Risk Management Organization and Central Functions
The emergence of risk models and the enterprise-wide organization of risk management, with the central units such as the risk department and asset-liability management (ALM), allow risk management to extend "bank wide," across all business lines and across different risks. Risk management practices traditionally differ across risks and business lines, so that a bank-wide scope supposes a single unified and consistent framework.
Bank-wide risk management promoted the centralization of risk management and the "clean break" between risk-taking business lines and risk-supervising units. Risk supervision requires independency from business units, since business units face conflicts between expanding business or profitability and risk controlling. A clean break between business lines and a bank-wide supervisory body applies to supervisory processes, such as setting guidelines or resolving conflicts between business units (front offices) and risk controlling. A centralized risk control unit would be over-loaded by the number of risk issues raised by the front offices. Risk managers embedded in business lines within the "first line of defense" should be accountable for risk as well, allowing decentralizing the process.
The risk-supervising unit has full control of risks, possibly at the cost of restricting some of the riskiest business developments. The risk department is under the direct control of the top management. It sets up all guidelines for controlling risk, such as risk limits and reporting, with which all business units should comply. As such, it defines, with the top management, the risk policy and the operational guidelines of the bank.
Two other central units are in charge of risk management, and are subject to the risk department supervision.
• ALM - asset and liability management - is the unit in charge of managing the mismatch risk and the liquidity of the bank. It belongs often to the finance department. Internal funding transfer prices are the responsibility of ALM. They serve for defining the costs of funds used up by all business lines. The fund transfer pricing (FTP) system is bank-wide and plays a key role in that it defines the cost of funding of the business lines.
• Credit portfolio management is a relatively recent function, whose purpose is to reshape the lending portfolio, or a fraction of it, making extensive usage of such techniques as "securitization" and credit derivatives to achieve such rebalancing. Credit portfolio management appears as the most recent evolution of the business model of banks, from the "originate and hold" view to the "originate and distribute" business model. "Distributing risks" means transferring them to other financial players, through securitizations or credit derivatives. Securitizations have been used for decades. Credit portfolio management uses credit derivatives for trading credit risk. When purchasing credit derivatives, it hedges the credit portfolio risk, when there is concentration of credit risk on certain industries or regions for example. When selling such instruments, it takes an exposure on credit risk, for increasing the diversification for example.
Both ALM and credit portfolio management have risk management duties that might generate additional profit for the bank, and can be profit centers. By contrast, the risk department has a supervision role, and might extend its activities to restructuring some transactions jointly with the business lines, for making sure that they comply with risk guidelines. But the risk department cannot be a profit center unlike the other risk management units.
Internal auditors, the "third line of defense," focus on periodical auditing of internal processes, making sure that they comply with internal rules as well as external regulations. Auditors can examine any unit of the bank, from central functions to all business lines. Although introduced here in relation to risk management, auditing has a larger scope of activities since its scope extends to all processes whether or not related to risk management. Auditing has the ability to make recommendations and supervise their execution. Compliance with risk regulations and supervising risk management tools, practices and models, risk data collection and recording in the information system relies on a number of areas of expertise. Internal auditing often relies on validation units for specialized auditing on risk models and information systems.