CHAPTER 1

The Cultural Frontiers of Total Risk Management

Dennis Cox

Risk Reward Ltd

Introduction

Peter Bernstein’s Against the Gods¹ illustrates how the remarkable story of risk has been an ever-evolving one, where the frontiers of risk have continually been pushed back with new breakthroughs in our understanding of risk and consequently in our improved ability to identify, measure, and manage risk. Best practices in risk management continue to be designed, defined, and refined by industry participants and their stakeholders. Indeed, there are libraries of books, reams of research papers, and years of discussion dedicated to the continual improvements that are being made in risk identification, measurement, and management. This will remain a perpetual frontier of risk management. However, rather than revisiting these best practices, I would like to focus on some of the other challenges faced by risk managers today. For many, one of the key frontiers is not to design or define new best practices—it is to embed established best practices in the management of their firms. In facing this frontier, the challenge is neither conceptual nor computational; it is in fact cultural.

Risk managers face many challenges today in supporting their businesses. These include the increasing demands on our industry by regulators, investors, and legislators. Regulators have redefined the minimum capital adequacy standards for the industry via Basel II and its successors. Rating agencies and investors are increasingly demanding about the standards of risk disclosures by firms. Legislators, via the Sarbanes-Oxley Act and similar papers, are increasingly holding management boards personally responsible for the corporate governance of their firms. Management boards, in turn, are consequently becoming more demanding of their own risk functions. This is a very heavy change agenda for risk managers and one which often meets with significant cultural challenges in many firms—particularly in more traditional firms. We will now review some of the cultural challenges faced by risk managers.

Beyond Minimum Compliance

Of the multifarious challenges faced by risk managers today, the increasing regulation of our industry has understandably attracted much focus. Despite the heavy regulatory burden, we need to remain mindful not to focus solely on minimum regulatory compliance. In an era of increasing regulatory demands, where compliance fatigue is a common industry ailment, it is easy to forget our primary purpose; that of more effective and efficient business management for our shareholders. The danger is that firms develop a culture of minimum compliance. Of course, regulatory compliance can often be compatible with better enterprise risk management. For example, the development of internal rating models is not just a means to achieving regulatory compliance. Rating models are merely decision tools that must be utilized better to manage risk and extract business benefits. For example, the development of Basel-compliant models, which are externally validated by regulators, will open up new opportunities to mitigate risk in portfolios, which previously could not easily be traded due to difficulties of consistently measuring different risks in different firms. The emphasis on model use is a common and necessary theme throughout the Basel II use test requirements.

Improved Risk Communication

As a result of the increasing regulation and complexity of our business, there are growing requirements for better risk communication with all stakeholders. Internal stakeholders need to understand the more complex regulatory capital impacts on their businesses and how their firms need to respond strategically. Risk managers must proactively engage the business generators in their firms by communicating the strategic context of the change agenda and facilitating their firms in responding strategically to those changes. Business generators, who have their own market-driven priorities, also need to engage with and support risk managers. Without such a partnership approach, neither will achieve their strategic objectives from the heavy change agenda.

Risk management itself is ever evolving. In the same way that risk managers utilize the tools of modern portfolio management theory and value-at-risk methodologies, they must also utilize the communication skills within their toolboxes. In doing so, they must move away from the boilerplate language, with its often specialist jargon, and engage stakeholders on their terms. This is both a cultural challenge and an opportunity for risk managers to be more centrally involved in the management of their firms.

