Reforming banking’s risk culture requires breaking “accountability firewall”


September 11, 2013 @ 8:09 pm

By Guest Contributor

By Henry Engler, Compliance Complete

NEW YORK, Sept. 11 (Thomson Reuters Accelus) – If there is one part of the cultural makeup of Wall Street that remains firmly in place despite the financial crisis and subsequent avalanche of regulations, it is the reticence among those who lose money to come clean early.

Many of the most spectacular losses in recent years — whether the JPMorgan “London Whale” episode, the UBS “rogue trader” incident, or Jerome Kerviel’s manipulation of internal systems at Société Générale — have all had one thing in common: concealment of trades gone badly wrong, or at a minimum, a lack of transparency and early acknowledgement of losses. And if one can point to a single reason for such behavior, it is the well-known fact that raising the red flag would mean the individual responsible would be shown the door.

The blowup at JPMorgan was noteworthy not just for the size of the loss ($6.2 billion), coming in a unit that was supposed to hedge risk, but also for senior management’s role in cultivating a culture that discouraged individuals from identifying problems.

“Ina (Drew) never wanted to hear bad news,” said a JPMorgan bank executive familiar with the management style of the former Chief Investment Officer where the loss was incurred.

In a lengthy piece by the New York Times [1] last year that examined the failure of controls at JPMorgan, CEO Jamie Dimon said: “Honestly, I don’t care what second-guessers say in life. If anyone in the company knew, they should have said something. No one came to us beforehand and said we have a problem we should be looking at.”

Dimon’s comment could well have been made by other chief executives. In a scathing review of banking practices by the UK Parliamentary Committee on Banking Standards [2] earlier this year, the panel highlighted a disturbing lack of awareness and accountability by senior managers:

“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making… Ignorance was offered as the main excuse. It was not always accidental. Those who should have been exercising supervisory or leadership roles benefited from an accountability firewall between themselves and individual misconduct, and demonstrated poor, perhaps deliberately poor, understanding of the front line.”

The “accountability firewall” might well have been facilitated by management practices that hindered the type of information flow necessary in an effective risk culture. In a separate survey [3] by the London School of Economics, the findings of which are due to be updated in coming weeks, researchers pointed to the fear of punitive action as a primary concern. The study quoted one individual who summarized the views of many:

“One of the things that helps greatly with the flow of information through the organization is how it’s reacted to when it gets to the next level. So being able to report risks openly and honestly without getting your head bitten off from the second that’s done is crucial […] For example, if I told you something that might be happening you do not want your directors on your back saying ‘What have you told them? Why?’ So managing the flow of information through an organization to ensure key stakeholders are properly engaged is quite important […] to avoid the wrong reaction happening.”

What has led us to this state of affairs? And how might it be corrected?

Excesses of short-termism

Establishing a robust risk culture is a subject that management consultants have written volumes on. And when one scours the long list of recommendations, embedding risk awareness across the organization and fostering an environment in which people are comfortable challenging others without fear of retribution are critical components.

But this ideal state would appear far from the current reality at many institutions. In understanding what has led us to an environment of fear and lack of accountability, some argue that the finance sector has taken short-termism to the extreme. The enormous pressures that individuals are under to meet their financial targets, and how those goals are wrapped up in the quest to meet quarterly revenue and profit objectives, create disincentives to identify risk events early.

“The connection that hasn’t been made is how short-termism invites corrupt behaviour — lawful, but corrupt,” says Malcolm Salter of the Harvard Business School, who has written extensively on institutional corruption [4] on Wall Street. In order to rectify the problems, many banks have taken a much closer look at compensation policies, but this may not be enough. “Who is modeling the behavior at the banks?” asks Salter. “There is the cultural aspect of the business: how do you change that culture short of the firm having a breakdown.”

In the UK, the Committee on Banking Standards proposed a series of sweeping reforms aimed at establishing much greater accountability on senior management. Among these would be the “replacement of the statements of principles and the associated codes of practice, which are incomplete and unclear in their application, with a single set of banking standards rules to be drawn up by the regulators. These rules would apply to both senior persons and licensed bank staff and a breach would constitute grounds for enforcement action by the regulators.”

