Frontiers of Risk Management was always a bold title for any book to try to live up to. Our objective was simple: to consider the entire spectrum of financial services risk management and to identify the best writers we could who would be able to both appreciate current problems and predict future issues and solutions. We did this in 2007and it is that text which is largely reproduced here. Authors are shown with the positions they held at that time since they wrote based upon their experiences at that time.
While this is an easy objective to write, it is a difficult one for the authors to achieve. Finding authors that really understand the issues, techniques, and practice in the current environment is hard enough. The challenge that we set of asking the authors to go boldly into the future makes this a stimulating and interesting book. I am sure you will agree that all of our authors, each from their own perspective, have risen to achieve these ideals. What is perhaps surprising is that they not only looked to future, but the future they foresaw is still some years away. They were not just a few years ahead, in many cases they were 15 years ahead. When you now read these papers it will be clear to you that people did see the problems that were coming, it was just that firms were not yet acting. In these two volumes of reprint we look at these issues in detail.
Some of the chapters look at mathematical issues, while avoiding detailed discussion of mathematical techniques, while others focus on the practical and qualitative approaches. Some authors were asked to look at risk management from a horizontal industry perspective corporate finance, for example—while others were asked to look at it from a risk perspective for example, the impact of credit ratings. Taken together, they represent a complete current view of thought within the financial services risk-management industry.
The Nature of Change
The financial services risk-management industry is going through a period of unprecedented change. This is driven in part by the guidance issued by the Bank for International Settlements (BIS) and the so-called Basel Accord, which has changed the way that banks will in future calculate regulatory capital. But the Accord goes much further than that and requires management involvement in risk management together with the development of a series of new techniques for new challenges. Some of these have been the subjects of new, specific papers from the BIS; stress testing and liquidity risk management, for example.
What these chapters highlight is that risk management is pervasive throughout a firm, from the chairman to the security guard. While a few may be involved directly with market, credit, or strategic risk, all will be involved with reputational and operational risk. Perhaps the most important issue coming out of the Accord is that operational risk requires a regulatory capital charge and is therefore elevated in importance within the risk-management framework.
The Accord now requires regulatory capital to be set aside for market risk, credit risk, and operational risk, but not in Pillar 1 for strategic risk, reputational risk, or liquidity risk. These are all dealt with in Pillar 2, which means there is no explicit calculation and the capital levels will be effectively set by the local regulator. The main reason for this is that the BIS considers these risks to be difficult to model.
When a board considers risk management within a financial institution, it is for the board to consider all of the risks that may befall a company. There would be little point in having excellent controls over credit, market, and operational risk, only to be wiped out by liquidity risk impacting reputational risk, for example. Then there is the issue of insurance and the extent to which it can protect an institution. Again, there are problems with firms not purchasing insurance for every potential loss situation, but rather for reasonably plausible but painful situations. What would be the point of buying insurance for a loss that is greater than the capital value of the firm? The institution would fail because of the event and the receiver would claim on the insurance!
Of course, it would be nice to be able to say that regulation was the result of deep, meaningful, considered thought developed from academic research through the technical skills of industry professionals. What we actually see is regulation often resulting from public failures that are of such magnitude that the regulators have been required to take action. Sarbanes-Oxley in the United States is perhaps the most obvious recent example of this—the US response to Enron—but it is by no means unique. While regulation developed in haste is repented at leisure, there can be no doubt that these public failures have elevated the science of risk management to a much higher plane.
The Problems with Risk Measurement
Boards need to look at risk holistically, considering all of the risks to which the institution is subject all at the same time. This is easy to say, but difficult to achieve. At the heart of this issue is the problem with measurement of risk, for you cannot have risk management without some form of risk measurement.
We are accustomed to measuring market risk and are generally moving to a mark-to-market basis, with a few exceptions—an approach that effectively looks at current value. Credit risk is different. Here the measurement is primarily based on historic experience judging a current portfolio based on historic accounting principles. Operational risk measurement is a developing skill but makes use of a series of building blocks, including control and risk self-assessment and internal and external loss data. There are no common techniques yet for measuring reputational, strategic, or even liquidity risk, or the BIS would have implemented Pillar 1 rules. To make matters even worse, the BIS rules lead to calculating capital based on differing parts of the risk curve. We shall see this explained in more detail within the various chapters.
So what is the result of all of this? Clearly the modeling approaches are all inconsistent, so it is difficult for a board to take the results of the credit, market, and operational risk measurement systems and come up with a total risk for the institution for these three risks, let alone deal with the others that are not currently modeled.
