Dimon: JPM ‘Simplifying’ Its Business, Improving Compliance

 

Dimon: JPM ‘Simplifying’ Its Business, Improving Compliance

SEP 17, 2013 10:42am ET
 

WASHINGTON — JPMorgan Chase (JPM) is focusing on simplifying its businesses and improving compliance with regulatory requirements, Jamie Dimon said in an e-mail to employees on Tuesday.

The bank’s chairman and chief executive said that its recent exit from the student lending business and elimination of its physical commodities sales and trading businesses was an attempt to “refocus our priorities.”

“We have been asking our senior people to eliminate products and services that are not essential to serving our customers and are not core to our business,” Dimon wrote.

In the lengthy e-mail, Dimon said the bank is also working to confront the regulatory challenges facing it, including reviewing its foreign correspondent banking business, improving oversight of outside vendors, and adding regulatory compliance staff.

The e-mail comes as JPMorgan Chase nears a $750 million to $800 million settlement with regulators related to last year’s “London Whale” trading scandal. An announcement could come as early as this week.

It also is yet another sign of a newly resurgent Dimon who, after the criticism he took over the Whale incident, successfully fought off an attempt by shareholders to strip him of his chairman title earlier this summer. Since then, he has become more outspoken about the issues facing the industry and his institution.

The regulatory settlement is expected to include an admission of wrongdoing by the bank. Although Dimon did not reference it directly, he said in his e-mail that if “you don’t acknowledge mistakes, you can’t fix them and learn from them.”

“So now, as in the past, we are recognizing our problems, rolling up our sleeves and fixing them,” Dimon wrote.

That includes a renewed focus on the bank’s foreign correspondent banking business, an area that has gotten several large banks, including HSBC and Standard Chartered, into trouble recently with U.S. regulators.

JPMorgan Chase was slapped with a consent order from the Office of the Comptroller of the Currency in January over “critical deficiencies” with respect to its anti-money laundering practices. Many observers expect regulators to impose a monetary penalty on the bank soon over those failures.

Dimon said JPMorgan Chase is strengthening its internal controls “particularly around ‘Know Your Customer’ and transaction monitoring.”

He also said the bank is stepping up supervision of outside vendors, yet another area that has tripped up the bank.

“If a vendor or partner engages with our customers, we need to be as vigilant about their practices as we are about our own, particularly if they interact directly with customers,” Dimon wrote. “We are also proactively trying to decrease the number of vendors we have, which reduces complexity in our business and creates more jobs internally.”

Earlier this summer, JPMorgan Chase halted most sales to third-party collectors of credit card debts amid regulatory concerns over how it pursues payments from customers who are delinquent.

Dimon said that the bank has significantly boosted compliance resources, adding roughly 3,000 employees this year that are dedicated to risk, compliance and control efforts. The bank has also provided 750,000 hours of regulatory and control-related training related to topics like anti-money laundering and Dodd-Frank implementation, he said.

Dimon added that he has also tried to build a “more open and transparent relationship with our regulators.” He held town halls for examiners with the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corp. in May and June. He also held a corporate town hall with bank employees who “regularly interact with regulators.”

“We discussed our culture of transparency, stressing the necessity of fully and accurately reporting material issues to our regulators in a timely manner and responding promptly to their requests,” Dimon said.

Dimon concluded by pledging to create a “best-in-class operating system” for the bank.

“Never before have we focused so much time, effort, brainpower, technological power and money on a single, enterprise-wide objective,” Dimon wrote. “Make no mistake — we are going to get this right.”

 

Deloitte survey: Financial institutions increasing focus on risk management

Thursday 22, August 2013 by Robin Amlôt

Deloitte survey: Financial institutions increasing focus on risk management

 

Heightened regulatory scrutiny and greater concerns over risk governance have led financial institutions to elevate their focus and attention on risk management, a new global survey from Deloitte finds. In response, banks and other financial services firms are increasing their risk management budgets and enhancing their governance programs.

 

According to Deloitte’s eighth biennial survey on risk management practices, titled “Setting a Higher Bar,” about two-thirds of financial institutions (65 per cent) reported an increase in spending on risk management and compliance, up from 55 per cent in 2010.

 

A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.

