Aligning strategic planning and risk management

By Irfan Khan, Chief Operational Risk Officer, BB&T

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I am the Chief Operational Risk Officer at BB&T responsible for ORM Programs, Oversight Team, Business and Technology Continuity, Vendor Risk Management and Change Risk Management.

I previously worked at EY as a consultant where I led a number of Enterprise and Operational Risk initiatives and advised Banks, Insurance Companies and Asset Management Firms on risk and regulatory matters. Prior to that I worked at Canadian Imperial Bank of Commerce (CIBC) and held a number of Finance and Risk Management roles.

What, for you, are the benefits of attending a conference like Risk Americas and what can attendees expect to learn from your session?

The main benefit is to learn about leading industry practices, areas of focus and innovative risk management solutions for problems facing the financial services industry. We’ll discuss how business strategy is inextricably linked to risk management and how they work in concert to enrich each other. We’ll also talk about how best to add value to an organization while delivering on the regulatory agenda. Another key benefit is learning how risk management is evolving and becoming value additive for business units.

You will be presenting at the upcoming Risk Americas 2019 to discuss the impact of aligning strategic planning and risk management. Why does it continue to be an ongoing issue in the industry?

There are many contributing factors for misalignment between strategic planning and risk management. One of the key issues is the perception about the risk management organization being a roadblock. This perception needs to be changed where risk is viewed as an enabler to the business. Rather than telling the business that they can’t do something because of the level of risk, risk must pivot to provide solutions to the business to achieve their objectives in a responsible manner.

Risk must evolve and have a balanced view where it not only considers the downside risk of embarking on new initiatives but also the risk of not adapting to the changing industry landscape quickly enough.

What factors do you need to consider when aligning strategic planning and risk management?

It is crucial that risk management and business leadership speak the same language and that the terms have the same meaning universally.

The risk appetite process needs to be closely tied with the strategic planning process. The business leaders must engage and set the risk appetite for their business line and the enterprise. Risk measures/metrics must be consistent for risk management and for making strategic business decisions.

Alignment between strategy and risk appetite is essentially a calibration activity and a bi-directional exercise where they both inform and influence each other.

Why is building an effective Enterprise Risk Management (ERM) framework so crucial to the success of an organization?

An effective Enterprise Risk Management framework is absolutely critical for the success of any organization. It sets and defines risk management policies, procedures, standards, guidelines, routines and overall governance, which is absolutely necessary for effective measurement, monitoring, management and mitigation of risk.

It also helps integrate/consolidate and correlate the disparate risk types into a coherent view by defining and leveraging common product, process, risk and control taxonomies as well as organizational hierarchies.

Organizations cannot make effective, informed and risk-based strategic or tactical decisions without the benefit of the holistic views enabled by an enterprise risk management framework.

How have regulations affected strategy planning and risk management or how will regulations affect strategy planning and risk management for the future?

Regulation has a profound impact on key strategic decisions including but not limited to capital and liquidity planning, corporate action etc., which can impact key strategic decisions such as mergers and acquisitions, determining the optimal size of the organization, as well as other direct and indirect investment decisions.

Regulation has and will continue to drive strategy planning and risk management. For instance, privacy regulation such as GDPR and CCPA will have a profound impact on companies' IT and data strategy, information security, infrastructure investments and business processes. Another example is a number of cyber security regulations that are driving the cyber security agenda and related investments.