Managing Risk: A Regulatory Perspective

Keynote address

YBhg Datuk Ali Abdul Kadir
Chairman, Securities Commission
at the
RHB Investors Forum

18 June 2003
JW Marriott Hotel, Putrajaya

Thank you for inviting me to speak today. I welcome this opportunity to share and discuss with you some of the Securities Commission’s (SC) perspectives on risk management.

Regulators are often regarded as a risk-averse lot, perhaps more happy to avoid risk altogether. But the fact is that risk cannot be avoided. It is an integral part of financial activity. As some observers have argued, we are all now living in a “risk society”, where human activity interacts with technology to increase the degree and sources of uncertainties facing us.

For instance, the incidence of high-profile losses at both the corporate level as well as at the national level reminds us that the risk society in which we operate today can generate unacceptably high costs of conducting our business. The inter-relatedness of global activity means that the effects of asset price movements, disease epidemics, corporate mismanagement and macroeconomic crises can have an impact beyond their immediate surroundings.

This year being the 10th anniversary of the SC, it is worth noting that many of the issues currently faced by the private and the public sectors did not exist when the SC was set up in 1993. So it is not surprising that as the complexity of financial transactions increases, correspondingly there is a need to manage risks better. But such demands in turn raise a whole host of questions about how to do this and, perhaps more importantly, whose responsibility it is to do so.

What I would like to do this morning is to make an attempt at answering some of those questions within the context of the Malaysian capital market, and to highlight some of the key issues concerning risk management going forward.

The importance of risk management
I’d like to begin by asking a very straightforward question: why is risk management so important?

As I’m sure many of you are well aware, the SC recognises that corporate governance is vital for ensuring that the Malaysian capital market provides a conducive environment for investors. We have implemented a wide range of initiatives to enhance the standard of corporate governance in Malaysia. But vitally, good corporate governance must be accompanied by two other elements that are often overlooked-shareholder value maximisation and risk management.

Risk management is especially relevant because there is no point in having the most transparent market in the world only to be able to see clearly your company going down! Indeed, the downfall of Enron was primarily about a failure in good risk management-in this case, the management of operational risks. Poor standards of corporate governance was really of secondary importance.

In business, risk management is typically viewed within the realm of internal audit, human resources, health and safety functions. But it is steadily becoming part of the mainstream of management activity across the public and private sectors. Rather than being simply regarded-tolerated, some would say-as a cost of being in business, risk management is increasingly focusing on the future rather than on the past, and it is placing greater emphasis on maximising strengths and minimising weaknesses than on controlling problems.

But is this move towards a more systematic and managerial approach to risk management simply a trend? Far from it. The need for risk management will remain on the agenda for the following reasons:

  1. It has been reported that managers today feel they have a narrower margin for error in their decision-making. There is a feeling of constantly “walking a fine line between success and failure”, with both more pressure to avoid things going wrong, and more pressure to get things right, to improve corporate performance and shareholder value. Greater “uncertainty” seems to have become more incorporated into the worldview of senior managers everywhere.

  2. In today’s environment, managerial risk-taking is more easily equated with recklessness. For instance, companies are being asked to behave responsibly by their stakeholders, both with regard to society more broadly and internally to its business itself (as reflected in the demand for better corporate governance codes of conduct for the boardroom and the increasing focus on business ethics). Risk management-including corporate governance practices and internal controls-thus introduces greater responsibility into the risk-taking process.

  3. Risk has attracted the increasing attention of regulators. The demands to regulate risks are increasing, and authorities the world over are responding-albeit in a variety of different ways. How companies manage their risk is influencing the design of regulatory systems; the approach to regulating risks can depend on the extent to which industry conducts self-regulation.

In the case of the UK, for instance, the Financial Services Authority’s new operating framework recognises that the authority’s relationship with a regulated entity will depend on its risk assessment of that entity. In other words, its approach to regulation is converging with the risk management practice of the very entities it regulates.