The rules proposed, and which have been embraced by the UK government, are intended to shift the burden of proof of management failure away from the regulator and onto senior management, who will have to “demonstrate that they took all reasonable steps to prevent or offset the effects of a specified failing.” But the new regulatory standards are only UK-specific. International coordination is needed to guard against regulatory arbitrage.

Indeed, what Salter and others see within the industry are ongoing attempts to “game” the system, and legally circumvent many of the regulations that have been piled on since the 2008 crisis. It is this legal gaming, if you will, that remains problematic when envisioning an enhanced risk culture and ethical banking environment. To change that type of behavior requires the type of leadership from the top that we have yet to see, and a regulatory environment that enforces accountability.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus [5]. Compliance Complete provides a single source [6] for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus [7])

[1] New York Times: http://www.nytimes.com/2012/10/07/magazine/ina-drew-jamie-dimon-jpmorgan-chase.html?pagewanted=all&_r=0

[2] UK Parliamentary Committee on Banking Standards: http://www.parliament.uk/documents/banking-commission/Banking-final-report-volume-i.pdf

[3] separate survey: http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Risk-culture-interim-report.pdf

[4] institutional corruption: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2247545&download=yes##

[5] Thomson Reuters Accelus: http://accelus.thomsonreuters.com/

[6] provides a single source: http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/

[7] @GRC_Accelus: https://twitter.com/GRC_Accelus


JP Morgan fined $920m and admits wrongdoing over ‘London Whale’

US’s biggest bank to pay penalties to US and UK regulators for ‘unsound practices’ relating to $6.2bn losses last year

JP Morgan has agreed to pay about $920m in penalties to US and UK regulators over the “unsafe and unsound practices” that led to its $6.2bn London Whale losses last year.

The US’s biggest bank will pay $300m to the US office of the comptroller of the currency, $200m to the Federal Reserve, $200m to the securities and exchange commission (SEC) and £137.6m ($219.74m) to the UK’s financial conduct authority.

JP Morgan admitted wrongdoing as part of the settlement, an unusual step for a finance firm in the crosshairs of multiple legal actions.

“JP Morgan failed to keep watch over its traders as they overvalued a very complex portfolio to hide massive losses,” co-director of the SEC’s division of enforcement, George Canellos, said.

“While grappling with how to fix its internal control breakdowns, JP Morgan’s senior management broke a cardinal rule of corporate governance and deprived its board of critical information it needed to fully assess the company’s problems and determine whether accurate and reliable information was being disclosed to investors and regulators.”

In a statement the OCC blamed “unsafe and unsound practices related to derivatives trading activities conducted on behalf of the bank by the chief investment office (CIO)”, for the fine.

The OCC said its inquiries had found inadequate oversight and governance to protect the bank from material risk, inadequate risk management, inadequate control over pricing of trades, inadequate development and implementation of models used by the bank, and inadequate internal audit processes.

The US authorities are still pursuing JP Morgan. The Justice Department is pursuing criminal charges against some of the bankers responsible for the massive loss. In an indictment unsealed in federal court this week Javier Martin-Artajo, who oversaw trading strategy at the bank’s London office, and Julien Grout, a trader who worked for him, were charged with securities fraud, conspiracy, filing false books and records, wire fraud and making false filings to the SEC.

Grout’s lawyer said this week that his client was being “unjustly played as a pawn in the government’s attempt to settle its highly politicized case against JP Morgan Chase”.

The bank also faces another fine from the commodity futures trading commission which is still investigating whether the bank is guilty of market manipulation.

Jamie Dimon, the bank’s chairman and chief executive, initially dismissed the mounting losses at the bank’s London offices as a “tempest in a teapot”. In a statement Dimon said: “We have accepted responsibility and acknowledged our mistakes from the start, and we have learned from them and worked to fix them. Since these losses occurred, we have made numerous changes that have made us a stronger, smarter, better company.”

This week in a letter to staff he warned: “Unfortunately, we are all well aware of the news around the legal and regulatory issues facing our company, and in the coming weeks and months we need to be braced for more to come.”

