Strengthening risk management
In principle, effective risk management should lie at the heart of financial services business. The proper evaluation, and pricing, of risk is essential to all forms of banking, insurance and investment management. Like all businesses, banks in particular are risk-taking and risk-managing organizations. But unlike other businesses, the leverage inherent in fractional reserve banking makes banks uniquely susceptible to mismanagement of risk; and this carries particular threats to the wider economy.
In practice, the financial crisis revealed in the starkest possible terms that banks were woefully incompetent in understanding the risks they were accepting and in responding accordingly. Despite the best efforts of regulators and supervisors, and no doubt the best intentions of senior managements, banks systematically under-priced risks; and in a number of cases they allowed unacceptable practices to develop which ultimately threatened the stability of the whole financial system.
In the wake of the crisis, the G20 Leaders identified as a priority a need for more intense and effective supervision in future, particularly as it related to systemically important financial institutions (SIFIs). Through the Financial Stability Board (FSB), they have set regulators the task of making the supervision of financial institutions more intense, effective and reliable. Their challenge is to define a revised threshold of sustainable returns for shareholders which also offers safety and soundness for the wider economy and society.
This work is being led by the FSB’s Standing Committee on Supervisory and Regulatory Cooperation, which has set up a dedicated working group for the purpose (the FSB Supervisory Intensity and Effectiveness Group, chaired by the Superintendent of Financial Institutions).
Regulation is not sufficient
Supervision and regulation alone are insufficient to drive a significant improvement in risk management and overall financial stability. Indeed, excessive reliance on regulation and on rules to translate those regulations into practice may even increase risk. There are plenty of indications that in the lead up to the crisis banks and bankers were happy to abide by the letter of regulation, giving little real thought for the potential consequences. The fact is that an effective risk culture is essential to ensure that both the letter and the spirit of regulation are respected. In their November 2012 Progress Report on the issue, the FSB noted that ‘Establishing a strong risk culture at financial institutions is an essential element of good governance.’1
In defining what determines appropriate and effective risk management, it is helpful to distinguish two contrasting elements. The first is the explicit design and operation of the risk management system. This includes definition of risk appetite, governance, capabilities and reporting (see Table 1). The second element is the nature of the risk culture in the organization – ‘the way we do things round here’ – and whether it is conducive to people behaving in the correct and desired manner independent of specific system provisions (see Table 2).
Different banks vary significantly in the balance they exhibit between these two elements of explicit system and implicit culture. In many cases, these differences reflect contrasting corporate histories and current characteristics. Some banks have a very strong culture created over generations and passed down from senior executives to new recruits. People acquire an instinctive understanding of ‘the way we do things round here’ as they progress through the organization, so that they instinctively reflect and embody its specific corporate risk culture. Other banks are much more highly prescriptive and legalistic, with elaborate rule-books and less reliance on people doing the right thing naturally.
Both sets of characteristics have strengths and weaknesses. The implicit model works well in smaller, more localized banks. But since it depends on a rich understanding and internalization of culture, it cannot easily cope with rapid expansion, geographical dispersion or high rates of staff turnover. Globalization, and the transition from the partnership model to limited liability, has substantially weakened its power in recent decades.
The explicit, highly prescriptive model is more suited to large and dispersed banks; it can cope with high turnover and corporate expansion, and is superficially more appropriate to the contemporary world of rules-based supervision. But in practice it is too expensive to build a risk system which can cope with every eventuality, and impossible for such a system to keep pace with business developments. It also carries very real dangers: employees may come to feel that everything which is not forbidden is actually allowed. In this respect, it damages the personal integrity and moral code which should be at the heart of behaving properly.
In consequence, most SIFI-banks need to focus much more attention on developing good risk culture; and many smaller banks need to stiffen their systems to improve robustness and future sustainability. Every bank needs to target its desired position on the system-culture continuum. But in the end, an effective risk culture is paramount. An effective risk system is a necessary but not sufficient prerequisite for an effective risk culture.
Assessing risk system and culture
Multiple methodologies can and should be used to assess the current risk system and risk culture and determine the actions necessary to move to the desired position. These include:
- self-reporting: various risk and control self-assessments
- observations by Internal Audit: changes over time in type, severity and frequency of findings, completion rates, etc.; comments on behaviors
- questionnaires: is the risk system perceived to be effective? Is the risk culture perceived to be effective?
- focus groups: cross-geography, cross-function (LOB and support), multiple levels
- structured interviews: senior executive, line and support functions.
In addition, scenario immersion and role-playing can be very valuable in exploring different behaviors in different circumstances, and can illuminate implicit assumptions and attitudes. They can reveal inconsistencies in incentives, targets and rewards and conflicts with desired risk behavior.
The result should be an assessment of the effectiveness of the risk system and risk culture in terms of:
- what’s not said
- say-do gaps
- issues/areas of incompleteness
- areas of strength
- deeper dives
- confidential comments.
Embedding effective risk management
Changing a bank’s risk culture is a fundamental change challenge. It should be clear that it involves developing aspects both of the risk management system and the risk management culture, and of rebalancing emphases between the two. Like all culture change, it requires inspiring people, and demonstrating commitment and compliance from the top.
What is also important, in the context in which risk management is developing after the crisis, is that external stakeholder expectations are managed in such a way that they are consistent with what is achievable and what is necessary if a more robust and stable financial system is to be created. Excessive short-termism, and demands for returns on equity which were incompatible with stable risk management, were among the prime conditions which allowed the crisis to develop. The transition to a permanently less risky, lower-return environment will be painful.
It will depend in part on admitting that after an era of disintermediation in both commercial and retail banking, and an excessive reliance on quantification and models, we need to relearn some of the lessons of the past, and focus on behavior and culture which encourage safety and soundness.
It will also depend as much on shareholders, rating agencies and analysts adjusting their frameworks of performance assessment as it will on boards and senior executives creating a more appropriate and sustainable risk culture.