Enterprise Risk Management

With management board members now personally responsible for the corporate governance of their firms, they are rightly more demanding of their risk functions in terms of risk comprehension and risk assurance. Management boards are responsible for the economic health of the entire business and are consequently more interested in an integrated view of all risks and how these risks might change and interact in response to various scenarios. This is often termed an enterprise risk management (ERM) approach which encompasses credit, market, operational, and other material risks² for the enterprise as a whole. An ERM approach is very different to the traditional “silo-based” approach to risk management where different risk components are managed in separate silos (e.g., credit risk vs. market risk) with little interaction between silos. An ERM approach to risk management seeks to create the ability to integrate risks and report them at consolidated levels while recognizing potential diversification benefits both within and across risks. The Risk Management Association (RMA) defines ERM as:

a holistic approach to measuring and managing major risk types based on their simultaneous consideration (and inter-relationships where appropriate), thus allowing an institution to understand and adjust its risk exposures in an overall risk-reward framework.³

There is already much literature available on what an ERM approach entails. Suffice to say, management boards need to refocus on an integrated view of risks across their enterprises and accordingly will seek risk assurances in a similar vein. However, introducing an ERM approach is a major undertaking for any firm and poses significant cultural challenges.

Integration of Risk Silos

These cultural challenges arise as many firms still manage their risks quite strictly within risk silos. This silo-based approach often pervades the entire risk infrastructure of a firm, including its systems, processes, and people. Risk information systems are often designed specifically for one risk type and can impede integration or aggregation with other risk types. In addition to the difficulties in integrating risk information across risk silos, risk information can sometimes be difficult to integrate with other related information (such as earnings), thereby making it more difficult to evaluate risk-reward trade-offs either within or across risk types. Decision-making processes also tend to have different risk committees and risk personnel who evaluate different risks based on different evaluation criteria.

For example, while a VaR⁴ approach to market risk is well accepted in many firms, there is no reason why a credit VaR approach could not equally be employed in the same firms. Aside from the obvious but surmountable data constraints, why is it acceptable for a quantitative portfolio management approach to be adopted for one risk type (i.e., market risk) and not for another (i.e., credit risk) within the same firm? Even where different risks are not easily aggregated, we need to begin to speak the same language—for example, economic capital—and develop nomenclature across risk categories if we are to have an integrated view of enterprise risks.

However, while changing the systems and processes in a firm is one thing, changing the embedded staff culture of a firm is another entirely. Herein lies the real cultural challenge for any enterprise in seeking to adopt a more integrated approach to risk management. In many firms, risk professionals tend to operate in one silo (e.g., credit risk) with little interaction with other silos (e.g., market risk) and consequently tend to have little understanding of, or perhaps interest in, other risks. Moreover, professional progression and reward is often based on technical expertise within one silo and consequently those who succeed in becoming senior risk officers tend to have the majority of their experience in only one risk silo. Where this happens, risk managers do not receive the best preparation for understanding or managing enterprise-wide risks.

Staff Development

The divisions between risk silos are in many ways cultural divisions. To break down these cultural divisions, firms must invest in extensive training and development of their staff so that they can take a more integrated view of enterprise risks. They must encourage and promote job rotation across risk types in order to break down the artificial barriers between different risk silos. Job rotation between risk functions and the business also need to be encouraged so that the symbiotic nature of their relationship is recognized by all. Equally, staff must be willing, and incentivized if necessary, to become more risk-literate and consequently more quantitatively literate. Unless this is done, an ERM approach will remain an aspirational objective in many firms.

In addition to the training and development of staff, many firms may also need to look to the skills balance of staff across risk functions. In many traditional firms today, the majority of risk professionals remain focused on credit risks such that the cost of credit risk management is often a multiple of the actual expected loss for a portfolio. This is despite increasing evidence that the major killer risks faced by firms are increasingly of a nontraditional or operational risk nature. While credit risk probably remains the primary risk source for many firms, is the high concentration of risk staff in credit risk functions justifiable when this is the area of risk in which firms have developed the most experience and expertise over many years? This is sometimes exacerbated by the type of risk analysis undertaken where credit risk professionals are focused on transaction-by-transaction credit approval rather than on overall portfolio management.