The admission of wrongdoing is a major victory for the SEC. US judges in recent years have questioned fines where banks were allowed to neither admit nor deny wrongdoing. Judge Jed Rakoff blocked a 2011 SEC settlement with Citigroup because he said the lack of an admission of wrongdoing made it impossible for him to determine whether the fine was “fair, reasonable, adequate and in the public interest”.

 

theguardian.com © 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

Dimon: JPM ‘Simplifying’ Its Business, Improving Compliance

SEP 17, 2013 10:42am ET

WASHINGTON — JPMorgan Chase (JPM) is focusing on simplifying its businesses and improving compliance with regulatory requirements, Jamie Dimon said in an e-mail to employees on Tuesday.

The bank’s chairman and chief executive said that its recent exit from the student lending business and elimination of its physical commodities sales and trading businesses were an attempt to “refocus our priorities.”

“We have been asking our senior people to eliminate products and services that are not essential to serving our customers and are not core to our business,” Dimon wrote.

In the lengthy e-mail, Dimon said the bank is also working to confront the regulatory challenges facing it, including reviewing its foreign correspondent banking business, improving oversight of outside vendors, and adding regulatory compliance staff.

The e-mail comes as JPMorgan Chase nears a $750 million to $800 million settlement with regulators related to last year’s “London Whale” trading scandal. An announcement could come as early as this week.

It also is yet another sign of a newly resurgent Dimon who, after the criticism he took over the Whale incident, successfully fought off an attempt by shareholders to strip him of his chairman title earlier this summer. Since then, he has become more outspoken about the issues facing the industry and his institution.

The regulatory settlement is expected to include an admission of wrongdoing by the bank. Although Dimon did not reference it directly, he said in his e-mail that if “you don’t acknowledge mistakes, you can’t fix them and learn from them.”

“So now, as in the past, we are recognizing our problems, rolling up our sleeves and fixing them,” Dimon wrote.

That includes a renewed focus on the bank’s foreign correspondent banking business, an area that has gotten several large banks, including HSBC and Standard Chartered, into trouble recently with U.S. regulators.

JPMorgan Chase was slapped with a consent order from the Office of the Comptroller of the Currency in January over “critical deficiencies” with respect to its anti-money laundering practices. Many observers expect regulators to impose a monetary penalty on the bank soon over those failures.

Dimon said JPMorgan Chase is strengthening its internal controls “particularly around ‘Know Your Customer’ and transaction monitoring.”

He also said the bank is stepping up supervision of outside vendors, yet another area that has tripped up the bank.

“If a vendor or partner engages with our customers, we need to be as vigilant about their practices as we are about our own, particularly if they interact directly with customers,” Dimon wrote. “We are also proactively trying to decrease the number of vendors we have, which reduces complexity in our business and creates more jobs internally.”

Earlier this summer, JPMorgan Chase halted most sales to third-party collectors of credit card debts amid regulatory concerns over how it pursues payments from customers who are delinquent.

Dimon said that the bank has significantly boosted compliance resources, adding roughly 3,000 employees this year who are dedicated to risk, compliance and control efforts. The bank has also provided 750,000 hours of regulatory and control-related training on topics like anti-money laundering and Dodd-Frank implementation, he said.

Dimon added that he has also tried to build a “more open and transparent relationship with our regulators.” He held town halls for examiners with the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corp. in May and June. He also held a corporate town hall with bank employees who “regularly interact with regulators.”

“We discussed our culture of transparency, stressing the necessity of fully and accurately reporting material issues to our regulators in a timely manner and responding promptly to their requests,” Dimon said.

Dimon concluded by pledging to create a “best-in-class operating system” for the bank.

“Never before have we focused so much time, effort, brainpower, technological power and money on a single, enterprise-wide objective,” Dimon wrote. “Make no mistake — we are going to get this right.”

 

Deloitte survey: Financial institutions increasing focus on risk management

Thursday, 22 August 2013 by Robin Amlôt

Heightened regulatory scrutiny and greater concerns over risk governance have led financial institutions to elevate their focus and attention on risk management, a new global survey from Deloitte finds. In response, banks and other financial services firms are increasing their risk management budgets and enhancing their governance programs.

