Traditionally, risk management carries a negative connotation, sometimes being viewed as a cost of doing business mandated by regulation, rather than an instrument which is driven by appropriate culture and proactively structured as a tool to propel sustainable growth for any business.

The key here is building a risk culture from the foundations of an institution, substantiated by proactive strategies. As business models evolve, fuelled by rapid developments in the digitalisation of financial services, the contemporary approach is gradually evolving. Institutions like Andaria Financial Services recognise that employing proactive techniques and procedures to handle risk, underpinned by an internal culture to proactively manage day-to-day risks, will enhance business opportunities.

Mark Curmi, Chief Risk Officer within the Financial Services Group, explains that the way a business approaches risk management depends on a lot of factors. These include the services offered, where an organisation is operating in/from, and - especially - with whom it does business. 

“From a financial services perspective, the way risk is managed depends on the risk culture of the institution, which is translated in its risk appetite. Risk appetite can be viewed as a living organism, which evolves and develops itself subject to internal and external forces. It shapes itself from the jurisdictions it is operating from, and services offered, the way other players operate and the regulatory scope in play, among other factors,” Mr Curmi starts off.

He explains that Andaria uses risk management as a strategic pillar to prevent and mitigate losses and to grow potential revenues, taking a proactive approach based on the five pillars of risk management.

“The text-book approach for the five pillars of risk management is identification, assessment of probability and potential impact, treatment and mitigation, monitoring and - finally - continuous improvement.” 

However, the way these pillars are applied depends on what Mr Curmi refers to as the ‘DNA’ of the institution. He uses traditional banking as an example, where risk assessment is typically based on looking at past performance, assessing the potential risk and putting together controls to mitigate it.

“When the risk element actually occurs, the institution then reacts according to plan. This is the reactive approach and one centred around threat-focused risk management,” he tells WhosWho.mt.

Instead, Andaria Financial Services takes a pre-emptive or front foot stance, through identifying risk trends, applying risk mitigation strategies based on those trends, inherently accepting that there will be exposure in business activities and employing processes (metrics and behaviours) to reduce potential future negative impacts.

As a practical example, picture the risk management assessment that a firm dealing in e-commerce would need to carry out. The firm is aware from the start that it will be exposed to cyber threats; it’s a certainty that one day a type of cyber event will occur. 

A reactive risk management approach would involve ensuring you have minimum levels of IT security, responding to threats as they occur, and, for those that are a bit more risk conscious, taking out insurance against threats.

A more proactive risk management strategy, however, would also include running an IT security programme, supported by detailed market trends and the application of artificial intelligence, to identify gaps, vulnerabilities and security weaknesses, and adding processes to identify threats before they occur. The closing act is to have strategies and recovery plans in place to resolve them, should they occur.

“This is the difference between a reactive and a proactive risk strategy, and which one is applied boils down to the risk culture employed within the institution. Andaria takes a cautious, but positive approach in this respect. We view risk management as a positive that can be used for sustainable growth in line with compliance requirements and the regulatory frameworks we operate in Europe and the UK. 

“To ensure that we offer the highest level of services to clients, we have implemented a series of processes. Instead of saying no, we understand what the risks are and we mitigate them while ensuring regulatory compliance,” Mr Curmi says.

He makes a distinction between the frontliners of a financial institution, such as those working in business development, and the second liners, which would include the risk management, compliance and IT security teams. A robust risk culture is a culture of risk controls and risk appetite which resonates across the institution. He believes that frontliners are key to actively understanding the risk element of clients they propose to work with.

“The general belief is that the business development team is at regular loggerheads with risk management because the former wants to attract business while the latter are solely interested in implementing controls. In reality, the functions should complement each other while working separately,” he says, adding that at Andaria Financial Services this is the ethos. “How else can you implement effective pricing-for-risk strategies, if not?” he says.

“From a regulatory perspective, the two work autonomously. But it is essential for business development to understand the importance of risk management, and for the risk management teams to understand the core components of the business development efforts. Andaria’s process ensures that business development is cognisant of all the risks a new client will bring to the institution. This puts them in a better position to carry out risk pricing and to identify expectations in connection to the client, even to decide whether on-boarding such a client is viable or not,” Mr Curmi explains.

He emphasises the importance of keeping the roles separate, explaining that the risk management team will only offer guidance, and never become involved in the sales process itself. 

“We assess the risk with the team, we advise about processes that will be needed to mitigate risks which may be presented and means to ensure compliance. For example, a client’s risk might be such that it requires enhanced monitoring to contract it. Or else we might put in place certain limitations, reviewable at stages, to service. Or even, after investigation, it may turn out that taking on a client is not viable. This process ensures that we offer a high level of service to clients without resorting to a blanket ‘no’ without first investigating.”

The general belief is that a higher risk appetite equals a higher reward. Mr Curmi explains that in reality, a higher risk means that you need to implement tighter controls, and these come at a cost. Risk-based pricing helps align price and cost by increasing the price for clients who are higher risk (and thereby higher cost). This provides for higher-revenue and better risk customers.

“It’s a question of identifying the opportunities that the risk can create, and this is also part of a series of proactive risk management strategies. Taking up a high-risk client with strict controls may not necessarily lead to increased revenue in the short-term. However, it may mean that you gain specialisation in a specific market, paving the way for more clients. You may gain a bigger market share or make inroads in a new sector that firms with a low-risk appetite will (unfortunately – or fortunately) automatically refuse,” Mr Curmi continues.

He uses medical cannabis and online gambling as two obvious examples, explaining that because Andaria Financial Services has the right structures in place, it is in a position to understand the risks involved when dealing with such customers, and can make educated assessments of whether it wishes to support a prospective client, or otherwise.

“This means that we do not need to put all gaming operators in one bucket, for example. There is a massive difference in risk between taking on a two-people gig with a license in a jurisdiction with unsatisfactory controls, and accepting a bona fide organisation with all the right governance structures, licences and professionals in place. This is why we include a thorough assessment process in our risk management strategy, rather than blanket banning business that is traditionally considered high-risk,” he elaborates.

That said, an organisation’s risk appetite will also be influenced by external forces. He uses traditional financial institutions as an example, saying that these have been under substantial pressure over the past decade or so, which understandably translates into enhanced regulatory and compliance burdens and costs, ultimately shaping their risk appetite. Thus, the risk culture is also defined by external players in the ecosystem - for example, your ability to work with a correspondent bank or a material service provider.

“If your material business partners have a low risk appetite, this will in turn shape your own risk appetite. Thus, a firm may decide not to take on a licenced, regulated and legit medical marijuana service provider for the simple reason that the bank it works with will automatically deem that sector too high risk.”

Mr Curmi believes that, ultimately, risk management strategies are driven by culture.

“If you’re unreasonably cautious, it will deter growth. In reality, the only way there is zero risk is if you walk into your office and do nothing. The minute you do business, you have risks. And when you proactively manage those risks, using technology, using the pillars of risk-management, and the right professionals, there is huge potential for growth,” he concludes.

Written By

Ramona Depares

Ramona is an award-winning journalist and an author whose works have been published on both local and international fora. She is also the founder of a cultural blog - www.ramonadepares.com - dedicated to theatre, fashion, books and events in Malta. Ramona is fuelled by good coffee, music, the occasional glass of wine, and people-watching.