within the financial sector and then within the economy is certainly daunting, but the human approach to the balance of risk and returns that we propose to re-establish through the methodology hereafter can be used as a key. Once understood and implemented as a culture, the management of risks is precisely the hinge between delivering performance and maintaining sustainable business conditions to achieve corporate or systemic goals. In other words, the inner notions of managing risks are the missing links between capital and labour if those who are tasked with delivering performance use judgement, skills and experience to remain within the boundaries of the risk appetite expressed by the providers of capital.

1.5.1 Risk scales and balances

Capital is provided by the shareholders for corporations to deliver a return. To this extent, we can say that the conditions of obtaining capital define the performance objectives. The cost of capital, for example, drives return expectations. Yet the performance objectives are pondered by the risks that corporations have to expose themselves to. The external business conditions, the regulatory and legal requirements or the volatility of the markets require an appetite for risk that the shareholders may or may not have, depending on their corporate culture. Whenever the risk appetite of the shareholders matches the risk management capabilities of the executive team, an agreement is found and a bond is established. It is only and exclusively in the context of a specific corporate culture that the bond exists between the executive management team and the shareholders. Thus if risk management is part of the corporate culture shared by all staff within a firm, all participants within a system, then the core values used to manage the corporate risks are the very limitations of capital objectives. If the values are truly shared and rooted in the corporate culture, then the more human intervention in the management of risk, the more accurate will be the balance between the value of human labour and capital efficiency. Following the excessive independence of executive management boards in the 1990s and early 2000s, which resulted in a disconnect notably illustrated by the compensation mismatches, the corporate world will now evolve towards finding a new balance between the perceived value of labour and capital remuneration. This balance will solely rely on the adequacy of risk management principles individually applied to each specific corporate culture.

1.5.2 A risk culture is corporate DNA

A corporate culture is generally defined as a set of core values shared by a community, defined and abided by through common principles. A corporate culture of risk management is much more than that. Because risks are never still and keep changing in nature and magnitude, risk management principles need to be more than just defined and even more than just kept alive. They need to adapt.

As previously discussed, managing risks as a corporate culture relies on exchanges of information and on the existence of cause and effect reflexes. It also requires the continuous accrual of countless tiny pieces of information into a body of knowledge, a memory databank that progressively assimilates patterns and uses them to readjust the information flows and the cause and effect reflexes. In time it creates a self-adaptive culture that becomes ‘corporate DNA’ influencing all decisions and perceptions shared by the providers of resources, capital, liquidity and labour.

A DNA process not only creates a culture but also keeps it alive. Precisely the main role of DNA is not only to store information but also to code it so that it becomes instructions used to build other components. Data become genetic information brought over to the operating organisms in units, which are able to spell out their genetic instructions. This is achieved through a genetic code that the organisms are able to read and understand.

The risk management culture of each specific firm replicates this process. First, it needs to gather sensitivity from risk factors by establishing sensors in order to read information arising from the outside and the inside, in order to understand how they impact each other. Following this, it must analyse whether the sensitivity to the hazards fits the instincts and desire for survival of the shareholders (risk appetite). To what extent the existing cause and effect reflexes (or lack of) are fit or unfit for the designated purpose is the risk management assessment continuously accrued as a body of knowledge containing risk intelligence. For these data to become genetic information they must be analysed and understood. A scenario-based approach simulating the potential effects of shocks on the risk factors estimates the boundaries of exposure that can meet the expectations defined by the risk appetite. Those boundaries (exposure and sensitivity limits) must now be codified in such a way that the organisms (units) can read them and use them as instructions. Their feedback will in turn increment the corporate memory, which becomes risk management intelligence.

Our proposed methodology for the definition and implementation of a corporate culture based on risk management will therefore consist of the five following steps (Parts 1 to 5):

1. Distributing risk exposure and sensitivity across the enterprise

2. Empowering business units with risk management capabilities

3. Creating an information workflow for continuous feedback and preventive decision making

4. Aligning funding strategies and liquidity management tactics with corporate risk policies

5. Enabling external communications, disclosure policies and transparency

Part 6 then follows, which suggests ways regulators can abide by the same principles in order to establish an adaptive risk management culture among the financial sector participants.

Part 1

Distributing Risk Exposure and Sensitivity Across the Enterprise¹

Executive Summary

This part describes the first critical step towards implementing a corporate culture focused on risks: distributing all risk exposure by risk factors to all groups or individuals of a company that are responsible for it, instead of cumulating them on business lines.

