Jessica Chew Cheng Lian: Integrated risk management approach for maintaining resilience & sustainability

Speech by Ms Jessica Chew Cheng Lian, Assistant Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at the Business Continuity Management Conference "Integrated Risk Management Approach for Maintaining Resilience & Sustainability", Kuala Lumpur, 15 September 2015.

I would like to thank the Disaster Recovery Institute, Malaysia and Sterling Risk Solutions for the invitation to speak at this Business Continuity Management (BCM) conference. Today, the ability of corporations to effectively manage risks has become a key factor that determines the agility and resilience of businesses. Business imperatives are changing so dramatically that risk management has become a more significant part of most organisations out of sheer necessity - largely driven by regulation, the desire to avoid costly sanctions, or to respond to increasing environmental and political risks. In leading organisations, the successful integration of risk management with strategic and commercial decision-making is creating important competitive advantages that are likely to be sustained over the longer term. This distinct organisational strength is one that cannot be easily replicated for the simple reason that building and maintaining a complete organisational response to strategic risk management, unlike say introducing a new product or marketing strategy, is not something that is accomplished within a short period of time.

This morning, I would like to talk about some of the changes we are seeing in the practice of risk management and reflect on important priorities for risk management as observed from our work at Bank Negara Malaysia with the financial industry. I will then offer some brief perspectives on business continuity management and close with some final thoughts on the prospects for the insurance industry in Malaysia to contribute towards the advancement of risk management capabilities across Malaysian businesses.

Changing practices in risk management

Since the financial crisis, risk management practices have come under intense scrutiny. The spectacular failures in risk management in the lead up to the crisis prompted deep reflections on what had gone wrong with risk management systems and practices - not least of all among companies that had invested heavily in sophisticated risk measurement and management systems only to have them ultimately fail to detect or control risk exposures. Closer to home, businesses in Malaysia are currently facing a set of challenging business conditions and some are likely to find themselves ill-prepared to respond to the challenges, with important implications for their future prospects.

So what can we learn about the changing practice of risk management from these experiences? A first observation to my mind concerns the importance of building a strong risk culture supported by governance arrangements that are explicitly aligned to a firm's risk appetite. It is striking that, in the last five years, global standard-setting bodies such as the Basel Committee on Banking Supervision have moved to address risk culture, risk appetite setting and risk governance more explicitly in regulatory standards. This was not the case prior to the crisis, when emphasis was predominantly placed on risk management processes and systems, believing that this ought to be sufficient. Organisations largely failed to take into account behavioural biases that play such an important role in senior management decisions which ultimately affect the risks that a company will be willing to take or tolerate. These decisions include how performance targets are set for staff, how incentive structures are designed, and the stature and resources that are provided to risk management functions within the organisation - all of which can create a constant uphill struggle for risk managers to have any meaningful impact on risk outcomes. To illustrate the point, a report published by the Office of Financial Research in the United States observed that many of the advancements in risk management over the last decade have resulted in a highly analytical-focused discipline, while largely ignoring the fundamental drivers of risk-taking that are rooted in more subtle behavioural characteristics.

Within the financial industry, financial institutions in Malaysia are required to establish a well-resourced independent risk management function that reports directly to a board risk committee, and take active measures to promote a prudent risk culture in the organisation. This includes properly designed incentive structures that must reflect risk outcomes. Financial institutions are also required to regularly review their risk management methodologies and processes to account for the changing business environment. This aims to ensure that risk management does not become something one does to check off a box on a list and then forgets about.

A second notable observation has been the broader focus of risk management. While financial risks remain a key focus of risk management practices, risks from reputational, human capital and environmental concerns can have equally significant repercussions for a firm's business. Recovering from reputational damage is a hugely expensive endeavour, takes a long time, and success is often not assured. We have observed in our own work that where institutions take a broader view of risk management in these areas, conversations around the role of risk management at the senior management and board levels are more likely to shift beyond avoiding losses, to enhancing strategic opportunities for improving the institution's competitive position. This itself can have a mutually reinforcing effect of directing more resources towards risk management and creating better synergies between business and risk functions.

While more firms are acknowledging the importance of reputational, human capital and environmental risks, actions however have generally not measured up. Many companies still have weak succession plans in place and remain vulnerable to key-man risks. Few companies have robust risk management frameworks that incorporate measures of how their products and services affect the well-being of consumers or if consumers are being treated fairly, as long as legal exposures are contained. And efforts to adopt triple bottom line approaches to reporting firm performance are only beginning to gain traction. Within Asia, fewer than 10 banking institutions today subscribe to the Equator Principles for assessing and managing the environmental and social risks for projects.

