Chukwunomnso Anyichie is the Chief Risk Officer, Coronation Group Limited. In this interview with KEHINDE AKINSEINDE-JAYEOBA, she sheds light on risk management practices and discusses strategies for enhancing governance and compliance across financial institutions in Africa.
What is the concept of risk management in financial services in Africa?
Risk has significantly improved globally over the past decade within our continent. We have had a lot of implementation around risk management due to financial crisis we have had even here in Nigeria, I believe it was 2009. A lot of these risk management improvements have largely been driven by the regulators; whether you are looking at banking, insurance, pensions, even the Securities and Exchange Commission. They have all rolled out risk management frameworks that all the operators have to abide by. And all of them are tied to international best practices. So you have your service management frameworks, or your ISO 31,000 frameworks, that have been a basis for the development of risk management frameworks across all our different financial sectors, whether we are talking about South Africa and Nigeria, Kenya, which are your large financial centres. And you find that even in the more advanced institutions such as your banks, the risk management frameworks are leveraged or implemented leveraging advanced analytics, using comprehensive risk assessment models and having in place strong governance structures.
Recently, the Securities and Exchange Commission (SEC) sent out a circular around the implementation of Enterprise Risk Management Framework Standards, the COSO and the ISO. In addition to that, they have now put in controls so that they can have proper oversight over the risk environment and practices of all the capital markets operators. So there are now requirements for returns, in terms of risk profiles of capital markets, operators to the Securities and Exchange Commission and also you have to submit your approved enterprise risk management policy.
Now, even though this just came out on Friday, within our own ecosystem at Coronation Group, we pride ourselves of implementing global best practices and so we already have implemented Enterprise Risk Management Policy and frameworks and really have board-approved policies.
We don’t typically go according to just what the regulator is requiring, but we look to see what is global best practice and how can we implement that to ensure that we are managing our risks and ensuring that we are mitigating whatever risk that comes with us achieving our strategic objectives.
What are the common risks that financial institutions in Africa face?
One of the key ones is credit risk. Credit risk being when you look at our banks, we give out the credit. Risk is when your customer or your clients is unable to pay back the loan then you have non-performing loans in the bank. Now for us in Africa, especially because we are heavily reliant on commodities like oil, for example, in Nigeria, the fluctuation of the prices of the commodities tends to impact our ability to pay our debts.
We also have market risk. We have a lot of investments instruments – mutual funds, stocks, securities, etc. And with market risk, we are looking at the volatility of your interest rates and of the exchange rates. Here in Nigeria, we have seen Forex interest rates go as high as almost N2.000.
Operational risk is also key. We have quite a few infrastructure challenges when we are talking about power, telecoms, infrastructure, our roads, cyber threats, etc. Financial institutions are going digital. And so, we are seeing an increase in risks.
Another is regulatory risks. Because regulators are trying to ensure they protect our financial systems, they tend to roll out different policies, circulars and guidelines.
I always refer to the time of COVID-19. Sometimes you will have just a plethora of circulars coming out on a weekly basis and as a financial institution, you have to make sure you are on top of them. That is where the risk can come in because you have to make sure you are complying. You have to make sure they are consistently scanning with their new regulations that you have to implement.
We also see within our continent that financial institutions are expanding to differential restrictions and so you have different jurisdictions where you also have to be on top of their regulatory requirements and guidelines. You manage your stakeholders, your regulators in different jurisdictions to ensure that you are complying with what they asked you to.
Finally, the top five risks for me will be political risk. In Nigeria, political instability and policy changes impact our businesses and how we operate, especially in the financial institution because we want more. This is also tied to regulatory risk because the regulators also want to make sure they come out with best rules. They might come in with different views on the economy, different views on how to improve our financial system.
You mentioned compliance to new rules and regulation using companies listed on the Nigerian Stock Exchange as an example. We have seen over time lots of companies defaulting over corporate governance rules and the likes. How do you think all these institutions can really improve their governance?
First, when you have those types of issues, there is a failure in control. And in managing risk, you have to have controls in place. So let me give you an example. Based on what you have said now about complying with regulators. It is in your financial control in place would be that you have a workflow where they are reminders to those ahead of time to those who are supposed to be doing the financials submitting the financials on time, whether it is systematic, whether it is an email, there are controls in place to ensure that there are triggers that this is coming up, we have to submit ABC to the regulators at a certain time.
The board has oversight and the board should be ensuring that they are meeting the regulatory requirements that the financials are submitted on time.
Another control is that the finance function and compliance function must work together. To have this submitted, they have to be KPIs, meaning that you have Key Performance Indicators around the completion and submission of your financials. So all the things I am saying even though they are just part of the business operation, they are controls that should be put in place and when there is a break in that, you find that the risk will crystallise.
So, one is definitely strengthening that internal control and ensuring that there are clear lines of accountability.
The next thing would be around board oversight. They have the oversight. They have judiciary duties to the organisation and so they should also ensure carrying out of their oversight over the compliance related activities. And part of that will also be to do a lot of educating of the board. I say education because typically your board members are well experienced but having that sensitisation on an ongoing basis, around compliance, financials, their responsibility as board of directors, etc.
Some years back, CBN implemented a rule that required that there must be an executive on board that is in charge of compliance, that is, the Executive Compliance Officer (ECO).
