I. Bank enterprise risk management evolution
Initially bank risk management functions evolved as a close partner with the business to provide an independent evaluation for the purpose of avoiding losses, and optimizing the risk-return equation. Prior to 2000, the main responsibilities were evaluating credit risk primarily for bank loans, market risk positions for trading desks, and setting of exposure limits. Metrics such as economic capital and Risk-Adjusted Returns on Capital (RAROC) existed, with the objective of optimizing business decision-making on client profitability, and pricing of the corporate loan product.
In the phase from 2000-2007 prior to the financial crisis, the introduction of Basel II led to changes in the bank risk measurement and management model. Greater reliance was placed upon credit risk rating models, Value at Risk for the trading book, and a new emphasis on operational risk covering business practices, especially rogue trading and underwriting risks, technology systems failures, and natural catastrophes. From a governance perspective, many large banks focused on appointing a Chief Risk Officer and establishing an independent ERM function that reported directly into the company CEO. Previously the risk function tended to be managed by the individual business units, and sometimes was incorporated into other functions such as the CFO office.
Then in 2007-08 the world, particularly in the US and Europe, experienced the financial crisis. Both banks and regulators were woefully underprepared for the shocks in liquidity risk, securitization, and derivatives counterparty CVA risk that devastated some of the largest banks. Basel II and bank capital models were over-reliant on statistical models that not incorporate a wide enough range of potential stress shocks, and did not sufficiently measure illiquidity of trading markets and the impact of large “carry” trades. Other accounting nuances such as consolidation events being triggered under FIN 46 and impairment of Available For Sale securities further impacted the balance sheets and P&L of the banks. From a cultural perspective blatant weaknesses in governance were identified ranging from bank Risk Committees not meeting on a regular frequency, to compensation incentives that were overly short-term weighted, and shortcomings in basic data and systems where one could not readily obtain accurate exposure information for a given product type (often as a result of the years of mergers, and partial integration of legacy systems).
In response to the bank financial crisis, there was a flurry of new regulations focused on liquidity risk, leverage, Basel III, stress testing, securitizations, SIFIs and CVA. The regulators identified the deficiencies of over-reliance on statistical models, and the need to supplement with stress testing approaches. This led to the rollout of what is now known as the Comprehensive Capital Adequacy Review (CCAR), and the annual evaluations of bank solvency in baseline, adverse, and severely adverse scenarios. Model risk management became a new set of policies, and elevated in organizational importance. Culturally Dodd-Frank was consequential in the US for its restrictions on proprietary trading under the Volcker rule, emphasis on living wills, stress testing, and the need to identify Material Risk Takers, specific individuals within a firm that could make decisions impacting the aggregate solvency of the firm. As a result of these changes, bank risk functions became much more aligned with policy, Compliance and Legal functions of the bank, and placed less emphasis on risk-return optimization and some of the original business unit applications that were part of the original purpose of risk metrics. The main purpose of the Chief Risk Officer was to manage the implementation of new regulations, and avoid headline losses.
Now we are entering an era of risk management, where the priorities are shifting towards cybersecurity and digital risk, sovereign risk, comprehensive stress testing at all organizational levels for all risk types, Big Data management, operational risk, model risk management, and talent alignment and incentives. While standard credit and market risk functions exist, increasingly firms are moving towards a portfolio management approach given the size of these risk types. The accuracy and timeliness of the information about these risks are proving to be as critical a problem to be addressed as the risk metrics and policies themselves. The importance of blockchain technologies for transactions and reconciliations will also transform banking, in addition to risk data. This will be described further in the next sections.
II. Roles and Objectives of the Chief Risk Officer and Enterprise Risk Management function
The primary responsibilities for the Chief Risk Officer are (1) maintaining adequate capital and solvency, (2) managing the liquidity risk profile including intraday, and (3) facilitating an appropriate risk-return optimization, and risk tolerance. The CRO of the past needed to focus on quantitative techniques, risk policy, and strategy. Now the CRO must also have responsibility for an immense data management and aggregation capability, and partner with compliance on cybersecurity defenses. The demand of the new regulatory paradigm requires greater collaboration with Legal, and has brought much more of a policy and regulatory implementation emphasis since the financial crisis.