 

According to Deloitte’s eighth biennial survey on risk management practices, titled “Setting a Higher Bar,” about two-thirds of financial institutions (65 per cent) reported an increase in spending on risk management and compliance, up from 55 per cent in 2010.

 

A closer look at the numbers finds, though, that there is a divergence when it comes to the spending patterns of different-sized firms. The largest and the most systemically important firms have had several years of regulatory scrutiny and have continued their focus on distinct areas like risk governance, risk reporting, capital adequacy and liquidity. In contrast, firms with assets of less than $10 billion are now concentrating on building capabilities to address a number of new regulatory requirements, which were applied first to the largest institutions and are now cascading further down the ladder.

 

“The financial crisis has led to far-reaching major changes of doing business in financial institutions’ risk management practices, with stricter and rule-based regulatory requirements demanding more attention from management and increasing their overall risk management and compliance efforts,” said Joe El Fadl, Financial Services Industry Leader at Deloitte Middle East. “That said, risk management shouldn’t be viewed as either a regulatory burden or a report destined to gather dust on a shelf. Instead, it should be embedded in an institution’s framework, philosophy and culture for managing risk exposures across the organisation.

“Knowing that a number of regulatory requirements remain in the queue, financial institutions have to be able to plan for future hurdles while enhancing their risk governance, enhancing management capabilities with better risk awareness using data analytics, and improving in data quality,” added El Fadl. “Those that do will be well placed to steer a steady course through the ever-shifting risk management landscape.”

The majority of the institutions participating in the survey (58 per cent) plan to increase their risk management budgets over the next three years, with 17 per cent anticipating annual increases of 25 per cent or more. This is not a trivial matter as 39 per cent of large institutions – particularly those based in North America – reported having more than 250 full-time employees in their risk management function.

 

Risk management moves up the boardroom agenda

Alongside increased spending, risk management has also significantly risen up the agenda in the boardroom. According to the survey’s results, 94 per cent of company boards now devote more time to risk management oversight than five years ago, and 80 per cent of chief risk officers report directly to either the board or the chief executive officer (CEO). Additionally, 98 per cent of company boards or board-level risk committees regularly review risk management reports, an increase from 85 per cent in 2010.

 

“Regulators have been focusing more and more on the role of the board of directors in risk governance, engaging them to approve the institution’s risk appetite and risk policies, overseeing their implementation by management and increasingly looking to understand the challenge that the board makes in its oversight of the financial institution’s risk management of key issues,” said Fadi Sidani, partner in charge, Enterprise Risk Services at Deloitte Middle East.

Other major findings in the survey include:

Almost three out of four risk managers rated their institution to be either extremely or very effective in risk management overall, an increase from 66 percent in 2010’s survey results.

 

The impact of increased regulation is having a significant effect on business strategy and the bottom line, with 48 percent of firms confirming that they have had to adjust product lines and/or business activities, a percentage that doubled from 24 percent in 2010.

The use of institution-wide enterprise risk management (ERM) programs is continuing to grow. Today, 62 percent of financial institutions have an ERM strategy in place, up from 52 percent in 2010, while a further 21 percent are currently building a program. The total of 82 percent of firms either with or building an ERM program is significantly up from 59 percent in 2008.

 

Institutions are increasingly confident about their effectiveness in managing liquidity risk (85 percent rate themselves as extremely or very effective vs. 77 percent in 2010); credit risk (83 percent against 71 percent in 2010); and country/sovereign risk (78 percent vs. 54 percent in 2010).

 

Stress testing has become a central plank in many institutions’ risk management efforts. Eighty percent of the institutions surveyed stated that stress-testing enables a forward-looking assessment of risk, and 70 percent said that it informs the setting of their risk tolerances.

Technology used to monitor and manage risk is a particular concern and, according to the report, significant improvements in risk technology are needed. Less than 25 percent of institutions rate their technology systems as extremely or very effective while 40 percent of institutions are concerned about their capabilities in the management of risk data.

 

Progress in linking risk management with compensation has changed only incrementally since 2010’s survey results. Currently, 55 percent of institutions incorporate risk management into performance goals and compensation for senior management, which is little changed from 2010. The use of “clawback” provisions in executive compensation, however, has increased (41 percent vs. 26 percent of institutions in 2010).

