Bank Risk Management Requirements - Valutrics

The 2008 global financial crisis has shaken up the status quo in the world of risk management and has opened the door for all companies to look at how to enhance their Corporate Risk Management programs. First, the crisis has clearly exposed as false the claim by the banking sector that it had best-in-class risk management practices. This matters because others in the financial services sector had been enamored with the banking approach and believed that all they had to do was imitate it.

During the heart of the crisis, there was a lull in Corporate Risk Management advancement as individuals and companies were just scampering to survive. However, once the worst appeared to be over, companies in all sectors of the economy started to conduct assessments of their Corporate Risk Management programs to determine priorities for improvements. As before, the financial services sector is positively engaged. However, the non-financial services industry is also moving forward, some companies more rapidly than others. In particular, many companies in the consumer products sector enhanced their Corporate Risk Management activities, in part thanks to their experience with the financial crisis and its influence on their supply chain.
Another important consequence of the financial crisis is that it is no longer as difficult for those involved in the Corporate Risk Management process to get management to consider worst-case scenarios.

Banks' Risky Investments
Before the crisis, banks solicited more mortgage investors by means of complex innovative mortgage investment products that made it easier to invest in the mortgage market, and where the risks to investors were even less transparent than normal (due to multifaceted packaging of mortgages and multiple handoffs) and magnified in exposure (through leverage). Two such products were collateralized debt obligations (CDOs) and credit default swaps (CDSs).
CDOs led to less transparency. A CDO is a bond with payments based on cash flows from a package of mortgage products, such as mortgage-backed securities (MBSs) and collateralized mortgage obligations (CMOs). Different CDOs have distinct degrees of risk, called tranches, based on how the CDO defines the way in which cash flows will be split up. Some tranches were regarded as highly secure (triple-A credit rating). The multifaceted packaging of mortgages made the risk behind the investment murkier.

However, further reducing transparency were CDOs of CDOs, called CDO-Squareds, which involve reselling more detailed tranches of existing CDO tranches. These multiple handoffs made investors yet another entity removed from understanding the risk. CDSs magnified the risks. A CDS is essentially an insurance policy against the failure of a given entity. The issuer of the CDS receives steady cash inflows but suffers a large loss if the entity fails. CDSs issued on CDOs or other mortgage instruments allowed the magnification of bets on the mortgage market, through leverage, because the number of CDSs was not limited to the number of mortgages, or CDOs, on which they were based.

Key Corporate Risk Management Requirements
The 10 key Corporate Risk Management Requirements are:
1. Corporate-wide scope
2. All risk types included
3. Key risk emphasis
4. Integrated throughout risk types
5. Aggregated metrics
6. Balances risk and return management
7. Appropriate risk disclosures
8. Measures value effects
9. Includes decision making
10. Principal stakeholder focus.

These Requirements are the critical defining elements of a robust Corporate Risk Management program, and are a good benchmark to use in evaluating Corporate Risk Management programs.

Requirement 1: Corporate-Wide Scope
The Corporate Risk Management program must be equally applied throughout the enterprise. A common failure is the presence of a "star unit." This is a business unit that is exempt from certain activities, such as Corporate Risk Management, as a result of its generating large revenue growth and/or profits. This leads to a lack of understanding, or willful ignorance, of the risks involved in the business.
Many banks that contributed to the financial crisis fell into this scenario. The business units issuing mortgage products were encountering a high level of expansion. Management did not want to miss out on the growth opportunity in which many of their competitors were participating. The pressure for growth, as well as the seduction of easy and rapid growth, either influenced management to consciously avoid a full level of Corporate Risk Management scrutiny, or unconsciously use a light touch that avoided fully looking at the risks.

Requirement 2: All risk types included
All risk types have to be included in the Corporate Risk Management program. Risk types include the following:
* Financial risk, which includes market, credit, and liquidity risks.
* Strategic risk, which includes risks related to strategy, execution of strategy, governance, competitors, suppliers, external relations, regulatory changes, and so on.
* Operational risk, which includes risks related to human resources, technology, litigation, compliance, fraud, disasters, and so on.
* Insurance risk, which involves risks that generally apply only to insurance companies, and includes pricing risk, underwriting risk, and reserving risk; this risk category also applies to non-insurance companies issuing contracts that cover contingencies analogous to insurance contracts, such as CDSs.

There are three reasons why companies may fail to satisfy this condition. Two of these apply here:
1. Inability to quantify strategic and operational risks. Banks use one of two alternative capital-based approaches to risk quantification. Both alternative approaches ignore strategic risks altogether. The majority of banks use Alternative 1, which poorly measures operational risks in that it is not a risk-based approach and is sometimes not even directionally correct. Those banks using Alternative 2 are unable to fully quantify operational risks because they ignore impacts to future revenues and expenses.
2. Financial analyst bias. This bias (an excessive focus on financial risk) arises from the fact that the financial modelers' education, training, certification, experience, and department are all focused solely on financial risk, and that their techniques only work well for these risks. Bank financial modelers definitely suffer from such bias. This bias leads to management receiving information on enterprise risk exposure that appears complete, but is not. In fact, as discussed, research shows that financial risk only represents a fraction of the bank's overall exposure, once strategic and operational risks are properly factored in. Deepening this false impression is the level of precision with which the financial risk exposures are presented. The level of precision is implied by the significant digits in the exposure data provided to management.

Some claim that the financial crisis was a "perfect storm" where an unforeseeable combination of rare events suddenly came together. Others contend that many bank personnel were aware of the exposures or should have been aware, but this information did not become available to their boards of directors, executives, or management. If so, why not? What went wrong?
There are three non-financial sources of risk that contributed to the financial crisis:
1. Agency risk
2. Process risk
3. Errors

Agency Risk
Banks have agency risk, in terms of a misalignment of the interests of management with that of the shareholders, as well as with that of the taxpayers. The agency risk due to misalignment with shareholders comes in the form of incentive compensation programs that reward management for generating high revenues and profits without properly adjusting for the corresponding increase in risk exposure. To prevent this:
1. Measure risk exposures on the basis of impact on value
2. Integrate information on risk exposures into business performance evaluation, including an attribution at the individual level
3. Integrate information on risk exposures into incentive compensation

The first feature, measuring risk in terms of value impacts, is critical to aligning management’s interests with that of the shareholders, because the shareholders’ primary metric is company value. However, bank risk management programs do not have this feature, because they measure risk in terms of the balance sheet, as impacts on capital or required capital.

Bank risk management programs also do not have the second and third features. Though banks do have risk exposure metrics in their business performance analysis, they are flawed. Banks typically use the Value-at-Risk (VaR) metric. VaR is often defined as the maximum amount of capital that can be lost in a single day, within a given small predefined likelihood. A key weakness of this metric is that bank associates can add large amounts of risk without accountability, by creating it, or defining it, as just beyond the likelihood threshold, so that it is not captured in the VaR metric. In addition, banks generally do not produce attributions of the risk exposure metrics at the individual level. Without knowing the level to which an individual elevated risk exposure, it is impossible to build this into incentive compensation.
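The VaR weakness described above can be shown numerically. The following Python example is added here and is not part of the original text; its loss distributions (a base book and a hypothetical position with a 0.4% chance of a 50M loss, amounts in millions) are constructed assumptions, and exact fractions are used so the figures are reproducible.

```python
from fractions import Fraction as F

# A discrete one-day loss distribution: {loss_amount: probability}, summing to 1.
# Amounts are in millions. These values are constructed for illustration only.
BOOK = {F(0): F(90, 100), F(1): F(7, 100), F(3): F(25, 1000), F(8): F(5, 1000)}

# Hypothetical added position: a 0.4% chance of losing 50M, otherwise nothing.
# 0.4% sits just beyond the 1% tail that a 99% VaR examines.
TAIL_BET = {F(0): F(996, 1000), F(50): F(4, 1000)}


def combine_independent(a, b):
    """Loss distribution of holding both books, assuming independence (convolution)."""
    out = {}
    for loss_a, p_a in a.items():
        for loss_b, p_b in b.items():
            out[loss_a + loss_b] = out.get(loss_a + loss_b, F(0)) + p_a * p_b
    return out


def value_at_risk(dist, confidence):
    """Smallest loss L such that P(loss <= L) >= confidence (the VaR quantile)."""
    cumulative = F(0)
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence:
            return loss
    raise ValueError("probabilities do not sum to 1")


def expected_shortfall(dist, confidence):
    """Average loss over the worst (1 - confidence) share of outcomes."""
    tail = F(1) - confidence
    remaining, total = tail, F(0)
    for loss in sorted(dist, reverse=True):
        take = min(dist[loss], remaining)  # consume probability mass from the worst end
        total += take * loss
        remaining -= take
        if remaining == 0:
            break
    return total / tail


def expected_loss(dist):
    """Mean loss of the distribution."""
    return sum(loss * p for loss, p in dist.items())


def compare(confidence=F(99, 100)):
    """Return (VaR before, VaR after, ES before, ES after, E[loss] before, E[loss] after)."""
    after = combine_independent(BOOK, TAIL_BET)
    return (value_at_risk(BOOK, confidence), value_at_risk(after, confidence),
            expected_shortfall(BOOK, confidence), expected_shortfall(after, confidence),
            expected_loss(BOOK), expected_loss(after))


if __name__ == "__main__":
    v0, v1, es0, es1, el0, el1 = compare()
    # VaR stays at 3M: the new tail risk is invisible to the metric.
    print(f"99% VaR: {float(v0):.2f}M -> {float(v1):.2f}M")
    # Expected shortfall and expected loss both jump, revealing the added exposure.
    print(f"99% ES : {float(es0):.2f}M -> {float(es1):.2f}M")
    print(f"E[loss]: {float(el0):.3f}M -> {float(el1):.3f}M")
```

Reporting a tail-sensitive measure such as expected shortfall alongside VaR is one way to keep such additions visible to management.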

The presence of the agency risk causing misalignment with shareholders contributed to bank management’s taking on excessively high levels of risk.
Doing so increased the possibilities of massive bonuses. Indeed, bank management did receive massive paydays during the mortgage boom. In fact, bank management even received massive bonuses after it became clear that their actions contributed to the financial crisis as well as to the failure of their own firms, some of which had to be bailed out by the government.

The agency risk due to misalignment with taxpayers comes from the moral hazard of bank management thinking that the government will not allow them to fail, but will instead bail them out, if large losses ensue from any of their excessive risk taking. This has also been eloquently referred to as the problem of "privatizing profits and socializing losses."

The occurrence of the agency risk causing misalignment with taxpayers encouraged banks to take on excessively high levels of risk. Banks felt even more emboldened by the fact that so many of their peers were taking the same high-risk bets, which made it even more likely that the government would need to step in, because if trouble ensued, it would cause major systemwide problems. This kind of thinking was confirmed and reinforced by government bailouts of many banks, particularly the largest ones. The Dodd-Frank legislation was intended to address this moral hazard by making future bailouts more difficult. However, many are skeptical, because the banking system is still just as vulnerable, if not more so, to another financial crisis, and when one occurs, the same political pressures for bailouts will reemerge, and a temporary emergency measure could easily be passed to empower another government bailout, notwithstanding the Dodd-Frank bill.

Process Risk
Banks have process risk in that the risk management program is not designed properly and therefore does not perform as expected. However, there is one additional failure in the process design of bank risk management programs that is worth mentioning. See "Is It Gross or Net?"

Is It Gross or Net?
One of the reasons to calculate and internally report risk exposures on a pre-mitigation risk exposure basis is that mitigation does not always work as expected. In the context of our discussion, this is precisely what occurred in the financial crisis. Both examples of the mitigation disappeared. The bank was suddenly no longer able to offload the bulk of the risk to its suppliers, as the market dried up and these suppliers suffered huge losses. In addition, some banks had their monoline insurance company collapse, and the CDO rating immediately fell to the level of the monoline, which was downgraded.

Had these banks calculated, and internally reported, risk exposures on a pre-mitigation, or gross, risk exposure basis, the financial crisis might have been averted, or at least mitigated. Had the pre-mitigation risk exposures been reported up to executives and to the boards of directors, they would have seen a huge surge in exposures in this one area. Seeing the magnitude of the risk on the basis of "what if our mitigation disappears" might have triggered additional scrutiny and some caution that could have diminished, or even prevented, the financial crisis.

Errors
Banks have significant risk exposure to errors by financial analysts doing the modeling work to evaluate the risks inherent in bank products. Bank management relies heavily on financial modelers. In fact, the banks did experience such risk events, which contributed to the financial crisis. We will discuss two examples. One was mispricing the default risk of CDOs. Another was mispricing the insurance risk of CDSs. Financial modelers significantly mispriced the default risk of CDOs by taking a disastrous shortcut. They did not do the hard work to develop individual risk scenarios from historical data, understand the structure of each CDO and how its underlying assets behave, quantify the CDO's default risk by the impacts on the future distributable cash flows of each CDO, and, further, measure the correlation between CDOs using the exposure data developed. Instead, they used a shortcut that involved a formula called a copula, which inferred the default risk of a CDO, and correlations between CDOs, from that implied by the historical market prices for the CDS on the CDO. In other words, because the CDS is an insurance contract on the risk that the CDO will default, the price changes reflect the level of default risk of a CDO, and the relationship between price changes reveals the correlations between CDOs. The market prices of CDSs on CDOs were available because CDSs were tradable securities.

This shortcut did not capture enough detail to make it appropriate for use. It assumed that correlations are constant, when in fact they are unstable. In addition, the historical data on CDSs, upon which the assumptions were based, was not appropriate for developing long-term assumptions. The historical data period was less than 10 years (because CDSs had not existed before that), which is too short. This period included only a housing boom, and certainly did not include a national downturn in housing prices, which occurs periodically. When the housing bubble burst and defaults exploded, banks relying on this inappropriate shortcut for their pricing of CDO default risk and correlation suffered huge losses.

Financial modelers also significantly mispriced the insurance risk of CDSs. Most insurance products must, by law, only be issued by insurance companies. There is a good reason for this. Insurance policies require a high level of security. They provide great social value in the form of extremely long-term guarantees upon which people rely for their future financial security. Insurance companies provide this security. They are heavily regulated. In addition, insurance companies use actuaries to understand the complex insurance products, price the risks, set up appropriate reserves to pay future obligations (where the reserves have additional margins of safety for errors), set up appropriate levels of state-required capital (which provides another layer of protection), and set aside additional capital (yet another layer of protection).

However, CDSs are a type of insurance contract which can be issued by non-insurance companies, such as banks. The banks generally did not use actuaries as their financial modelers to understand and price the risks of CDSs, nor did banks set aside appropriate reserves or capital. This is part of what led to the excessive growth of CDSs and what made them appear so profitable (before they suffered enormous losses). The banks did not understand the risk exposures and they were essentially ignoring a large part of the cost of being in the insurance business: setting up reserves and capital. When these products suffered huge losses, the taxpayers picked up the tab for these ignored costs and more, through the government bailouts of these banks.

Requirement 3: Key Risk Emphasis
Most banks have risk management programs that are indeed properly focused on prioritizing risks and focusing on the most significant threats. They rank their risks and focus more efforts on the largest exposures for the enterprise as a whole.

Requirement 4: Integrated throughout Risk Types
Most banks do not use an integrated approach to risk management. Each department tends to manage risk separately from the others. In addition, they measure risks one at a time, in silo form, and then attempt to use correlation adjustments to reflect risk interactions. This fails to capture the bulk of the interactivity. Silo risk management has several disadvantages, including incompleteness, inefficiency, and internal inconsistency. One aspect of incompleteness is most relevant for our topic: it omits multiple simultaneous risk events, which can lead to the largest losses. The financial crisis was such an event: multiple risk events occurred together, including an increase in interest rates and an ending of the investment supply–demand imbalance, which removed excess foreign capital. Together these exacerbated the separate impact that either event alone would have had on housing prices, triggering the financial crisis and its downward spiral of events. In addition, as discussed earlier, there were non-financial risks that also contributed to the financial crisis.

Requirement 5: Aggregated Metrics
Banks generally do not have either of the two aggregated Corporate Risk Management metrics. They cannot calculate a proper enterprise risk exposure, because they do not have a single metric that can fully quantify all risks. Most banks measure the impact of risk only on the current balance sheet—in terms of change in capital or required capital—rather than on company value. As a result, businesses within the organization that do not have capital requirements cannot be so measured. In addition, strategic and operational risks cannot be fully quantified using capital-based metrics, because the majority of their impact comes from changes to future revenues and expenses.
In addition, most banks cannot clearly define their risk appetite. This is the second of the three core challenges to Corporate Risk Management. This is directly related to their inability to calculate enterprise risk exposure, because it is the basis for defining risk appetite. In addition, the lack of a clear, quantitative definition of risk appetite means that these banks also do not have a top-down allocation of risk appetite to risk limits.
Because most banks do not have an aggregated enterprise-level understanding of what their risk exposure is, or what it should be, it is easier to understand why they fail so frequently, and how they were able to create such a high level of exposure that led to the financial crisis.

Requirement 6: Balances Risk and Return Management
Most banks do use risk information for both upside and downside opportunities. However, they do not do this optimally, because they only measure risk in terms of its impact on the current balance sheet, rather than on company value. Without fully integrating risk and return information, banks will continue to make suboptimal business decisions.

Requirement 7: Appropriate Risk Disclosures
Most banks do not appear to have risk disclosures that adequately incorporate the appropriate information from their risk management programs. As one important example, most banks do not appear to prioritize their key risks, in terms of their potential impact on company value, which would match shareholder priorities. In the context of our discussion, some banks were unable to properly disclose the financial impact of the crisis until multiple quarters after it took hold.

Requirement 8: Measures Value Effects
Once again, most banks do not measure risk on the basis of its potential impact on company value. Instead, they measure it in terms of impacts to the current balance sheet capital or required capital.

Requirement 9: Includes Decision Making
Most banks do not effectively integrate their risk information into decision making. This is the last of the three core challenges to ERM. They do use risk information for mitigation decisions, but their approach is lacking.

Each of the three critical elements must be in place for effectively integrating Corporate Risk Management into decision making:
1. Corporate Risk Management metrics that support decision making
2. Practical Corporate Risk Management models
3. Consensus buy-in from business segments

First, the metrics most banks use do not support all decision making, because they only have robust risk quantification methods for financial risks (this was discussed earlier). In addition, the metrics that they use only provide the risk (capital) side of the equation and not the return (value) side, both of which are needed to support effective decision making. Second, the risk models are not practical. Although the models generally have reasonably fast runtimes, they tend to be lacking in reliability, they use an inappropriately high number of significant digits, and they are particularly poor in terms of transparency.

Most banks do have buy-in from the business segments, but they have the reverse problem: Too much buy-in regarding the risk models. In the context of our discussion, this is one of the factors that contributed to the financial crisis. Most banks failed to scrutinize risk-modeling assumptions or question their validity with enough skepticism.

Requirement 10: Principal Stakeholder Focus
Most bank risk management programs cannot support a primary focus on the shareholders because they don’t use company value as the risk metric. In addition, the use of the capital-based risk metric is indicative of their focus on goals related to secondary stakeholders: maintenance of a satisfactory rating (rating agency focus) and maintaining adequate mandatory capital levels (bank regulators).

Chief Risk Officer (CRO) Responsibilities
The chief risk officer (CRO) heads the Corporate Risk Management program and leads the supporting members of the corporate Corporate Risk Management team.
The Corporate Risk Management team is responsible for leading the development of new Corporate Risk Management capabilities, maintaining existing Corporate Risk Management infrastructure, and introducing enhancements over time. Below is a list of fundamental Corporate Risk Management program infrastructure elements that the Corporate Risk Management team builds, maintains, or enhances:

1. Build
The Corporate Risk Management team must build the following Corporate Risk Management program elements:

Setup
* Develop a Corporate Risk Management program implementation plan
* Outline an initial basic risk governance structure
* Develop a comprehensive risk governance structure after at least one pass through the Corporate Risk Management process cycle

Risk identification
* Develop the risk categorization and definition (RCD) tool
* Design the process, tools, and materials for the qualitative risk assessment
* Lead the development of the key risk list by conducting the qualitative risk assessment
* Develop the risk event database, which is developed during risk identification but used during risk quantification
* Develop the emerging risk identification tools and processes

Risk quantification
* Build the value-based Corporate Risk Management model
* Calculate baseline company value
* Design the risk scenario development process and techniques
* Facilitate development of the key risk scenarios by conducting the risk scenario development process, such as FMEA interviews
* Calculate the individual risk exposures
* Facilitate the development of the key risk scenario correlation assumptions
* Calculate enterprise risk exposure in the graph form
* Facilitate the development of initial pain points, and produce enterprise risk exposure in the table form

Risk decision making
* Facilitate the definition of risk appetite and risk limits by conducting the risk appetite consensus meeting
* Develop the methodology for the top-down allocation of risk appetite to risk limits
* Develop the protocol for the integration of Corporate Risk Management information into decision making
* Monitor risk exposures to ensure they are maintained to within risk tolerance limits
* Facilitate the integration of Corporate Risk Management into strategic planning and business decision making

Risk messaging
* Facilitate the integration of Corporate Risk Management into business performance analysis and incentive compensation
* Develop risk communications for shareholders, rating agencies, and regulators

2. Maintain or Enhance
Over time, the Corporate Risk Management team must maintain or enhance the following Corporate Risk Management program elements:

Risk identification
* Maintain the risk categorization and definition (RCD) tool, such as occasionally adding risk subcategories
* Risk Governance
* Conduct qualitative risk assessments periodically, sometimes annually, often at least every two years, or whenever warranted by significant changes in the internal or external environment; periodically identify or develop supplemental information to assist survey participants, such as a comparative analysis of competitors' disclosed risks
* Update the key risk list after each qualitative risk assessment or for significant changes in decisions or in the internal or external environment
* Update the risk event database for risk events occurring in the company
* Coordinate continual emerging risk identification activities, including monitoring known risks and environmental scanning for unknown risks; periodically identify new techniques to supplement existing activities

Risk quantification
* Maintain, update, and provide appropriate access to the value-based Corporate Risk Management model
* Recalculate baseline company value with at least the same frequency as the strategic planning process
* Update the key risk scenarios impacted by significant changes in decisions or in the internal or external environment by re-conducting the risk scenario development process, such as the FMEA interviews
* Recalculate the individual risk exposures with the same frequency as the strategic planning process, or whenever the key risk scenarios are updated
* Update the key risk scenario correlations when there are significant changes in decisions or in the internal or external environment
* Recalculate enterprise risk exposure with the same frequency as the strategic planning process, or whenever the key risk scenarios or key risk scenario correlations are updated

Risk decision making
* Update the definition of risk appetite, but only infrequently, with significant changes in the strategy or the internal or external environment, by facilitating another risk appetite consensus meeting
* Update the definition of risk limits, but only infrequently; for example, with changes in risk appetite or a reorganization, by facilitating another risk appetite consensus meeting
* Monitor risk exposures against risk tolerance limits, and ensure appropriate risk-priority actions are taken by decision makers
* Update Corporate Risk Management information supporting strategic planning and business decision making for changes in the business
* Over time, facilitate the expansion of applications for the integration of Corporate Risk Management into business decision making

Risk messaging
* Over time, facilitate the expansion of applications for the integration of Corporate Risk Management into business performance analysis
* Over time, facilitate the evolution of the integration of Corporate Risk Management into incentive compensation
* Update communications to shareholders with the same frequency as its venue, such as annually for 10-K risk disclosures; over time, modify communications for changes in regulatory disclosures as well as changes in industry sector conventions regarding disclosures
* Lead the routine development of rating agency communications and conduct the dedicated Corporate Risk Management presentations to rating agency analysts; update communications for changes in rating agency Corporate Risk Management criteria
* Update communications to regulators for changes in regulations