Proactive Portfolio Management

While financial firms are in the business of actively taking on risks, once assumed these risks must also be proactively managed while simultaneously recognizing their contribution to portfolio dynamics. However, this does not always occur, particularly where there is no trading-book discipline. Even firms which have developed sophisticated performance measurement models for loan origination purposes are sometimes guilty of poor portfolio management thereafter. For example, many firms calculate the RAROC⁵ or EVA⁶ of every transaction at origination, which takes into account complex economic capital calculations and transactional optionalities. However, once these loans are underwritten, little portfolio management may then be evident. While one can confidently assert that such transactions add shareholder value at the “point in time” of origination, one cannot be as confident as these assets season or as their risk profiles inevitably fluctuate over time. This demonstrates the limitations of any point-in-time metrics, no matter how sophisticated. Portfolios need to be proactively re-evaluated and managed over time; not just at origination or default.

Proactive portfolio management does not end with ongoing risk evaluation. Risk managers also need to go further and ask the fundamental question—so what? It is insufficient to determine whether a portfolio is value-enhancing or not. Portfolios must also be proactively managed using various risk management and mitigation techniques. For example, where a portfolio is outperforming expectations due to a tightening of market spreads, this is not necessarily the time to rest in the knowledge of a good investment decision. Indeed, good portfolio management may dictate that the embedded value of these assets be realized rather than waiting for market spreads to widen again. Alternatively, we may believe spreads will continue to narrow and increase our position. This is proactive portfolio management, which is rarely passive.

While most firms have made significant progress in developing their risk measurement capabilities, many firms have further to go in implementing proactive portfolio management models. Such portfolio management requires significant cultural change from the traditional banking model where lenders sometimes feel personal ownership over “their assets.” It requires the functional separation of loan origination and portfolio management. This is a critical step in moving away from the transaction-by-transaction approach to risk so favored by the traditionalists. It allows a firm to optimize its overall shareholder return and to minimize nasty surprises. Without a portfolio management view of risk, how can a firm identify risk concentrations or diversification benefits? How can it provide incentives to increase portfolio diversification or disincentives to the build-up of any undue concentration risks in a portfolio? Such objectives are very difficult to achieve without a portfolio management view of risks. Loan originators can continue to underwrite business on a case-by-case basis but risk managers must manage risk at the portfolio level.

Raising the Bar

This illustrates that cultural change is not driven solely by regulation and is also a prerequisite for good business management, which must remain our primary objective. Indeed, most of the Pillar 1 requirements of Basel II were already being fulfilled by the advanced firms in our industry. Indeed, even the Basel III requirements focus on capital, together with liquidity, as being the answer to any problems. It is these advanced firms that are continuing to push back the frontiers of risk management with regulators by seeking more independence to utilize their own more sophisticated and risk-sensitive risk methodologies rather than the prescriptive regulatory rules in Basel II/III. This interaction with regulators and policy makers will inevitably lead to better regulation for the entire industry by raising the bar for all.

Despite this, Basel II/III will not necessarily lead to a leveling of the risk management playing field. Whereas many firms are struggling with the regulatory compliance challenges, the more advanced firms are already moving on and will always continue to develop more sophisticated risk management infrastructures. Later iterations of the Basel Accord should reward this increasing sophistication and raise the bar further for the entire industry. This increasing sophistication also needs to be recognized by stakeholders other than regulators; however, such recognition will not happen by right. It is also incumbent upon risk managers to demonstrate and communicate their superior risk management capabilities. This, too, is a cultural challenge.

Improved Risk Disclosure Standards

Improved communication with stakeholders will become a critical requirement if firms are to achieve the benefit of their improved risk management capabilities. Moody’s Investor Services recently produced a damning commentary on the Risk Disclosures of Banks and Financial Firms.⁷ Its main findings are summarized as follows:

Moody’s overall opinion is that the current risk disclosures of banks and security firms fail to inform on the full scope and nature of risk exposures and risk mitigation efforts of these firms. The following are our top level observations:

  • Disclosures tend to be limited to measures such as VaR, which give an incomplete picture of risk and use mostly boilerplate language.
  • Contextual and qualitative elements necessary to understand the real magnitude of exposures and risks typically lack depth.
  • There is no standardized format across firms surveyed: risk disclosures are uneven in size and quality, and they are scattered across annual reports.
  • Finally, risk disclosures basically lack the minimum reliability requirements for relevant and consistent comparisons across firms.