CBN wanted to ensure that the responsibility of the board is clear as it pertains to compliance. They came out with a penalty scheme. So if there are infractions, not only will the company be penalised, but individuals like the Chief Compliance Officer and Executive Chief Compliance Officer will have to pay penalties. I am saying this to emphasise the importance and the role of the board. And it is important for the board to understand that if this compliance risk crystallise, what the impact would be on the company. This is not just financial risk but also reputational risk and the board has to make it their risk appetites clear. There are some organisations where there is zero percent risk appetite for infraction.
The adoption of international standards tools would help in compliance. If you look at global best practice, you always want to comply with the regulators because what your regulators have to do is for the betterment of your business; to ensure the betterment of the financial system as a whole and also to protect your shareholders and stakeholders; stakeholders being also your customers. So, I think those are some key things that need to adopt international best practice, strengthening internal controls and ensuring accountability and that the board understands their oversight and are trained or sensitised on a consistent basis.
There has been this clamour, especially from the shareholders, that the financial institutions are over-regulated. How can these institutions be on top of these regulations?
One thing that should be done is building a relationship directly with the regulators; that is key. Especially in our continent, our cultures are tied to relationship aspect. And so it is important to build that professional relationship with your regulators.
If I take Coronation for example, we are forward-looking. We have a lot of initiatives that we are pushing out. So we really believe in coming out with initiatives, products or services, for our customers to help them build wealth. Some of the things we are doing have not been done before. So we do not shy away from engaging our regulators, having those conversations, building those relationships, giving them insight into what we are up to. We carry them along them because at the time we want to roll the initiatives out, we would have engaged them, they would have understood what the requirements are from us as an operator. In some cases, we might be the ones helping them to rule out those regulations. Those are some of the benefits that come from building relationships.
For example, we are the first Securities and Exchange Commission Holding Company in Nigeria. We got the first license last year. It is about having the discussion and them seeing the benefits of having that structure; the benefits to our financial system, the benefits to our capital markets, etc.
How has technology improved or impacted risk management in the financial sector?
Technology is a game changer in risk management. There are a number of things that it does for us when we are managing risk. One is around data analytics. Having that data analytics, especially when you build it up to a point where it can be predictive, helps us as risk practitioners to identify and mitigate our risk. This helps us to make decisions quicker and better because with data analytics, especially if you have the data and you have built in all the different parameters you need based on your business, it is just at the push of a button, you will be able to see this is the issue and this is what we need to do and you get this done.
With automation, individuals will be focusing on decision making and intervention instead of doing mundane data entry or manual processes.
Another area technology has helped is in cybersecurity. So having different kinds of tools are robust security measures to help us fight against cyber threats and to protect the businesses from cyber attacks. So, ensuring that you have the security measures on your financial systems to protect the business, that is one of the great things that technology has done and overall, providing real time insights and allowing, institutions like ours to respond quickly to emerging risks that may crystallise.
With the myriad of risks faced regularly, what strategy can financial institutions deploy to enhance their resilience in business?
First, I will talk about stress testing; carrying out stress testing to assess and prepare for adverse scenarios. I will tell you an interesting story. So I was the director of governance risk and compliance at PricewaterhouseCoopers. I was there for about 12 years and I remember I had a banking client who I used to offer risk services. In review their stress test scenarios, I suggested using N1,000 for a dollar. As at then, forex was about N300 to $1. They said that is not possible, that will never happen. And I think they ended up doing like N500 or 600.
Stress testing is a great tool and a great strategy because you can plug in different scenarios, and see what the outcome will be on your business, on your balance sheets. And then you can now have time to sit and walk through what are those things that we need to do when you get stressed to this point, if this crystallizes, to bring us back to business. This is a key tool to use, especially with emerging risks.
Definitely, stress testing is a key strategy that all institutions in Africa need to put in place to enhance their resilience.
The second is around maintaining adequate capital for the company and ensuring that they have capital buffers to cover the business.
If you are familiar with the bassel regulation which is an international regulation that is actually around risk management, CBN has implemented it for banks. And it is a way in which you assess all the risks in your business, you quantify them and then you calculate how much capital you need to cover those risks in addition to the capital that you need to run your business. It is a way in which you manage your risks.
With the controls, I have the crystallised for example, to cost me a billion naira. So I need to make sure and then I take that and look at against my financials and see am I adequately covered with the capital I currently have? What would I need to raise more capital to cover my business?
Now this is a global bank regulation that CBN has adopted. For us in Coronation, the impact of this strategy adds great value to our business. We have actually implemented what we call ICAP (Internal Capital Adequacy Assessment Process). Every business in Coronation has actually implemented the strategy. We are not banks, but because it is the way in which we can manage our capital, looking at our material risk. So ensuring you have that capital buffers your business and your risk. It is a strategy that should be put in place.
Another strategy is diversification. In Africa, there is a lot reliance on volatile sectors like commodities and there was concentration in this sector. I remember when the energy sector was doing well, the banks were loaning money to oil and gas sector and then there was a crash. For those who had significant concentration in that area, the impact was higher. So it is important to diversify.
We are starting to see people diversify into things such as manufacturing, tourism, agriculture. Diversification is important to reduce your concentration risk because you don’t want something to happen in that particular sector.
Finally, our risk culture. Promoting a culture of risk awareness and proactive risk management does not sit with the risk department. We have three lines of defence: the first line, they are actually the ones that face the risk, whether it is your sales people, your tellers, your investment managers, your agency , they are the ones who actually on a daily basis have to manage risk. You have a second line of defence, you have your compliance. We also have our role to play in that. And then you have your third line of defence which is your audit. So, every single person should be a risk manager. Every single person within that organisation should be a risk manager because you face risks every day.
ALSO READ: FG engages private sector on Fodder, Soybean export to Saudi Arabia