 

“The financial crisis has led to far-reaching major changes of doing business in financial institutions’ risk management practices, with stricter and ruled based regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts,” said Joe El Fadl, Financial Services Industry Leader at Deloitte Middle East. “That said, risk management shouldn’t be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution’s framework, philosophy and culture for managing risk exposures across the organisation.

“Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, enhancing management capabilities with better risk awareness using data analytics, and improving in data quality,” added El Fadl. “Those that do will be well placed to steer a steady course though the ever-shifting risk management landscape.”

The majority of the institutions participating in the survey (58 per cent) plan to increase their risk management budgets over the next three years, with 17 per cent anticipating annual increases of 25 per cent or more. This is not a trivial matter as 39 per cent of large institutions – particularly those based in North America – reported having more than 250 full-time employees in their risk management function.

 

Risk management moves up the boardroom agenda

Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey’s results, 94 per cent of company boards now devote more time to risk management oversight than five years ago, and 80 per cent of chief risk officers report directly to either the board or the chief executive officer (CEO). Additionally, 98 per cent of company boards or board-level risk committees regularly review risk management reports, an increase from 85 per cent in 2010.

 

“Regulators have been focusing more and more on the role of the board of directors in risk governance, engaging them to approve the institution’s risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution’s risk management of key issues,” said Fadi Sidani, partner in charge, Enterprise Risk Services at Deloitte Middle East.

Other major findings in the survey include:

Almost three out of four risk managers rated their institution to be either extremely or very effective in risk management overall, an increase from 66 percent in 2010’s survey results.

 

The impact of increased regulation is having a significant effect on business strategy and the bottom line, with 48 percent of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24 percent in 2010.

The use of institution-wide enterprise risk management (ERM) programs is continuing to grow. Today, 62 percent of financial institutions have an ERM strategy in place, up from 52 percent in 2010, while a further 21 percent are currently building a program. The total of 82 percent of firms either with or building an ERM program is significantly up from 59 percent in 2008.

 

Institutions are increasingly confident about their effectiveness in managing liquidity risk (85 percent rate themselves as extremely or very effective vs. 77 percent in 2010); credit risk (83 percent against 71 percent in 2010); and country/sovereign risk (78 percent vs. 54 percent in 2010).

 

Stress testing has become a central plank in many institutions’ risk management efforts. Eighty percent of the institutions surveyed stated that stress-testing enables a forward-looking assessment of risk, and 70 percent said that it informs the setting of their risk tolerances.

Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25 percent of institutions rate their technology systems as extremely or very effective while 40 percent of institutions are concerned about their capabilities in the management of risk data.

 

Progress in linking risk management with compensation has changed only incrementally since 2010’s survey results. Currently, 55 percent of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of “clawback” provisions in executive compensation, however, has increased (41 percent vs. 26 percent of institutions in 2010).

 

“Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps,” said Sidani. “Where concerns linger particularly is around operational risk, with a number of recent headlines – like management breakdowns and large-scale cyber-attacks – underscoring the important impacts this area can have on an institution’s reputation. This is a gap that may trigger significant operational risk combined with reputational risk that needs to be properly addressed.”

According to the report, operational risk, which is a key component of Basel II, has been a continuing challenge for institutions. The lack of ability to measure operational risk and the complexity of many operational processes are key causes of this. Only 45 per cent of firms rated themselves as extremely or very effective in this area, down slightly from 2010.

 

Deloitte’s survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The eighth edition surveyed chief risk officers – or their equivalent – at 86 financial institutions, and represents a range of financial services sectors, including banks, insurers, and asset managers, with aggregate assets of more than $18 trillion. The survey was conducted from September to December 2012.

 

The report may be viewed at http://www.deloitte.com/us/globalrisksurvey

 

The 3 Ms of Risk Management

The 3 Ms of Risk Management

 

 

 

Recent market event have pointed to increasing volatility. As has happened all too many times in the past, risk management disasters continue to plague the industry and show up on the front page of the newspapers. Given the potential for these disasters to occur, lets discuss some required risk management capabilities.

 

Consider the following scenarios:

 

A major market move occurs. The Chief Risk Officer (“CRO”) of a broker/dealer wants to know right now what effect this has on the firm. Are they better or worse off? What actions should be taken? To determine the best course of action the CRO needs to know real-time what the positions are and the potential P&L effect. The CRO must also be able to perform a risk analysis immediately. As we have seen, inability to do this will consume resources, raise the firm’s risk profile and possibly cause losses as a result of the market move.