 

“Financial institutions are becoming increasingly confident in their risk management abilities, but they also recognize where there are gaps,” said Sidani. “Where concerns linger particularly is around operational risk, with a number of recent headlines – like management breakdowns and large-scale cyber-attacks – underscoring the important impacts this area can have on an institution’s reputation. This is a gap that may trigger significant operational risk combined with reputational risk that needs to be properly addressed.”

According to the report, operational risk, which is a key component of Basel II, has been a continuing challenge for institutions. The lack of ability to measure operational risk and the complexity of many operational processes are key causes of this. Only 45 per cent of firms rated themselves as extremely or very effective in this area, down slightly from 2010.

 

Deloitte’s survey assesses the risk management programs, planned improvements, and continuing challenges among global financial institutions. The eighth edition surveyed chief risk officers – or their equivalent – at 86 financial institutions, and represents a range of financial services sectors, including banks, insurers, and asset managers, with aggregate assets of more than $18 trillion. The survey was conducted from September to December 2012.

 

The report may be viewed at http://www.deloitte.com/us/globalrisksurvey

 

Eight Ways to Move Toward a Culture of Compliance

Originally Published June 7, 2013, 12:01 AM ET


More than just a set of policies and procedures, effective compliance risk management at the enterprise level can be viewed as a cultural ethic that should function like any other business asset that reaches across an organization. An effective way to get there is through a risk intelligent framework that brings compliance into the open, running throughout all business processes, with responsibility shared among all employees.

“A risk intelligent framework can be a radical shift from the way most companies see compliance today,” says Donna Epps, a partner and U.S. co-leader of Governance and Risk Management at Deloitte Financial Advisory Services LLP. “To move a company in that direction, the chief compliance officer will need to gain the backing and support of stakeholders from across the organization, including executive peers, business-unit and functional leaders, and the board of directors.”

Following are eight initiatives a Chief Compliance Officer (CCO), working with the CFO, can lead to help bring about a more holistic program of compliance risk management through a risk intelligent approach and elevate awareness at the enterprise level.

1. Get the Top Brass on Board

The road to holistic risk compliance can be much smoother if the CEO, CRO and the board of directors understand what the CCO is trying to do and why they should want to help. Risk intelligent compliance requires clear channels of communication between the compliance risk management program and the enterprise risk management (ERM) program, and the CRO’s engagement is critical. Luckily, the CRO’s shared interest in improving risk management effectiveness can make risk intelligent compliance a relatively easy sell.

The CEO’s role in supporting risk compliance is to empower the CCO with the authority needed to drive meaningful change, as well as to provide the necessary investment, political support, and, if needed, enforcement. Gaining the CEO’s support can require the CCO to make clear the risk management benefits of robust compliance processes, as well as collateral benefits of cost reduction and revenue enhancement. Any up-front investments must also be addressed early, such as the purchase of more effective technology to replace spreadsheet-based tracking and reporting.

The board of directors can play a role in holding management accountable for results of the enhanced programs. “The CCO’s task is to set expectations, develop metrics and establish milestones that are both substantive and realistic, as well as establish a multiyear master plan,” says Scott Baret, partner, Governance, Regulatory and Risk Strategies, Deloitte & Touche LLP, who also serves as global leader, Financial Services Enterprise Risk Services. “Many boards prefer to spend time on risk management rather than on compliance, so CCOs may want to consider framing board discussions in the context of ERM.”

2. Take the Company’s Bearings

Like any transformation, the pursuit of risk intelligent compliance begins with understanding the current state. Important questions include:

What are the company’s current compliance obligations and risks?

Who owns each risk?

What controls are in place against them?

How does the organization respond to control failures?

How are remediation priorities set?

What supporting technologies are used?

3. Develop the ERM-aligned Compliance Risk Management Program

Coordinating compliance risk management with ERM provides CCOs the operational basis for establishing, strengthening and validating the link between compliance and enterprise value. How a CCO accomplishes this at any particular company will depend greatly on internal organizational dynamics. “For insights on how to maintain effective cross-communication with ERM, the CCO may want to look at the way the internal audit function interacts with ERM to evaluate company risks,” says Mr. Baret.