This last point underscores the inextricable link between regulation and risk management practices by capital market participants. It also highlights the significant roles of regulatory discipline and self discipline in determining the interaction of regulation and business activity within the capital market.

Risk management and regulation
Regulatory discipline usually refers to the traditional approach of command-and-control regulation. It is perhaps least-loved by business! Self discipline is typically associated with internal controls and the management of regulatory compliance by the regulated entity itself. But, as I have suggested, self discipline also involves good governance and other “softer” practices including business ethics.

There are clearly trade-offs in pursuing each approach, namely between the efficiency of regulation and the severity of the impact of market failure. A strong command-and-control environment arguably provides greater control by the regulator over the management of risks-but at the likely cost of regulatory efficiency. On the other hand, greater autonomy for businesses to handle their own risks could increase the impact of market failure if risk management practices are weak.

Modern financial systems typically combine elements of both regulatory and self-discipline. Rules are designed to influence businesses so that they operate in a manner that aligns their corporate strategy with regulatory objectives. But it is not so favourable an outcome when businesses focus their management practices purely to meet regulatory risk requirements.

To avoid this, businesses must understand why they are implementing various risk management practices. The most state-of-the-art risk management techniques are of little use if businesses do not understand why they are doing what they are doing. One observer has noted that in the financial services industry, factors relevant to managing economic capital internally is becoming further and further divorced from short-term measures of risk, such as VaR (value-at-risk). Instead, managing economic capital is increasingly concerned with forward-looking views on earnings volatility and downside vulnerability in the longer-term.

What this implies is that businesses must not lose sight of the bigger picture while focusing on the more esoteric and technical aspects of financial risk management. In fact, the same observer suggested that the most significant risk management issue and opportunity facing providers of financial-services was to develop an integrated longer-term view of risks that could be linked more closely to capital structure and performance management. Importantly, he argued that this should be easily understood by its creditors and shareholders.

What this ultimately means is that risk management should not be practised blindly and for the sake of conforming to rules, but be pursued as part of a firm’s strategy to enhance value to its stakeholders. This, as well as the pursuit of strong corporate governance, are among the key thrusts of the SC’s efforts to promote and improve further risk management within the capital market.

SC’s role in enhancing risk management in the Malaysian capital market
Allow me to describe, then, what the SC itself is doing to enhance risk management in the Malaysian capital market. In the last 10 years, the SC’s working environment, just like that of the industry we regulate, has become more complex. The demands from our stakeholders are rising. For example, the investor constituency is asking for more re-assurance, greater transparency and higher standards of governance. Also, we are also being asked to focus on ensuring markets meet non-financial investment criteria, including free-float, social responsibility and so on. Hence, the task of delivering our regulatory goals and objectives has become more challenging.

It should not be surprising therefore that over the years we have been enhancing our capacity and taking the initiative to deliver on our respective roles with respect to risk. These consist of our:

  • Regulatory role, where we deal with risks arising from the activities of businesses and individuals that may effect other players in the market

  • Stewardship role, where we address risks which could have a systemic impact on the market and whose management may be beyond the responsibility of individual players

  • Developmental role, where we address risks and opportunities to the longer-term development and integrity of the Malaysian capital market; and our

  • Management role, where we address risks concerning the SC’s immediate operating environment, including our own internal processes. This ultimately encompasses the work we do in performing the three previous roles I have mentioned

You are all, I am sure, more than aware of our regulatory role, in which the SC enforces the legal and regulatory framework that governs the activities of businesses and individuals in the securities industry that may give rise to risks to other players in the market. So let me say a few words about our other three roles with regard to risk management.

Stewardship role
First, stewardship. Some risks can be beyond the scope or responsibility of individual players to manage, especially when they have a potential consequence on the market as whole. These include events like the 9/11 disaster, the impact of the Iraq conflict on certain industries-even the threat of disease, like SARS. In light of such risks, the SC plays a stewardship-or protective-role in which we address systemically significant risks to the capital market. Among our many activities in this area, we continuously conduct forward-looking “horizon-scanning” for risks that could affect the market systemically. If necessary, we will take appropriate action to mitigate their impact.