 

A major firm announces a significant profit restatement. The CRO of a major retail brokerage wants to know which accounts will be affected the most. The CRO needs to know real-time which accounts have concentrations in that industry and SIC code. Since it isn’t clear yet what the full effect of the restatement will be on security prices, can the CRO perform a what-if analysis on specific accounts to determine the potential effects on the firm and the accounts so that proper actions can be taken? Inability to do this real-time will consume resources and increase the risk profile of the firm and the accounts.

 

In both cases, could the CRO have set up early warnings so that the risk systems would have generated alerts as to problem positions or accounts when specific actions occur so that the CRO can spend less time finding risks and more time managing risks?

 

The industry has spent many dollars effecting comprehensive risk management capabilities. Ultimately risk management is, however, a process that requires tools and the right mindset, not just a system that measures risk. The purpose of risk management is the following: minimize the probability that an error occurs AND that it goes unnoticed. To do that, a firm must have all the components of effective risk management. The firm must have the ability to perform the 3 Ms of Risk Management: Measurement, Monitoring and Management of risk. In this paper, we will outline the basic capabilities of each of the three areas.

 

 

Risk Measurement

 

All firms must have the capability to measure their risks. Most firms have risk measurement systems. However, there is a lot more to it than that. Risk measurement involves ALL aspects of the capability to measure risk, not just having systems. To measure risk effectively and accurately, the firm must have accurate and timely information as to its positions, its counterparties and all relevant information regarding its positions and counterparties. This information should ideally be available on a real-time basis as markets move very rapidly and soon the risk analysis may no longer be valid. Measuring this information solely on an overnight (or end of day) basis will not be sufficient as market conditions change during the day, and customer and counterparty activity changes the firm’s risk profile constantly. It is also not sufficient to simply do this several times a day. As market conditions change, the value of the firm’s and its customers’ positions changes accordingly, either favorably or unfavorably. In addition, as customers do trades during the day the firm must be able to track its customers’ accounts as they transact business. This information must be accurate, accessible in a timely manner and able to be retrieved from the firm’s computers and sent to the relevant analytical models for risk evaluation. During some recent risk events, many firms learned that they could not do this effectively, much to their dismay.

 

So what does effective risk measurement entail? Several key components are required:

 

The risk measurement methodologies used must accurately measure the risks. There are many different ways to measure risks and firms use most of them. The two basic necessities for a risk measurement methodology to be effective are that they must reflect the risks they measure and all relevant parties must understand them.

 

Different kinds of firms will require different kinds of risk measures. The measures needed for a portfolio-based approach to risk measurement are not exactly the ones needed for a retail operation. The portfolio approach requires position, position attribute, counterparty and counterparty attribute data. A retail operation will require all that and extensive information at the account level so it can see what individual accounts are doing real-time.

 

The firm must be able to examine its risks at any level and aggregate up or drill down to any desired degree. For example, a broker dealer must be able to measure risk by security, security type, counterparty and type, industry or SIC classification, currency, geographical location, etc. The B/D should then be able to aggregate up or drill down in any direction (for example by country by currency or vice versa). A retail brokerage should be able to measure risk by account, by account type, by industry, SIC code, etc, and aggregate up. They should also be able to drill down to the account level after starting with a portfolio approach. In addition, a retail brokerage needs to perform sophisticated margin calculations on a wide variety of products. Also, they would need to be alerted when specific activities occur in selected accounts, e.g., large trades or prohibited activities.

 

The firm must be able to perform scenario and what if analysis on a real time basis for any of its risk measurement categories. For a retail operation, this means even at the account level.

 

The analytical models used to measure risk must be accurate and measure the right risks. The models must be appropriate to the business and the products. Different products may require different kinds of models and there is nothing wrong with that. Use as many models as is necessary and no more.

The inputs to the models must be accurate. Many firms have a problem with their data and getting it to the right system at the right time. The data must be accurate, clean, and timely. This applies to model-generated data (including the results of risk analysis) as well as historical market data. Without accurate inputs, the model will give misleading results, leading to inaccurate decision-making.

 

The connections between the systems must be accurate. Feeder systems must feed the inputs to the risk model on a timely and accurate basis, just as the risk system must feed other systems in the same manner.

 

The systems must work automatically. You should not have to do anything extra for the system to be measuring risk accurately and timely.