To distribute risks, one first needs to identify the factors and conduits that lead to the root-risks. Then one can assess the exposure of groups and subgroups of individuals to those factors. Once the exposure is understood and acknowledged by all, each business unit can estimate the sensitivity of the exposure based on a baseline scenario, a high-severity scenario and a catastrophic one. In return, risk managers will be in a position to collect and aggregate risks as understood and estimated by the agents conducting day-to-day business activities - the actual generators of risks. This is a major departure from the previous approach, where computing risks out of exposure merely relied on models. This new scenario-based approach fosters a collective participatory environment, which is key to establishing a culture.

Distributing the exposure to the respective individuals through risk factors that they define and understand is the initial step to raise awareness. Further engagement would require business unit managers to assess the sensitivity and quantify risks. Eventually, ‘riskconscious’ behaviour should pervade throughout the enterprise into all areas such as company expenditures, product quality or customer satisfaction.

Information systems must be designed to create an adaptive and dynamic workflow of risk-based information. The architecture must be mapped on such workflow, thus integrating the multiple and ever-changing sources of information, distributing exposure and collecting feedback as a nervous system enables body movements. The resulting risk information workflow, or ‘Risk Bus’, is critical to implement the successive steps towards establishing a corporate culture, empowering the units so that they are in control and fully accountable for their risk mitigation.

The key to truly control risks is to take action where and when risk arise and prevent rather than cure. To achieve this, risks must be contained within predefined limits, either through hedging or sensitivity caps.

This, however, is more of an art than a mathematical science, for sure hedges and stable limits are difficult to determine or achieve. The responsibility of designing, implementing, monitoring and adjusting the hedges must therefore be allocated to responsible and accountable units. To achieve this, it is necessary to empower people with the corresponding accountability for the risk they take, and rewarding them appropriately for maintaining exposure within the defined boundaries. Human intervention at this stage would be critical to the success of risk management. Risk exposure and sensitivities do not merely rest on amounts and figures. In other words, risk is a changing geometry, an adaptive complex system that reacts differently in time to yet identical factors.

To truly manage its risk, a firm must make the largest number of people responsible and accountable for it. However, people can only feel responsible for what they understand and would only take action on what they can see. Hence, the cause-and-effect relationship between risks measured as exposure, sensitivity and maximum loss, and the action they take must be clear and obvious. Value-at-risk limits, for example, imposed by the mid-office departments to front office desks, have failed to produce the desired effect. Most traders would find them theoretical, hypothetical and, more importantly, belonging to another culture.

Leverage effects must be well accepted. This means that the trade managers or unit directors must feel ‘comfortable’ with their leverage, avoiding the sensation of piloting a car too fast for one’s skills. So the total amount of responsibility for risks must first be understood and accepted firm-wide, and then distributed to each of the responsible actors. Whenever the relation between business operations and risk management is no longer linear, or is blurred by excessive complexity, further distribution of risks would be needed.

Identifying risks factors that people can comprehend and quantify as their ‘comfort level within those risks is the very first step to implementing a culture of risk management. To move to the next level of risk management, the distribution of risks by risk factors as well as deriving action from risk information are absolute prerequisites, as opposed to simply estimating potential losses based on historical observations.

The traditional approach to risk management consists of cumulating exposure by business lines, which has been suggested by the risk managers and regulators who wanted to break the silo structures inherited from the rapid inorganic growth of the roaring 2000s. The diversity of business lines, however, meant that assessment of risks was akin to comparing apples with oranges, which led to model-based theoretical approaches. An example was the 2007-2008 crisis, which later revealed that the operational risk of cross-division modelling was even worse than the credit and market exposure it initially wanted to hedge when credit risks transferred from banks to asset management divisions ended up in an equity market crash.

In the post 2007-2008 crisis era, managing risk departed from implementing strategies in a uniform manner, where estimating exposure extended beyond modelling it. Undoubtedly, mitigating and managing risk must become a corporate culture, a set of values and attitudes shared by all operating units within a firm. Risk is people’s business.

A long journey to raise risk as a core value of the corporate culture has begun. Among the changes that are necessary to implement a corporate culture based on risk, and as a starting point to involving people at all levels of the hierarchy, business managers should be required to assess the exposure they generate through the operations they conduct. The total exposure should therefore be distributed by risk factors on to the various business units, which will also be required to estimate the risk sensitivity and maximum losses.

Identifying Risk Factors