4. Align the Compliance Function

The process of aligning compliance activities and investments with business priorities starts with the compliance function itself. The CCO should allocate the compliance function’s activities across the company’s compliance risks according to the relative importance of each compliance risk to enterprise value. In some cases, this may mean deploying people and infrastructure to countries, programs and/or activities where greater investment seems counterintuitive. In others, it may mean scaling back on one or more “sacred cows.” In either case, the CCO should be able to back up his or her decisions with reasons that tie solidly back to ERM priorities.

The corollary is that CCOs themselves should prioritize requests for investments in the compliance function based on their expected risk management benefit. Barring obvious infrastructural or resource gaps, the choice of what to ask for first may sometimes come down to a frank judgment call.

5. Lobby Hard for Effective Technology

The “right” technology and data architecture, both within and outside the compliance function, can go a long way toward improving compliance efficiency and effectiveness. Automating controls, for instance, can help lower costs and increase reliability, especially if the controls are first rationalized to reduce duplication. Companies can also avail themselves of a growing array of tools to support the compliance risk management process, some stand-alone, some sold as part of larger “enterprise governance, risk and compliance” solutions.

Some of the newer compliance tools feature: automated monitoring of regulatory releases; workflow capabilities to facilitate compliance process execution and tracking; and integrated “front end” interfaces that allow users to execute, document and track compliance activities in multiple areas from a single point of access.

6. Piggyback on Each Other’s Work

Looking for ways to reduce duplication of effort with other internal groups can help a CCO stretch the compliance function’s limited budget and resources. In particular, the CCO should enlist internal audit in supporting compliance oversight by testing and auditing compliance-related internal controls and business processes. Compliance personnel can advise internal audit on what tests would be most useful to the compliance function, as well as on what tests might be better left to the compliance function’s specialists to perform.

7. Foster a Culture of Compliance

Changing corporate culture can take years. CCOs should expect to work with the office of the CEO—as well as human resources, legal and communications—to supervise the change initiative and supply compliance-specific guidance as needed. Important areas to address include:

Performance management and compensation

Training

Leadership development

Communications

8. Participate in Strategic Planning

The risk intelligent CCO should help leaders set a strategy that takes compliance into appropriate account by bringing relevant compliance perspectives to the strategic planning process. For instance, the CCO should explain what compliance obligations are associated with each of the strategic options being considered, help evaluate the likely compliance risk associated with each option and describe the nature and extent of the investments that may be needed to maintain compliance risk exposures within acceptable tolerances under a variety of conditions. “Once the strategy is set, the CCO should help the company understand and prepare to address compliance obligations that are expected to arise in execution,” adds Ms. Epps.


The 3 Ms of Risk Management


Recent market events have pointed to increasing volatility. As has happened all too many times in the past, risk management disasters continue to plague the industry and show up on the front page of the newspapers. Given the potential for these disasters to occur, let’s discuss some required risk management capabilities.

Consider the following scenarios:

A major market move occurs. The Chief Risk Officer (“CRO”) of a broker/dealer wants to know right now what effect this has on the firm. Are they better or worse off? What actions should be taken? To determine the best course of action, the CRO needs to know in real time what the positions are and the potential P&L effect. The CRO must also be able to perform a risk analysis immediately. As we have seen, inability to do this will consume resources, raise the firm’s risk profile and possibly cause losses as a result of the market move.

A major firm announces a significant profit restatement. The CRO of a major retail brokerage wants to know which accounts will be affected the most. The CRO needs to know in real time which accounts have concentrations in that industry and SIC code. Since it isn’t clear yet what the full effect of the restatement will be on security prices, can the CRO perform a what-if analysis on specific accounts to determine the potential effects on the firm and the accounts so that proper actions can be taken? Inability to do this in real time will consume resources and increase the risk profile of the firm and the accounts.

In both cases, could the CRO have set up early warnings so that the risk systems would generate alerts on problem positions or accounts when specific actions occur, letting the CRO spend less time finding risks and more time managing risks?