Inherent in this business model is the implementation of a cultural paradigm to realize the importance of the 3 lines of defense. Risk management goes beyond just individual “yea or nay” decisions on individual deals and transactions by a risk officer. It is at the heart an awareness of risk appetite, marginal risk impacts, and an understanding of overall optimization of the business.
Line of Defense
|Level 1: Front office||Every risk type can ultimately be traced back to an individual business unit or product line. Risk management begins with all transactors, bankers, and traders knowing their customer, understanding the products being sold, and capturing the proper risk and financial information necessary for future management of the account. This requires robust risk policies, guidelines, and incentives that balance a risk-return optimization aligned with corporate strategic objectives.|
|Level 2: Risk management||At both the individual transaction and portfolio levels, an independent risk function is critical for signing off on risk quantification, risk approvals especially for large and complex transactions, model risk management, and ensuring accurate and timely systems for risk reporting.|
|Level 3: Audit||As a final set of checks and balances it is important for an Audit function to verify the existence of all necessary documentation, ability to comply with Sarbanes-Oxley reporting process standards, and track improvements to models and processes where deficiencies have been identified.|
III. Elements of a Program to Actualize the new ERM paradigm
Now that the objectives, culture, and 3 lines of defense are solidly in the mind of the Chief Risk Officer, with an independent governance organizational solution in place, a program is still required to realize this future vision. Fulfilling this vision requires appointing senior bank officers to lead these initiatives, and they might very well be roles that report into the Chief Risk Officer or deputies.
|ERM Program Element|
|A. Capital management and solvency||This encompasses stress testing, including the Fed’s CCAR, new rules for market risk such as FRTB, understanding operational risk loss profiles, ALM and CVA risk management|
|B. Liquidity risk management||Liquidity risk includes new rules on the LCR / NSFR, intraday risk management, collateral, funds transfer pricing, contingency funding plans|
|C. Model risk management||Ensuring that all quantitative models have independent checks and validation processes, performing as expected within a certain degree of model error, and have appropriate documentation for ownership transfer|
|D. Cybersecurity and digital risk||This includes protecting a bank’s systems from internal and external threats. Also compliance procedures and standards for password protection and data archiving. Includes a program for safeguarding against threats from the dark web. Insurance products to mitigate this risk are also critical.|
|E. Blockchains and technological transformation||Risk management reporting and “big data” management have become central themes. The world of distributed ledger technology, and cryptocurrencies will continue to evolve and the modern Chief Risk Officer will need to adapt the organization to new markets, products, and systems reconcilement processes|
|F. Sovereign risk||Much of the risk on bank balance sheets is comprised of government and sovereign entity exposures. Managing and mitigating sovereign and political risk, including cross-border exposure is critical in this international banking landscape, and the consequences for the consumer and corporate portfolios.|
|G. Risk-return optimization||Beyond risk avoidance, a state-of-the-art risk organization focuses on achieving an optimal return on risk profile. This involves setting target and hurdle rates, aligned with the budget process. This also requires business applications and tools to calculate returns for individual transactions, and determine appropriate tradeoffs and comparisons to risk limits. At the portfolio level also important to understand hedging strategies and their impact on risk-return levels.|
|H. Talent, culture and incentives||A strong risk management culture requires a team that can collaborate, determine prudent tradeoffs, and operate within a compensation framework that incentivizes long-term value creation and avoidance of headline losses. Functions that require technical and quantitative expertise need to have budget for the level of resources required. A process for continuous learning and development is essential, especially given the dynamic nature of the regulatory environment.|
To conclude, these are exciting times with remarkable advances in technology and globalization. That said we are living in a much more interconnected world, with potentially greater levels of risk contagion in future crises. Implementing a Enterprise risk management vision outlined above will create a sustainable culture for long-term balanced risk-taking and wealth creation.