Clearly the gap between the existing risk management practices and a whole-of-business approach which fully embraces broader aspects of risks remains large. Regulation and greater shareholder activism will remain important drivers of change, and in my view, so will a new breed of risk managers who effectively integrate traditional and emerging risk perspectives, and who can speak to these perspectives in a compelling and cohesive way to an organisation's key stakeholders.

A third observation that I want to make today relates to the increasing importance of viewing risks over a longer-term horizon, and imagining the unthinkable. I mention these together for a reason. When one is focused on looking both backward and forward over a reasonably long horizon, the universe of what is unthinkable becomes smaller and our vision is less likely to be blinkered by limited experiences of only the most recent past. We are also likely to become more open to broader possibilities of new and emerging risks on the horizon. In the world of creative arts, it is often said that we are limited only by our imagination. I think the same can be said of risk management. If we can stretch our imaginations a little further, then there is a higher chance that risk management will be more proactive in anticipating future problems, especially problems that we may have never encountered before. This requires risk managers to go beyond estimating the probability of risk events occurring, and allowing a greater role for uncertainties, no matter how remote, to feature more prominently in risk management approaches. While easier said than done, innovations like reverse stress testing and the increasing degree of internal and external collaboration that goes into constructing stress testing scenarios are positive indications of how firms are responding to this challenge. On this score at least, risk management is increasingly proving to be more of an art than an exact science.

Organisations also continue to face significant challenges in efforts to break down risk silos and achieve an integrated view of organisational risks that adequately takes into account operational dependencies and common exposures that can significantly amplify risk outcomes. A key challenge often overlooked is the failure to effectively integrate human resource management strategies with enterprise-wide risk management goals. This can create significant inertia, with organisations often falling back to managing risks in silos as the default position. Successful organisations have recognised that silos are fundamentally a cultural phenomenon. If we can build and nurture people within an organisation to be always attuned to risks that may affect the organisation, whatever their nature or origins, then there is a good chance that any system, process and framework constraints will be more easily overcome and less likely to inflict major losses on the organisation. When faced with challenging business and financial conditions and a highly dynamic environment, it is always more important to have excellent people than excellent models.

BCM as part of enterprise risk management

This brings me to the more specific area of business continuity management, or BCM. A paper published in 2008 by the Chartered Management Institute of the United Kingdom found that 76 percent of the survey respondents reported that business continuity management is seen as important in their organisations but only less than half revealed that they have specific business continuity plans. There are several reasons for this which I will not get into here, but a major one is the lack of metrics to measure success in the absence of a major institutional crisis. One commentator put it this way - the return on investment is simply that business stays open.

Two contrasting examples of BCM help to underscore this point. Investigations by the Japanese Government into the Fukushima tsunami disaster revealed material inadequacies in the handling of complex risks associated with managing a nuclear power plant. This was demonstrated in poorly executed emergency procedures in evacuating residents during the incident. Consequently, the operations of the power plant were suspended. In contrast, during the 9/11 attacks on the World Trade Centre, a sustained commitment by a large multinational financial service provider to strengthen its BCM and continuously improve its evacuation procedures over almost a decade enabled it to reduce the time taken to evacuate its employees from four hours to 45 minutes, saving thousands of lives.

Within the financial sector, a key focus of reforms since the global financial crisis has been on the development of recovery plans which aim to protect the continuity of critical functions and core business lines in a situation of financial stress. Work has also been initiated to implement this in Malaysia. Financial institutions are expected to develop a menu of options for recovering from events of severe stress in order to restore business to a stable condition. These plans must be regularly updated to reflect changes in a firm's business model and operational arrangements. At its most basic level, recovery plans are helping financial institutions to better understand their operational and financial interdependencies and how this can affect recovery options that are available to the institution. Some institutions are finding through this process that their operations have become far too complex to support credible recovery strategies. These institutions are taking or considering steps to restructure parts of the business to achieve wider options for recovery. Indeed, an important development emerging in the recent period has been the more explicit consideration of implications for recovery plans in key strategic decisions, such as decisions to hub operations at a particular location or service provider.