The industry has spent many dollars putting comprehensive risk management capabilities in place. Ultimately, however, risk management is a process that requires tools and the right mindset, not just a system that measures risk. The purpose of risk management is the following: minimize the probability that an error occurs AND that it goes unnoticed. To do that, a firm must have all the components of effective risk management. The firm must have the ability to perform the 3 Ms of Risk Management: Measurement, Monitoring and Management of risk. In this paper, we will outline the basic capabilities of each of the three areas.

Risk Measurement

All firms must have the capability to measure their risks. Most firms have risk measurement systems. However, there is a lot more to it than that. Risk measurement involves ALL aspects of the capability to measure risk, not just having systems. To measure risk effectively and accurately, the firm must have accurate and timely information as to its positions, its counterparties and all relevant information regarding its positions and counterparties. This information should ideally be available on a real-time basis as markets move very rapidly and soon the risk analysis may no longer be valid. Measuring this information solely on an overnight (or end of day) basis will not be sufficient as market conditions change during the day, and customer and counterparty activity changes the firm’s risk profile constantly. It is also not sufficient to simply do this several times a day. As market conditions change, the value of the firm’s and its customers’ positions changes accordingly, either favorably or unfavorably. In addition, as customers do trades during the day the firm must be able to track its customers’ accounts as they transact business. This information must be accurate, accessible in a timely manner and able to be retrieved from the firm’s computers and sent to the relevant analytical models for risk evaluation. During some recent risk events, many firms learned that they could not do this effectively, much to their dismay.

 

So what does effective risk measurement entail? Several key components are required:

The risk measurement methodologies used must accurately measure the risks. There are many different ways to measure risks and firms use most of them. The two basic necessities for a risk measurement methodology to be effective are that it must reflect the risks it measures and that all relevant parties must understand it.

Different kinds of firms will require different kinds of risk measures. The measures needed for a portfolio-based approach to risk measurement are not exactly the ones needed for a retail operation. The portfolio approach requires position, position attribute, counterparty and counterparty attribute data. A retail operation will require all that and extensive information at the account level so it can see what individual accounts are doing in real time.

The firm must be able to examine its risks at any level and aggregate up or drill down to any desired degree. For example, a broker/dealer must be able to measure risk by security, security type, counterparty and type, industry or SIC classification, currency, geographical location, etc. The B/D should then be able to aggregate up or drill down in any direction (for example, by country by currency or vice versa). A retail brokerage should be able to measure risk by account, by account type, by industry, SIC code, etc., and aggregate up. It should also be able to drill down to the account level after starting with a portfolio approach. In addition, a retail brokerage needs to perform sophisticated margin calculations on a wide variety of products. It would also need to be alerted when specific activities occur in selected accounts, e.g., large trades or prohibited activities.

The firm must be able to perform scenario and what-if analysis on a real-time basis for any of its risk measurement categories. For a retail operation, this means even at the account level.

The analytical models used to measure risk must be accurate and measure the right risks. The models must be appropriate to the business and the products. Different products may require different kinds of models and there is nothing wrong with that. Use as many models as is necessary and no more.

The inputs to the models must be accurate. Many firms have a problem with their data and getting it to the right system at the right time. The data must be accurate, clean, and timely. This applies to model-generated data (including the results of risk analysis) as well as historical market data. Without accurate inputs, the model will give misleading results, leading to inaccurate decision-making.

 

The connections between the systems must be accurate. Feeder systems must feed the inputs to the risk model on a timely and accurate basis, just as the risk system must feed other systems in the same manner.

 

The systems must work automatically. You should not have to do anything extra for the system to measure risk accurately and in a timely manner.

The firm should periodically assess its systems and their ability to perform, updating capabilities when necessary.

Risk Monitoring

For effective risk management to take place, risks must be monitored. A firm that simply measures risk three thousand ways but does not monitor it on a timely basis will likely suffer at some point. Risk monitoring includes all aspects of ensuring that accurate risk measurement information is available to the right people on a timely and accurate basis. What does effective risk monitoring entail? Several key capabilities are required.

 

The firm must have timely and accurate risk information available to the right people at the right time.