 

The firm should periodically assess its systems and their ability to perform, effecting updated capabilities when necessary.

 

 

Risk Monitoring

 

For effective risk management to take place, risks must be monitored. A firm that simply measures risk three thousand ways but does not monitor it on a timely basis will likely suffer at some point. Risk monitoring includes all aspects of ensuring that accurate risk measurement information is available to the right people on a timely and accurate basis. What does effective risk monitoring entail? Several key capabilities are required.

 

The firm must have timely and accurate risk information available to the right people at the right time.

The firm must have a set of comprehensive risk reports generated during the day. The reason that a set of reports is necessary is that different levels of management require different levels of risk information. The key criterion is that the reports reflect the degree of granularity and breadth of information required to optimize the decision-making capabilities of the party that gets the reports.

The firm must also have this information available on a real-time basis. This means that it must be available online for the parties that require it so they can see what is going on at all times. The same issues of granularity and breadth apply here.

 

The risk systems should have the capability to alert the proper manager when preset conditions occur so that proactive risk management can occur. The firm should set up a variety (as many as needed) of risk conditions that different managers are concerned with. These conditions should also be set in a variety of ways. The parties could set up criteria that will generate alerts. The relevant manager could then drill down into the alert to investigate further. The proper action could be taken.

For example, a B/D could set these alerts to show limit utilization above a certain level (e.g., 75%) and by security, currency, counterparty, trading ledger, industry or geographic location. The system alerts the appropriate level(s) of management when the condition is met. The alerts should also happen as a result of a what-if or scenario analysis, alerting the appropriate party to what could happen under certain conditions. For example, an alert could occur if a major market move would cause an X% loss in a particular security. Management can then examine the alert and take appropriate action, if any. These alerts are set by management and should reflect the conditions with which management is currently concerned.

For a retail operation, this would include all the above. It would also need to include alerts at the account level such as a big trade or an account that is utilizing an increasing portion of its credit and is heading toward a potential margin call. For example, an alert could occur if an X% market move would cause a margin call in a large (or small) account(s). Management can set up appropriate conditions for accounts it wishes to monitor and be alerted when those conditions are met. Management can then examine further and take the appropriate action, if any.

In addition to all the reports and alerts, managers must effectively communicate with each other so that they are aware of current conditions.

 

 

Risk Management

 

The first two steps in the process provide the analytics and the tools that managers at all levels must have in order to make effective decisions regarding risks. The final step in the process may be the simplest to explain. After all the risks that can be measured are monitored (those that can be measured. Not all risks can be measured and you should not try!), and after the correct monitoring systems and procedures are in place, the final step in the process is actually managing the risk. This simply means management decision-making when called for, based on the information that is available. Managers at every level must be ready to take appropriate actions when a condition exists that warrants attention. This means proactive actions. Remember that not every risk condition or situation requires action. It possible that, for example, that a limit is exceeded on a trading floor and management becomes aware of it. After reviewing the excess, determining the cause and discussing the possible harm, the appropriate managers may let it stand and take no action. Or, an alert can be generated on a specific account. After drill down and review, management decides no action is called for.

 

Some of the critical aspects of managing risk effectively are:

 

The proper analytical tools must be used so that the information to decide possible courses of action is reliable

The proper risk monitoring capabilities, including alerting capabilities that provide this information on a real time basis, must be in place

A risk-oriented mindset must exist in all employees. Senior management must drive this mindset from the top down. Everyone bears some of the responsibility, not just management and risk managers

A willingness to be proactive regarding risk management, treating risk management as a business partner, not simply part of a compliance function

 

Conclusion

 

As we all know, there are many crucial aspects to implementing effective risk management capabilities at a firm. It is critical that each phase be implemented at any firm that wishes to effectively manage its risks. This can be summarized relatively simply. The tools for measuring risk must be accurate as must be the inputs to those tools. This means models must be accurate. Data must be clean. The technology behind the system should help the risk management process by identifying risk so that managers gave increased resources for managing risks. Real-time capability is required; batch processes won’t cut it any more. The outputs of the risk measurement process must be available on a real time basis so that managers understand what is happening as it is happening and can take appropriate action. This means everyone gets the info when they need it. Systems that inform management of current conditions go a long way to helping the process. Finally, everyone should consider risk management as part of his or her job. Effective risk management is possible when these conditions are met.