On October 20, 2021, ERM Program Director Sim Segal interviewed Lakshmi Shyam-Sunder, Vice President and Chief Risk Officer of World Bank Group. Watch their conversation in full, or read through highlights below.
Can you give us an overview of the World Bank?
The bank is organized into four financial institutions. International Bank of Reconstruction and Development (IBRD) and International Development Association (IDA) lend to countries. International Finance Corporation (IFC) lends to and invests in the private sector. The Multilateral Guarantee Agency (MIGA) provides political risk guarantees. In total there are about 600 billion dollars under management. The institution is owned by 189 countries, with operations in 170 countries and offices in 130 locations with 16,000 staff. Unlike other financial institutions, the World Bank is a development organization that tries to be financially sustainable. The World Bank is not regulated; it is organized by international treaty. Nonetheless, the organization maintains an AAA rating and identifies and follows best practices in order to maintain that rating.
In 2008 the organization began its enterprise risk management program. In 2012, a formal CRO position was created. A second line of defense was formally established and an operational risk department was created in 2014. The operational risk department manages the many risks in processes, systems, and people.
How is the program used for decision making?
In the financial risk domain, the infrastructure is mature. The exposure limits and amount of capital required for different transactions are defined. For operational risk, it has been a journey to build the decision-making infrastructure for things like IT decisions: data privacy, legal risk, vendor risk management. The risk committees use their understanding to influence decisions such as "what risks can be taken" and "how much capital is required."
This decision making can culminate in firm-wide increases in capital that require board and shareholder approval, as occurred in 2018.
How do discussions take place?
It is important to go out and talk to people. Many discussions are informal and take place one-on-one or in small groups. In terms of where the World Bank runs client operations, that decision goes to the operational units and not the CRO. Matters related to financial and internal operational risk go through the CRO.
How is risk assessed?
A risk taxonomy categorizes risk into strategic risk, development outcome risk (what do we seek to achieve for the client), financial risk, and operational risk. There are clearly articulated risk appetite statements for each risk area. On an annual basis, conversations are held with the heads of many departments. These conversations can reveal blind spots and help keep the risk taxonomy updated. At its best, a culture is created where people bring risks to the attention of the CRO.
What is the approach to risk quantification?
The infrastructure for measuring and managing financial risk is developed and sophisticated. The data can be aggregated and parsed by location or other categories. In contrast, operational risk can be very qualitative and requires the development of metrics such as, for IT: how many breakdowns, how many outages, how many phishing attacks. By having these measures, the World Bank can detect where risks are increasing and can also put tolerance bands on the different risks or increase resources to mitigate the risk.
Also, the World Bank is building a database of risk events that have occurred, including near misses. By including near misses, which are risk events that could have occurred, more observations can be recorded and studied.
How do you define risk appetite and use it in the governance process?
At the broad enterprise level, the risk appetite statement states that we will pursue our developmental objectives while remaining financially sustainable at AAA levels. That statement is echoed in other risk appetite statements. At the subdomain level, the risk appetites state risk tolerances more quantitatively.
How does your risk appetite shift?
Sometimes, the business can change and the appetite must change. Sometimes after a period of growth, the amount of capital might not be enough to support further expansion. At that point a discussion needs to occur by gathering information from credit, market, liquidity, operational, and other risk management functions.
What are some successes in the program?
It has created an awareness of risk. The institution has been made aware of what can go wrong and now there is a common language to communicate. A framework also provides standardization which then allows aggregation.
Another success is that when problems occur, there is now an avenue to try to address them and trust that resources can be used to address the problems.
Training is another aspect. Guest speakers are invited to visit and share their ideas and experience.
What are some concerns for the future?
Complacency. Now that we are surviving COVID, there can be a feeling that the worst thing has already occurred. But vigilance is required. Other threats are cyber security, which is difficult to mitigate, and climate change, which could affect us sooner than we project.
What advice do you have to students entering the risk management field?
It’s good to be at a place that is facing risks and be able to address them. You can’t really plan your career. You need to go with the flow. Identify what is important now and find where you can add value. Then you build from that.
The CRO position is one where you connect the dots. It’s not enough to be an expert in a single domain. You also want to have great interpersonal skills, including the ability to say "no" when necessary. You want to have trust and be able to build buy-in. You want to be capable of speaking technically, summarizing and simplifying, and selling projects and points of view.