As much as organisational resources are put into enhancements of business continuity management, it is important for businesses to always keep in mind the inherent limitations of business continuity plans and not be lulled into a false sense of confidence that these plans may provide. Scenarios featured in these plans are often based on assumptions, which are a simplification of reality at best. Such scenarios should always be rigorously challenged to account for changing conditions. Business recovery or resumption actions should also contemplate a range of conditions to build agility within the organisation to execute required, but potentially untested, responses. Firms should expect that they will rarely get to a point of precision in their scenario planning and BCM responses. This does not mean that BCM is necessarily reduced to an exercise in futility. A commitment to continuous improvements in BCM is almost certainly likely to prepare firms better for disasters and tail risk events even if those specific events were not exactly contemplated. This is because the organisation will be naturally better at coming together in a crisis, and would be able to leverage on some of the core elements of response plans that have already been developed and tested.

The world today is encountering more extreme disasters such as epidemics and unpredictable weather-related calamities. In our own country, the worst flood disaster experienced in decades last year saw over 250 thousand people displaced with estimated costs of more than two billion ringgit to repair damaged infrastructure. This presents a sober reminder of the responsibility of all corporations to ensure that they are well prepared for and remain resilient against calamities, not just for their own survival, but in the interest of employees and the community that depend on them.

Role and prospects of the insurance industry in advancing risk management

The cost associated with negative tail-risk events will only escalate as business networks grow in complexity. The use of insurance continues to be an important way in which companies can reduce this cost by transferring risks to insurance providers. Insurers are well-placed to assume such risks given their long-standing history in risk analytics which enables them to effectively exploit the law of large numbers and benefit from risk pooling. Among emerging economies, however, there is still a sizeable protection gap in spite of the increased frequency and severity of weather-related disasters and other natural catastrophes. In 2014, insured losses in Asia only covered about 10 percent of total losses incurred as a result of natural and man-made disasters. Combined insurance premiums written from emerging markets accounted for only 18 percent of global premiums in 2014, against 82 percent recorded from the advanced economies. Given the concentration of growth and development in emerging economies, going forward, the extent of under-insurance is a concern. In many of these economies, efforts are being aggressively pursued to increase awareness of the importance of insurance protection in helping one manage risks, and to develop an effective insurance market to meet these needs.

The insurance industry in Malaysia currently stands at a crossroads of implementing important reforms being introduced by Bank Negara Malaysia both in the general and life insurance sectors. The objective of the reforms is to further enhance the competitiveness of the industry, ensure its continued resilience, and encourage greater innovation in solutions offered for households and businesses to better manage risks. To this end, two aspects of the reforms are significant. The first is the progressive strengthening of prudential standards that aim to improve underwriting and risk assessment capabilities within insurance companies, while substantially strengthening incentives for insurers to differentiate themselves in the market. The second is the structural changes that are being introduced to reduce market distortions and drive efficiency improvements. Beyond domestic borders, the Bank also continues to pursue further liberalisation in the cross-border provision of insurance in certain sectors, such as the Marine, Aviation and Goods in International Transit (MAT) sector, both to enhance capacity and reduce costs for businesses. This is primarily being advanced under regional integration plans, focusing in particular on ASEAN.

Taken together, the reforms are expected to result in wider product offerings and delivery channels, service quality improvements, greater market transparency, and more differentiated pricing that is reflective of risk.

This will help risk managers for whom the decision to purchase insurance is increasingly driven by wider considerations which go beyond just the intention to transfer risk. Significant advancements in risk management practices and financial innovations have substantially broadened the actions that risk managers can take to control risks. For many companies, insurance solutions are no longer viewed as the only, or even the most important, way to reduce risk exposures. The insurance reforms will allow the industry to better respond to changing demand drivers. Importantly, it will also create opportunities to build stronger partnerships between corporate risk managers, insurance companies and insurance brokers in elevating risk management practices more generally. This includes a wider role envisaged for the industry in providing risk advice to clients, and initiatives to advance the quality and coverage of risk information that is useful to risk managers across a broad spectrum of areas, such as information on hazard exposure, demographic changes and technological risks.


In conclusion, maintaining that delicate balance between extreme risk aversion and well-reasoned risk taking, which is essential for businesses to grow and prosper, will always involve difficult judgements. We should be careful to ensure that advancements in risk management practices are serving to sharpen, and not blunt, such judgements. This requires that investments in people and processes are firmly supported by good information, confidence in a strong risk culture, and compelling risk managers who will ensure that organisations do not become complacent, and remain focused on doing their very best to prepare for any possibility.