The firm must have a set of comprehensive risk reports generated during the day. The reason that a set of reports is necessary is that different levels of management require different levels of risk information. The key criterion is that the reports reflect the degree of granularity and breadth of information required to optimize the decision-making capabilities of the party that gets the reports.

The firm must also have this information available on a real-time basis. This means that it must be available online for the parties that require it so they can see what is going on at all times. The same issues of granularity and breadth apply here.

 

The risk systems should have the capability to alert the proper manager when preset conditions occur so that proactive risk management can occur. The firm should set up a variety (as many as needed) of risk conditions that different managers are concerned with. These conditions should also be set in a variety of ways. The parties could set up criteria that will generate alerts. The relevant manager could then drill down into the alert to investigate further, and the proper action could then be taken.

For example, a B/D could set these alerts to show limit utilization above a certain level (e.g., 75%) and by security, currency, counterparty, trading ledger, industry or geographic location. The system alerts the appropriate level(s) of management when the condition is met. The alerts should also happen as a result of a what-if or scenario analysis, alerting the appropriate party to what could happen under certain conditions. For example, an alert could occur if a major market move would cause an X% loss in a particular security. Management can then examine the alert and take appropriate action, if any. These alerts are set by management and should reflect the conditions with which management is currently concerned.

For a retail operation, this would include all the above. It would also need to include alerts at the account level such as a big trade or an account that is utilizing an increasing portion of its credit and is heading toward a potential margin call. For example, an alert could occur if an X% market move would cause a margin call in a large (or small) account(s). Management can set up appropriate conditions for accounts it wishes to monitor and be alerted when those conditions are met. Management can then examine further and take the appropriate action, if any.

In addition to all the reports and alerts, managers must effectively communicate with each other so that they are aware of current conditions.

Risk Management

The first two steps in the process provide the analytics and the tools that managers at all levels must have in order to make effective decisions regarding risks. The final step in the process may be the simplest to explain. After all the risks that can be measured are monitored (not all risks can be measured, and you should not try!), and after the correct monitoring systems and procedures are in place, the final step in the process is actually managing the risk. This simply means management decision-making when called for, based on the information that is available. Managers at every level must be ready to take appropriate actions when a condition exists that warrants attention. This means proactive actions. Remember that not every risk condition or situation requires action. It is possible, for example, that a limit is exceeded on a trading floor and management becomes aware of it. After reviewing the excess, determining the cause and discussing the possible harm, the appropriate managers may let it stand and take no action. Or an alert can be generated on a specific account; after drill-down and review, management decides no action is called for.

Some of the critical aspects of managing risk effectively are:

The proper analytical tools must be used so that the information to decide possible courses of action is reliable.

The proper risk monitoring capabilities, including alerting capabilities that provide this information on a real-time basis, must be in place.

A risk-oriented mindset must exist in all employees. Senior management must drive this mindset from the top down. Everyone bears some of the responsibility, not just management and risk managers.

A willingness to be proactive regarding risk management, treating risk management as a business partner, not simply part of a compliance function.

Conclusion

As we all know, there are many crucial aspects to implementing effective risk management capabilities at a firm. It is critical that each phase be implemented at any firm that wishes to effectively manage its risks. This can be summarized relatively simply. The tools for measuring risk must be accurate, as must be the inputs to those tools. This means models must be accurate. Data must be clean. The technology behind the system should help the risk management process by identifying risk so that managers have increased resources for managing risks. Real-time capability is required; batch processes won’t cut it any more. The outputs of the risk measurement process must be available on a real-time basis so that managers understand what is happening as it is happening and can take appropriate action. This means everyone gets the info when they need it. Systems that inform management of current conditions go a long way to helping the process. Finally, everyone should consider risk management as part of his or her job. Effective risk management is possible when these conditions are met.

Dodd Frank Collateral Exposure for a Bank

Bank Derivative Holdings = $1 Trillion

Initial Margin 10% = $100 Billion

Variation Margin 1%-5% = $1 to $5 Billion

Collateral Management is a new business process requiring investment and technology.

Bank Reorganization may be needed.

New interbank collateral trading processes need to be implemented with resultant trading agreements.

New business area for interbank brokers and central bankers.