Risk management in financial institutions has developed from two sources. The practice of evaluation of any business risk has been with us since mankind first started to trade in commodities: crops, metals, livestock, and more recently, money. But this skill was something that good businessmen had, and bad ones did not. There was no formality, no way to compare success, and no attempt to teach this specific skill.
The second source is more recent and began with the application of probability to financial markets in the 1920s and the development of financial modelling. This led to the development of value at risk (VAR) by J P Morgan in 1994: the analysis of volatility in asset prices and the correlation of relationship across different assets. VAR has become the standard risk management tool across the financial industry.
But the two sources were never adequately combined. VAR is only a tool of probability, not the end product of the risk management process. VAR depends on the models being both accurate and, critically, comprehensive. This does not work for risks that are hard to quantify, such as management practices and herd behaviour, and it does not succeed in correlating systemic risks across industry participants.
Nor was VAR much use in liquidity issues. A bank's bond may be given a price in the future; but what value is that calculated price if buyers believe, perhaps incorrectly, that the bank is in trouble? And can banks step off the liquidity treadmill? There is a famous quote by Charles Prince, ex-CEO of Citigroup: "When the music stops, in terms of liquidity, things will be complicated. But as long as the music is playing, you've got to get up and dance. We're still dancing." The music has long since stopped.
Did risk management fail? John Wisbey, Chairman and CEO of Lombard Risk, a global leader in bank regulatory software, says "The crisis was due to a unique failure of regulators and politicians to foresee the systemic risk issues that struck so quickly, and a failure by both senior bankers and risk managers to prepare for those risks. The massive fall in the value of even some AAA rated mortgage-backed securities, combined with an equally massive contraction in liquidity, was something that few firms would have contemplated even assuming their models could cope with it."
There are many tools out there. There are financial models for parts of the risk area, and market risk; the correlation of prices, interest rates and foreign exchange values is well developed. Hedge funds have developed a successful industry on the back of market risk modelling, and this industry, without government backing, could be said to have withstood the downturn better than the big banks.
But standards and best practices must be improved. Existing tools must be evaluated and incorporated into a wider set of standards which will enable those who manage banks to take decisions, whilst understanding all the aspects of risk. Where the standards are lacking: liquidity risk, remuneration practices, correlation of risks, etc, that lack should be identified and a process to fill the gap started.
There may be excellent tools for parts of the risk management constituency: disaster protection, data management, incident reporting, credit scoring, etc but there are no tools or standards that bring all the risks together and help in the understanding of their interrelationships. Managers with the time, experience and training to be able to weigh all the risks in a bank and to be able to communicate recommendations to the business team are rare. Nor is there any easy way for regulators to measure the risks across banks if every bank manages risk in a different way.
But standards and tools alone will not solve the problems and prevent or reduce the impact of the next crisis. We need to look at those tasked with the management of risks within banks.
Tom Wilson, Chief Risk Officer (CRO) at Allianz says "The main challenge facing CROs is not whether technical models are correct: a good CRO, understanding that models are abstractions of reality, will know how to combine common sense, simple rules and solid business experience to compensate. The most important challenge for good CROs is to influence management (and shareholders) that sitting out an occasional dance, and not being at the top of the league tables or bonus pool charts regardless of competitors behaviour, may actually be in their best interests in the longer run."
A key issue has been the inability of CROs to influence management and the business. This could be because the risk manager is too low in the hierarchy to have the required influence. An example of this could be the allegation that Paul Moore, the ex-group Head of Regulatory Risk at HBOS had his recommendations overridden and was fired, to be replaced by a less experienced individual.
Others may have been infected by the money-making enthusiasm around them. Many risk managers were simply ex-trading managers, and ignored the risks because they stood to make their bonuses from today's profits or because they did not feel strong enough nor have enough incentive to stem the tide. Or maybe they had insufficient business experience and lacked formal risk management training? Wilson says "Important in addressing these issues is to make sure that the risk function is populated with experienced individuals who combine a good sense for the business with integrity, communication and management skills, in addition to possessing strong technical skills".
In the short term there is no doubt that work needs to be done on improving the risk management risk standards and best practices. We need to identify the mistakes that happened and to learn from those who moved against the tide. And those missing but monumental risks that the models ignore as too difficult: management practices, herd behaviour, market panic, strategic board decisions and government intervention to name but a few, need to be brought into risk practices, even if they are unquantified, and even unquantifiable.
And more needs to be done. Once new standards are developed, they need to accepted by all in a consistent fashion. We accept the need for a common and consistent set of accounting rules. Why not the same for risk management?
No one disagrees that a CFO must have an accounting qualification. So why do we not insist that a CRO and his team have relevant risk management qualifications? Remember the ex-leaders of RBS and HBOS having to admit to the Treasury Committee that they had no banking qualifications? Risk managers should not escape the need for a good and wide basis of risk management knowledge, and this can be achieved only by formal qualifications.
And we need to ensure that risk management is right up there in board and senior management decisions. The best way to do this is to create a risk management committee, lead by a suitably qualified CRO. Returning to the accounting simile: why not a Risk Committee run along the same lines as the Audit Committee?
In the long term, risk management will succeed only if it is treated as a profession, not a skill learnt by experience. This requires professional standards, suitably qualified risk managers, statutory risk committees and risk returns, and eventually, even external risk audits. Only then will risk management play its required part in reducing the risk of failure in our banks.
David Millar is the Chief Operating Officer at the Professional Risk Managers' International Association - www.prmia.org.
The full version of this supplement can be read at http://np.netpublicator.com/netpublication/n63059333.
The supplement was published by London based publishing house, Raconteur (www.raconteurmedia.co.uk) who produce independent special interest reports exclusively for The Times and The Sunday Times.