The Moody’s report did not suggest that surveyed firms did not have sophisticated risk management capabilities: rather that their disclosure practices were lacking. Across the industry, however, we can certainly expect some causal link between the sophistication of risk infrastructures and the quality of risk disclosures. Indeed, the quality of risk disclosures represents a potential area for firms to achieve a competitive advantage over their peers and to achieve an additional investment return from their risk infrastructures. Rating agencies and other stakeholders obviously take the quality and sophistication of risk management practices into account in evaluating firms. It is, therefore, imperative for firms not only to have best-in-class risk management practices but also to be able to communicate such practices to stakeholders.

Investor Relations

It is inevitable that the wider investment community will also require similar improvements in disclosure standards in order to identify those firms with superior risk management capabilities. Banks and financial firms are unlike other entities in that they actively seek out risk-taking opportunities. As a result, investors cannot realistically be expected to distinguish between different financial firms based solely on traditional performance multiples without reference to the amount, type, and volatility of risks a firm undertakes (its risk profile) and how it manages and mitigates those risks (its risk strategy). How long then before investment brokers also begin to really challenge firms vis-à-vis the quality of their risk disclosures?

If a bank already has a comprehensive and effective risk management infrastructure, such disclosures will already be utilized in managing the firm and can easily be reproduced with different emphases for different external audiences. A superior risk management capability should lead to more sustainable economic performance and fewer nasty surprises for investors, particularly when the economic environment is less favorable. Such a capability should also lead to competitive advantages in terms of capital requirements, external ratings and, consequently, investment efficiency and performance. Needless to say, this will only happen when the quality of risk disclosures improves significantly beyond current standards. In the interim, investors will continue to judge the quality of firms’ risk infrastructures by the quality of their financial performances and by comparing the content, frequency, and timeliness of their various risk disclosures.

Regulatory Relations

Regulators are also moving in this direction as is evident from Pillars 2 and 3 of the Basel II Accord. Whereas Pillar 3 will formally address some of the public disclosure requirements, Pillar 2 will require firms to describe and explain to regulators the process by which they ensure their capital adequacy. Significantly, there is no distinction in these later pillars between standardized and advanced status. The regulatory prescriptions around capital adequacy and public disclosures will apply equally to all firms. In fact, Pillar 2 is probably the most challenging component of Basel II, requiring, as it does for the first time, a more holistic risk assessment across the entire firm. As a result, it is Pillar 2, rather than Pillar 1, that will transform the frontiers of risk management.

The internal capital adequacy assessment process (ICAAP) of Pillar 2 requires firms to identify and assess all material risks, to describe how these risks are managed and how internal capital is adequately attributed to these risks. This process must be consistent with a firm’s current risk profile and must be embedded into the business strategy and decision making of the firm. As a result, the requirements of Pillar 2 are consistent with an ERM approach to business management and should result in a much-changed relationship between firms and their supervisors.

Supervisory Outsourcing

Significantly, supervisors are not being overly prescriptive about how firms ensure capital adequacy. The lack of prescriptive detail is both an opportunity and a challenge for firms. It is an opportunity for firms to design their own bespoke ICAAP that is intimately tied to their own risk profile, business strategies, and environment. It allows firms to focus on business benefits while at the same time achieving regulatory compliance. More significantly, supervisors are effectively outsourcing to firms the supervisory modeling that they traditionally undertook themselves at an industry level. This supervisory outsourcing is most apparent in the nonprescriptive nature of the ICAAP and in the stress-testing requirements in particular. Firms need to have a rigorous and comprehensive stress-testing program in place which is meaningful to the portfolio characteristics of each individual firm. This is a significant and welcome change of emphasis by regulators and will allow firms to use their own scenario analysis capabilities for regulatory stress testing.

