Monitoring A Financial Institution's Risks Across the Entire Enterprise

Fabrice Fiol, Deputy Head of Enterprise Risk Management (ERM) for Societe Generale Americas, co-leads a team in charge of monitoring the risk profile of the US operations across several risk types including market risk, credit risk, operational risk, model risk, compliance and legal risk. Fabrice just published an industry paper on how financial institutions should implement practical enterprise risk management.  As a relatively new discipline within financial institutions, we thought we’d take the opportunity to ask Fabrice to explain what enterprise risk management is and how it helps safeguard financial institutions by developing a holistic approach to risk management.

Fabrice, when people generally think of risk management within the context of banks they often first think of market risks and how a bank might protect investments against an unforeseen event, such as what beset financial institutions around the world over a decade ago with the sub-prime crisis.  But just as important for a financial institution is protecting against risks that can impact a business’s operations.  How do you define and measure these risks in a way that is useful to a financial institution?

For many years, risk departments have been organized around the market, credit and operational risk departments, all reporting risks separately to the Chief Risk Officer. This siloed approach has obvious drawbacks. Large transactions or business activity developments may require that several risk teams jointly assess these risks, while an operational or compliance alert may lead to credit or market risk limit adjustments. It is also very difficult to prioritize action plans without an integrated view of all the risks the firm is facing at a given point. This is where Enterprise Risk Management has a key role to play, to identify and provide a consistent risk framework.

It seems there’s theoretically no end to the list of what could pose a threat to an institution.  How do you draw the line between the risks you worry about and those that exist out there but are too remote to spend resources worrying about?

This is indeed a key point as risk management is an independent department with limited resources at every bank. At Societe Generale in the Americas, Enterprise Risk Management coordinates the risk identification process, and this goes beyond listing the risks we face: we make sure assessments are done under a homogeneous standard, and we focus our analysis on significant deficiencies and material risks. Only then can we address the priority and action plans to put in place with our business and risk partners including for instance market and operational risk teams.

Certainly, advancements in technology have helped financial institutions analyze what the real risks are and how to keep on top of them.  Can you tell us how technology aids in your assessment of enterprise risks?

Indeed, we hear about Big Data and Machine Learning initiatives on a daily basis. Risk Management shouldn’t stay on the sidelines. Last year I partnered with our Risk department COO teams and our data scientists to develop a machine learning algorithm to detect counterparty credit risk patterns. The key is to develop a data-driven mechanism and compare its results with the current risk approaches. There are of course many other areas where we can expect breakthroughs. I believe Enterprise Risk Management should allocate time for innovation and new techniques as it is collecting, aggregating and analyzing risk indicators for all types of risk. It is becoming quite clear that you need large volumes of data and quality data sets to have success in this area, regardless of the business need you are trying to meet.

Are there a core set of enterprise risks that you can measure everywhere and for every type of business?

What is important here is to partner with the subject matter experts within the organization, whether they are the risk owners in the business line or they reside within the risk department. What ERM brings is a needed standardization considering the complexity of the activities and the types of risks we are covering, including emerging risks. The other component is enterprise-wide reporting, aggregating and assessing the material risks and the key risk measures. This reporting can be shared across various stakeholders and should foster dialogue within the organization under a framework defined and maintained by the enterprise risk management function.

Stress testing is a big part of what you do to measure risk tolerance.  How do you determine if your tests are stressful enough or if they are too lenient?

I believe in stress testing as it is a forward-looking measure which can be applied across all activities. As your question suggests, scenario design is a key component. The good news is that the financial industry has focused a lot of its effort building efficient processes addressing regulatory requirement as well as internal scenario analysis. We recently worked on an ad-hoc US-Iran tensions scenario following a request from our US Chief Risk Officer. Developing dedicated scenarios capturing new risks (geopolitical, event-driven, etc..) and more importantly calculating in a timely manner the impact to our US Operations is part of our Enterprise Risk Management toolkit.

Can you tell us a little bit about how you got into this field of risk? 

I started my career on the quantitative modelling side of the bank and then moved on to derivatives trading. My foray into enterprise risks started in 2017 as I was previously focused on market risks when I first joined SG NY 10 years ago. This has come in handy considering the recent market volatility surrounding US-China trade tensions, Middle-East geopolitical uncertainty and Brexit developments.

The Journal of Risk Management has just published a paper you’ve been working on for close to a year.   You cover a lot of ground and provide useful insights about ERM.  In layman's terms can you tell us the top take-aways from your article?

The Journal of Risk Management reached out to me ahead of their special issue devoted to Enterprise Risk Management. They were seeking articles from practitioners who could help answer questions regarding best practices and how to organize the ERM function. It is important to note that the articles are peer-reviewed and offer insights for those engaged in the field. My day-to-day role involves developing standards and policies applied throughout Societe Generale’s US business and measuring risks in the context of the firm’s risk appetite. This article aims to help answer how this can be achieved from a practical standpoint through various themes. I chose to focus on Governance Principles, Reporting and Escalation Risk Appetite and Stress Testing. I also thought of touching upon technology as this area is fast-developing: Risk Architecture and Technology Innovations including AI & Machine Learning are also covered.