The separation of Risk Reporting from risk taking is a key tenet of ERM and especially of bank risk culture. The idea is that someone other than the person who is judged for the P&L of risks must be the one who reports on risk positions.
If looked at from a logical perspective, this must be because business unit people, such as risk traders, are not to be trusted. When faced with the opportunity, they will lie about their risk positions.
This might be because the people who might be doing the false reporting believe that what they are doing is ok because there is something different between risk and profit. Risk is about the future. A measure of risk is ephemeral. It exists in a moment and is never proven by experience. In most cases, risk either becomes a loss or it evaporates to nothingness. It is that latter sense that tempts the traders and other risk misreporters. In their reckoning, “no harm, no foul”. If the risk didn’t become a loss, it really doesn’t matter what number we wrote down for it. And if there is a loss, what is important is the amount of the loss, not the potential loss that we call the risk measure. They may consider themselves to be realists.
Profits are different, aren’t they? They are about the past. So when they are recorded, profits are facts, aren’t they? Well, no, not really. Profits usually depend upon several estimates of provisions for future contingencies. Sarbanes-Oxley in the US has set up a massive system that leads to a statement by the CEO that the financial reports, the reports of profits, are correct. So for profits, the CEO can be the ultimate arbiter if the company spends enough time following auditing procedures. The CEO can be trusted to report on his or her own profits, usually a key determinant in compensation. But for Risk, many call for a CRO who is independent of the CEO, who reports directly to the board, so that this independence of risk reporting and risk taking can be maintained at every level. The presumption is that the CEO does not believe in ERM, so will be tempted to apply the “no harm, no foul” principle from time to time.
This is evidence of a broken risk culture, not a part of an effective risk culture.
That line of thinking means that in general, management and especially the traders do not believe in the risk management program of the organization. It means that no one actually believes that it is important whether the bank stays within its risk tolerance. It means that if a risk trader were to lie about their risk position and make a profit because the risk did not become a loss, the organization would not fire or censure or probably even sincerely reprimand the trader as a matter of policy. And the manager who gave the “reprimand with a wink” would be considered the real carrier of the company culture rather than the risk management person who pointed out the misrepresentation. That risk management person would be considered in league with the regulators, not the bank. A member of the Business Prevention Squad.
That is not the reaction of a bank to most dishonest actions. For example, if someone in a bank were caught walking out of work one day with their pockets stuffed with cash, that person would doubtless be sacked immediately and turned over to the police. But if a risk trader misstates their risk position and, because of that misstatement, is able to maintain a risk position that they otherwise would have had to sell or offset, and that leads to them walking out of the bank with a large (sometimes extremely large) check, then that dishonesty is ok. It is ok because “no harm, no foul”. Which is the same as saying that the bank does not really believe in one of the central tenets of risk management. That is the idea that your risk evaluation is a good indicator of your expected losses over time. Which leads to the belief that limiting the potential loss indicated from risk evaluation will, over the long haul, limit the losses.
That is what is totally wrong about the Risk Culture discussion from the regulators as epitomized in the FSB paper on Risk Culture. In that document, regulators are urged to perform an evaluation of the risk culture of the bank. But the evaluation is all about assessing whether banks are going through the motions of a good risk culture. It includes the separation of risk reporting and risk taking as one of the key components of a strong risk culture. By this approach, the regulators are acknowledging that the banks will never actually reform their cultures to the extent that they will actually expect their employees not to lie about their activities. They are, in effect, saying that the key financial services of the advanced economies of the world should be expected to always operate in such a manner.
The most important aspect of risk management culture is whether the board and management believe in the importance of ERM. If they believe in ERM, they will execute as competently as they execute most other important functions. If they do not believe in ERM, telling them in detail how to execute ERM is of little impact. And the aspect of risk culture called “Tone at the Top” will be delivered without a wink.