During the height of the Iraq conflict for instance, the SC had a rotating team of analysts that closely monitored global developments around the clock. The team assessed risks to the Malaysian market arising from a variety of sources, from international asset price movements to the geopolitical environment, and made relevant recommendations. The recent SARS epidemic is another instance in which the SC took the initiative to manage a potential systemic threat-in this case by enhancing the management of operational risks within the capital market in the event that SARS escalated in this country, which thankfully it did not.

Developmental role
Next, I would like to turn to our role in managing risks to the development of the capital market and highlight some of our work with regard to corporate issuance.

As part of our efforts to facilitate the development of a market for premiere companies in Malaysia, the SC is in the process of completing a shift in the regulation of securities issuance from a market-based approach to a disclosure-based system. This shift is expected to translate into more efficient pricing and greater transparency, as well as to meet investor expectations of full disclosure of material information concerning the potential corporate issuer.

Naturally this demands higher standards of disclosure and accountability on the part of issuers. Measures introduced to encourage better disclosure include enhanced prospectus requirements that ask for, among other things, a statement on good corporate governance practices. Going forward, in the interest of promoting strong risk management within the corporate sector, we would also like to see in the future such prospectus requirements expanded to include a statement on good risk management practices by the company concerned.

Nevertheless, the SC continues to make forward-looking assessments of certain corporate issuance risks. If necessary, we will take action to mitigate them. For instance, in the past, certain issuance proposals may have met quantitative criteria (such as profit track-records). But a closer assessment of various qualitative criteria suggested that the extent of core business risks faced by these companies simply could not justify a public listing.

Management role
Lastly, let me turn to our management role. Following on from our recently-concluded organisational transformation project, the SC has allocated greater resources to risk management. We have re-organised our risk management function to improve the delivery of our regulatory and developmental objectives. This would entail among other things: increasing the effectiveness of anticipating risks; minimising uncertainty for investors, issuers and our other stakeholders; providing greater opportunities for industry and regulator alike to innovate; and ultimately to build a higher level of confidence in the overall capital market.

Our new approach focuses on deepening our understanding of risks and policy trade-offs and to strengthen further our ability to identify, gauge and assess risk and uncertainty. Proposed enhancements include:

  1. A more integrated approach to risk management that enhances and incorporates risk assessment explicitly into existing decision-making processes and reporting structures

  2. A top-down and bottom-up approach in which major decisions at all levels of the organisation-strategic, project and operations-undergo an explicit appraisal of risks and opportunities

  3. A multi-pronged and multi-disciplinary approach emphasising on creativity and the challenging of conventional wisdom in making risk assessment, through the participation of greater numbers of people with a diversity of skill sets and experiences

Ladies and gentlemen: to conclude, I would like to highlight the key points that I have made this morning:

First, risk cannot be avoided, but taking calculated risks is quite different from being rash. Risk management-including corporate governance practices and internal controls-introduces greater responsibility into the risk-taking process.

Second, the move towards a more systematic and managerial approach to risk management is here to stay. The SC intends to continue promoting more effective risk management within the Malaysian capital market, starting with itself, and I have outlined some of the measures that we are pursuing. In the same vein, businesses need to develop a strong culture of risk management that permeates top down. Boards of directors and senior management must realise that there are returns to be made not only by excelling at their core activities. Benefits also accrue to those who are equally adept at recognising, quantifying and managing risks that are inherent in the environment.

And third, stronger risk management practices afford greater regulatory efficiency and lowers the cost burden on businesses. But businesses must know why they are doing what they are doing. Risk management should not be practised blindly and for the sake of conforming to rules, but be pursued as part of a firm’s strategy to enhance value to its stakeholders.

Thank you for your kind attention.