There are significant sanctions for firms who have an inadequate ICAAP, particularly considering the lack of distinction between advanced and standardized approaches. Where firms can demonstrate, however, that they have a rigorous and well-understood ICAAP, they should benefit from a more favorable capital treatment. That is, if supervisors are to promote more sophisticated risk management practices, they must also provide a positive correlation between the capital required to adequately address a firm’s risks and the strength of its risk infrastructure. Of course, a superior risk management capability is not just about capital efficiency, it is also a sine qua non for good business management, which is our primary objective. Moreover, a well-defined and rigorous ICAAP will also meet many of the disclosure requirements of external stakeholders discussed earlier. As the Basel II Accord and the Moody’s disclosure report demonstrate, however, inadequate risk disclosures will no longer be tolerated by external stakeholders. Neither should inadequate risk reporting be tolerated by management boards.

Cultural Challenges

Overall, great progress is being made by all firms in developing more sophisticated risk management infrastructures. This progress is being made at a time of unprecedented regulatory, legislative, and market demands. Some of the major challenges faced by many risk managers are not regulatory, legislative, or market-driven, however; they are, in fact, internal cultural challenges. More importantly, without cultural change, many firms may continue to manage their businesses suboptimally.

Occasionally at risk conferences, bankers can be heard openly discussing the issues of the day. A number of themes are common. First, risk managers not only speak passionately about the capability and potential of their improved risk management infrastructures, but they also talk about the project fatigue from regulatory compliance and the difficulties in embedding change in firms. Second, lenders discuss their difficulties in achieving RAROC hurdles when credit spreads tighten, as they have done in many markets over the last few years. Are these lenders’ views invariant to market risks? Do they consider a business line is no longer viable at current margins and exit this market? Alternatively, do they believe the market spreads have overshot and do they continue to underwrite business, in order to maintain market share, even though they think it may be destroying shareholder value? By underwriting such business, are they merely contributing to the (real or perceived) overshooting of the risk-reward relationship? What is the tolerance for such behavior within the firm? What would they do if they thought of the conundrum as a shareholder instead of as an employee? How aware, if at all, are shareholders of this regular conundrum?

These questions are, in many ways, queries about the risk culture of the firm. If a firm has a strong risk culture such questions are readily understood and addressed. Developing such a risk culture, however, is not easily achieved as it must permeate all levels of an organization. The management board may define the risk culture and set the “tone from the top” but it is often incumbent upon the risk management function to embed this risk culture throughout the organization. A risk culture does not merely come about top-down: it has to be nurtured, developed, and embedded in an organization.

This is a major challenge for most firms and one that falls heavily on the shoulders of risk functions in these firms. Risk managers cannot, however, effect cultural change on their own. They need to bring their colleagues with them on a journey. To do this, risk managers must also be willing to change. Moreover, they must be supported and championed by their own management boards. Only then will shareholders realize the full business benefits of the huge investments being made in risk infrastructures. This is in many ways one of the real frontiers of risk management today. Plus ça change, plus c’est la même chose.


1 Bernstein, P. 1996. Against the Gods—The Remarkable Story of Risk. New York, NY: Wiley.

2 Other risks include business risk, structural balance-sheet risks, reputational risks, pension risks, and so on.

3 RMA Survey 2003. Negotiating the Risk Mosaic, conducted by First Manhattan Consulting Group.

4 Value-at-Risk (VaR).

5 Risk-Adjusted Return on Capital (RAROC).

6 Economic Value Added (EVA).

7 Risk Disclosures of Banks & Financial Firms, Moody’s Investor Services, May 2006.
