Pim Poppe: How do we staff the risk management organisation?
This column was originally written in Dutch. This is an English translation.
By Pim Poppe, Managing Partner at Probability & Partners
Risk management has become enormously broad and deep in recent years. Regulations governing risk management are often extremely prescriptive, sometimes provide limited guidance, and are sometimes even absent, particularly where emerging risks are concerned.
Certain risk areas can also suddenly become a priority and require extra attention and resources. Examples include geopolitical risk, cyber risk or the Wtp transition. A key question for a pension fund, asset manager, bank or insurer is whether these activities should be carried out by in-house staff, self-employed professionals or external agencies, or what the ideal mix might be.
Options for structuring a risk management organisation
Advice on risk management organisation
In recent years, Probability & Partners has advised pension funds, insurers, pension administrators and banks on the implementation of (parts of) the risk management function. This involves determining how to structure the tasks, powers, responsibilities and reporting lines. It also involves determining whether these activities should be carried out by permanent staff, by self-employed professionals or by an agency.
In recent years, we have advised on the Key Functions of Risk Management and Internal Audit, the risk management department, model validation, model risk management, as well as the CISO / ISO and the data protection officer. On a number of occasions, we have assisted with the comprehensive redesign of the ‘three lines’ model. Sometimes we are asked by an institution to assess the entire risk management organisation and provide recommendations for improvement, in terms of governance, staffing, data & systems, regulatory compliance, and the quality of risk management output.
Risk or audit as a managed service
We also provide clients with risk management services as a managed service. This means that we permanently carry out the risk management activities, or part thereof, on behalf of a client. This relieves the client of these concerns. This may involve the Key Functions of Risk Management and Internal Audit, the risk management department, model validation, model risk management, but the CISO / ISO and the data protection officer can also be provided as managed services. At present, managed services account for approximately half of our service provision. The consultancy work on the structure and the operational work in managed services reinforce one another.
Advantages and disadvantages of staffing
A key question here is whether risk management or internal audit should be carried out by permanent staff, by self-employed professionals or by an agency. Given the client’s needs, ambitions and financial capacity, one of these options is preferable. Based on our experience, we have identified a number of considerations.
To bring these abstract considerations to life, let us assume we need to define the risk management function for a medium-sized pension fund. What, then, are the considerations? These are set out in the table below.

Brief explanation of the table
This is an indicative example for a medium-sized pension fund. For large funds or other sectors, the balance may be different. The key point is that a careful assessment must be made. The following considerations may play a role:
Expertise
When it comes to expertise, we prefer an agency. Agencies often employ experienced risk managers who have fully committed themselves to the profession. Furthermore, an environment with colleagues performing the same work for other clients offers the opportunity to share knowledge and provide professional feedback. We also believe it is virtually impossible for a single person to possess expertise across all risk domains. If the Key Function Holder for Risk Management is less knowledgeable in a particular sub-area, they can call upon specialist knowledge within the consultancy.
Independence
In terms of independence, we also prefer an agency. If necessary, the agency can let the client go because the financial consequences are negligible in the bigger picture. A permanent employee or a self-employed person might, due to the loss of income upon dismissal, choose not to stand their ground when it is necessary to do so.
Knowledge of the organisation
As regards knowledge of the organisation and picking up on informal signals, a permanent employee is generally preferable. It should be noted, however, that for all options, physical presence can greatly enhance knowledge of and rapport with the client.
Hourly costs
These are lowest for the permanent staff option and highest for the agency option. The self-employed solution falls somewhere in between. The actual costs may be the same or even lower because an agency has greater resources in terms of knowledge, templates and approach based on work previously carried out for other clients. The role can then be fulfilled in fewer hours.
Continuity
Experience shows that all employees fall ill or change jobs from time to time. If a particular role at a financial institution is filled by one or two permanent staff members, the disruption is significant if someone is absent. An agency, on the other hand, often has the advantage of having several consultants with comparable expertise and client networks. If someone is unexpectedly absent, a replacement can often be arranged quickly and easily.
Scalability
As mentioned, increasing risks and additional regulation or supervision are difficult to plan for. They simply happen. In such cases, it is beneficial to be able to scale up capacity quickly. The Wtp transition, for example, has led to extra work in many places. We expect this will also apply in the near future to the mitigation of geopolitical risk.
External signals
In principle, picking up on relevant external signals is easier with more people than with fewer. If knowledge-sharing is well organised, an agency usually has more eyes and ears than an individual. This may concern IT hacks, best practices, a different or stricter stance by a regulator, opportunities to deploy AI, and so on.
Combining key function ownership and fulfilment in a single solution?
A related issue is whether key function ownership for risk management and the fulfilment of key functions should be assigned to a single party. This applies to all key functions. Sometimes the decision is made to assign the role of Key Function Holder for Risk Management or Internal Audit to a director, whilst an agency is hired to fulfil the function. Sometimes, a single solution is chosen for both Key Function Holder status and fulfilment, and this is outsourced to a specialist agency. Sometimes, the Key Function Holder status is assigned to a self-employed individual, whilst the fulfilment is handled by an agency. Various considerations also play a role, including, at the very least, expertise, scalability, continuity and costs.
Procedures or substance
A final debate that has been topical recently is what exactly is expected of the Key Function Holder for Risk Management and its fulfilment. Should the focus be primarily on a limited domain along a procedural axis? Or should the view be broader, primarily along the axis of substance? We have seen quite a few discussions on this over the past few years. Sometimes the board puts the Key Function Holder for Risk Management in a bit of a bind by saying that it is not within the Key Function Holder's remit. Sometimes the Key Function Holder for Risk Management also tends to stay a little too much in the safe procedural corner of ‘everyone has looked at it, it has been procedurally signed off, so it is fine’. At Probability & Partners, we believe that both procedure and substance are important, but when it comes down to it, substance must take precedence over procedural considerations.
Conclusion
Risk management is broad in scope and deep in substance. Furthermore, it is subject to often stringent regulation and supervision in a world where the scale and nature of risks can change rapidly. The question is what mix of permanent staff, flexible personnel and agencies will achieve the best possible outcome for the financial institution. As an example, we have worked out the options for a medium-sized pension fund.
The key conclusion, in any case, is that staffing is a conscious decision that takes into account ambitions and financial capacity in order to arrive at a suitable solution.