We recognize this to be one of the greatest challenges to the industry going forward—to deal with the entire spectrum of risks on a consistent basis so that boards, regulators, and other stakeholders can actually have confidence in the stability of these institutions.
What Is the Purpose of Capital?
At the heart of this discussion is the issue of regulatory capital itself. The key question is what is it for? It is one opinion that regulatory capital is not very good at protecting the customer. When things go wrong all of an institution’s capital tends to disappear and the depositors still lose out. Clearly the best way for a customer to be protected is either a deposit protection scheme or insurance. Can capital protect an investor? It is hard to argue that it can—the capital is actually part of what the investor is paying for when purchasing an investment. If the capital is dissipated through an unlikely risk event occurring, then their investments will also fall away in value.
There are then only two stakeholders that could be protected by the regulatory capital the market and the regulator. Yet these two stakeholders have opposite objectives. For a market to operate effectively it clearly needs effective and efficient regulation, yet one man’s regulation is another’s competitive advantage. There is no benefit to a regulator in reducing regulatory capital. When an institution fails as a result of some unlikely event, there will be criticism aimed at the regulator for their failure to regulate adequately the institution and to ensure that the institution had capital adequate to cover this unlikely eventuality that somehow seems more likely in retrospect.
The problem is that banks do fail, for a variety of reasons. History is full of old names of institutions where an event caused their demise, with Barings being only one of the most recent examples. Banks will fail and no amount of regulatory capital or supervisory attention can ever act as a total insurance against this. We can clearly see the tension between the regulators wanting higher capital and the market wanting flexibility operating in the creation of the current regulatory regime.
The Challenge of Regulatory Capital
Thus, if we follow the proposition that regulatory capital is designed to protect the regulators and the market, then it must be that it should be mostly concerned with what might be called unlikely nongoal correlated events—or, in plain English, things we do not expect to happen. That is why we welcome the increased emphasis on both stress testing and scenario modeling.
What financial institutions need to increasingly focus on are these low-incidence, high-impact events that might plausibly occur, but have not occurred to date.
The challenge to the regulators is, therefore, to come up with a basis which will enable them to isolate this part of the risk spectrum from expected risks that are better dealt with through budgeting and product pricing within financial control. The challenge for management is to consider the impact on certainty and planning from such unexpected events.
Of course, no book can be completed without the assistance of a number of people. Our thanks must primarily go to the authors who have all dealt with what was a difficult brief. My thanks also go to Saketh Kaveripatnam of Citigroup who acted as Associate Editor and provided invaluable assistance in the identification of suitable authors combined with constructive criticisms and creative suggestions for this publication; and to Lisette Mermod from Risk Reward Limited for her assistance throughout this process.
Risk management is a discipline that is always dealing with change. An event will occur somewhere that immediately makes you question what you have done to date. Perhaps it is a change to the volatility of an instrument that impacts upon your assumptions within a model; perhaps, instead, it is the occurrence of an operational risk event that you had previously considered impossible. It may, of course, be some form of new legislation or regulation implemented either locally or globally. Whatever the change, one thing that can be said with certainty is that risk management is a developing discipline that will continue to evolve over future months and years.
The Following Decade
It is ten years since this work was first produced and this was just prior to the financial crisis. The expectations included within this text were not fulfilled and indeed it is the current regulatory requirements that are now driving their implementation. Indeed perhaps the failure of the market to recognize the importance of risk management as key to the success of a firm probably was a major contributor to the crisis occurring. Now we have moved on from Basel 2 to Basel 3 and its revisions, but has risk management improved? In another work I have set out in a nutshell the practical steps a firm should take. Indeed Risk Management in a Nutshell can be taken as a text that underpins much of what is here.
In this revised edition in two parts I have sought to be faithful to the original text from 2007 and have only made changes where they were clearly necessary. I am sure that any reader will gain something from some of the material here and identify common themes. For me the continued failure of some firms to recognize that the currency of their firm is risk with results being a consequence of the calculated taking of risk remains a disappointment. Too many firms still have failed to appreciate how risk management should be embedded and what they need to do in practice. Risk management is a driver to the success of any firm and this text seeks to provide some pointers. Written by industry professionals who were at the leading edge of the development of this subject I hope you find this revised text of interest.
Dennis Cox
London, 2018.
Dennis Cox
Risk Reward Limited