I was thinking the other day about the evolving nature of risk management sophistication and it's impact on system architecture. It is now conventional wisdom (driven by the events of the past couple of years) that simply looking at traditional measures of risk (such as Var) is highly inadequate. I refer here not to esoteric arguments about the inadequacies of specific models. Rather, it's becoming clear to me that at some macro level all these risk measures depended in a subtle way on the argument that the proverbial Black Swan (i.e. an extremely rare but not impossible, and cataclysmic, event) did not exist. To put it more precisely, there was a vague acknowledgment that one should be watching out for a black swan, but since we did not really believed that it existed, we need to only apply some crude multiplier factor to gross calculations as a "comfort factor" that we'd addressed the occurrence of an exceedingly rare but disastrous event. In other words, most people did not take the probability of stress events occurring very seriously. And if they did, it was certainly not reflected in the risk systems of most organizations. How this happened, and the human dynamics that made this all possible will be left for others to ponder.
A lot has changed in the past two years. The world has seen what stress events can do to hitherto fine, upstanding companies like Bear Stearns, Lehman, AIG et al (to take only the US example). Stress tests are all the rage, whether mandated by the government or by newly energized corporate governance advocates, board members and senior management of financial corporations. At the same time, financial companies also seem to be getting "risk-aware" in their day-to-day business. There is increased interest in ensuring that risk-based pricing be done right. Of course, the flip side of this coin - ensuring that employee compensation is properly risk-adjusted - has generated a lot of interest as well.
What does all this have to do with technology? A lot, as it turns out. Let's take a look at the sample loss-distribution below.
We see three distinct areas: risks that are covered by pricing, those that are addressed by capital and those risks (that are above some predetermined level of probability - in the example 99%) that are quantified by stress scenarios. It's an interesting exercise to map these to risk systems commonly found in banks. The left-most risks are usually embedded into pricing mechanisms. The integration of these mechanisms into systems depends on the products that are being priced. Large corporate loans credit pricing systems take expected risks as direct inputs into the pricing algorithm for each customer, while for mass retail products (such as credit cards) such risks are priced into the product via behavioral scores. An element of capital is often embedded into the pricing as well - the popular RAROC hurdle rate measure is an example of such a mechanism. Of course such capital must take into account all risks associated with the products - not only the obvious credit risks but also operational risks such as fraud.
What's interesting is the assumption that the risks on the right-hand side - those covered by capital and the extreme risks (that should also be covered) are assumed to be priced in as well. Those products that are covered by a measure such as RAROC have at least considered the possibility of prices being adjusted for capital consumption. But even for these products the question is - have extreme risks been truly factored in? In other words, is the capital attributed to the deal a true reflection of the capital required to secure the deal? In the past FIs (and regulators) made vague assumptions that these outsized risks could be addressed via a multiplier on the calculated capital. This assumption has now been proven a fallacy, so more needs to be done to actually quantify the risks.
The systems implications of these changes are interesting. Every self-respecting bank attempts to do a reasonable job calculating capital of the existing portfolio of the firm (though far too many, it seems, take undefensible shortcuts). In the case of pricing there are two additional challenges however. First, firm-capital must be parsed into the capital for a specific deal and customer. This is itself a non-trivial task given the sorry state of customer files, reference data on hierarchies, inaccurate exposure information and unclear data semantics that one finds in most financial firms. But pricing needs to take it one step further and analyze what the capital would be for the deal if it were added to the portfolio. It's clear that the current crude averaging techniques will not pass muster in the future; capital calculation systems will need to be much more coupled with front-office pricing systems.
Stress testing (the right-most region in the image above) adds another wrinkle. New deals could cause increase in stress numbers either on an individual basis or more commonly by adding to the concentration of existing risks (such as geographical or asset-class concentration). The question for deals that generate high stress risks is a) should these deals be done at all? and b) if so, at what price? Considering that comprehensive stress testing is a only just a developing art, it's easy to see how there is a gap in integrating this discipline into deal-making systems. As stress systems develop into production-ready environments in their own right, one would hope that they provide the kind of software interfaces that would allow easy access to generated information.
To sum up, a good way to look at risk management systems in a financial institution is to consider a typical loss-distribution curve. The current landscape shows systems efforts in three distinct clusters, which are typically not designed to talk to each other. Going forward, it seems clear to me that a major challenge in risk system design will be to break down these solitudes to form one integrated platform.
