Everyone is a risk professional

How did we get to this position?
Prybylski: As we’ve looked across the industry at what’s worked and what didn’t leading up to the financial crisis, we’ve identified a number of key themes. They’re consistent with the lessons-learned papers that have come from some of the regulators:
1. Operational units—business units and risk units—worked in silos and didn’t see the collective amount of risk.

2. The level of exposure to highly complex products was greater than the firms’ ability to understand how those products would react to periods of stress.

3. Independent oversight did not, and does not, replace a lack of a risk culture. You can have risk measurement models—RAROC, VAR, etc.—but if you don’t have an organization where everyone is a risk professional, and where the CEO is the ultimate risk professional, then you won’t have a risk culture.

In Ernst & Young’s annual study on risk governance in banking [“Navigating the Crisis,” released Dec. 17, 2008], only 14% of the 36 major global banks you studied indicated they have a consolidated view of risk. Did that number surprise you?
Prybylski: It was lower than I would have thought. If you wound the clock back pre-crisis I think you would have found that a much higher percentage thought they had a very good view of risk. They now know they didn’t, and you’re seeing much more focus on risk culture and liquidity over the last 18 months as the crisis has played out.

Still, risk management has had a higher profile in banking over the last ten years. But it doesn’t seem to have been enough for the institutions that got into difficulty. Why is that?
Prybylski: I wouldn’t focus backwards and say it wasn’t enough. What came before were building blocks, such as steps to build up independent risk management groups, and to implement risk oversight and risk measurement tools, such as value at risk. Now we need to look ahead and determine what additional building blocks must be added to complete the risk management framework.

Many times when people say there was a failure of risk management, they’re referring just to the independent control groups. But risk management is much broader than that. There is the risk management of the business strategy—of balancing the risk and return in an organization.

Going forward, when people talk about the need to improve risk management, they should be talking about the entirety of risk management—the balancing of risk/return, the allocation of capital, the definition of the risk appetite, the linkage to the business strategy. All that is a shared responsibility of the board, senior management, the front office, and the control groups, and supported by the culture. But that’s a step that you could not take unless you had already strengthened your independent risk group.

Are banks essentially going to internalize the government’s stress tests?
Prybylski: Clearly we’re coming out of a period of significant market stress. Few bankers would come back and say, “Our stress test nailed it.” In fact, many times they may say, “Even if we had put forward these scenarios two years ago to our board or management, they wouldn’t have viewed them as plausible.”

So some changes are needed. These include making stress-test models more factor-based—meaning taking into account outside market factors that hit multiple risks and multiple business units—having better linkages across risk, and defining the scenarios so they reflect changing market composition and business strategy. Also, stress testing will be just one of a number of risk measurement tools. The mantra going ahead will be “multiple views of risk measurement.” The mistake is overreliance on one tool, be it value at risk, stress testing, or concentration risk. It’s not that that one tool is the problem, it’s the over-reliance on one tool that may create blind spots in your risk measurement perspective.

From what you say, it seems that risk management, for all its technical aspects, is as much art as science….
Prybylski: The way I would phrase that is, the risk management process, framework, and tools should support a firm’s risk return decisionmaking. To inform those decisions you need to know the firms’ risk appetite and its definition of business strategy. So when we’re talking about that risk return decision process, it is business judgment and technical risk analysis.

How can a bank make risk everyone’s business?
Prybylski: Here are some of the key steps:
• You need to establish clear levels of risk accountability within the organization. To do that you must set the tone from the top, that risk management is everyone’s job. (One example of this is the CEO who acts like the chief risk officer—calling individual desks or traders about a risk report to make the statement, “I’m engaged in this decision.”)

• Communication must be clear and consistent. Everyone needs to know the company’s risk appetite; that’s not just the job of the independent risk function.

• There needs to be empowering of the risk-control groups. A lot of conversation today is about whether the control group has “a strong seat at the table.” Many companies we work with have gone back and looked at key management committees or governance boards to make sure there is a proper risk-return balance.

Incentive compensation, is that another key factor?
Prybylski: Clearly if you’re going to talk about culture and risk management you need to look at the incentive reward system to make sure they’re all properly aligned.

How do banks identify emerging risk?
Prybylski: If you don’t identify the risk, it’s hard for the next steps to happen. Risk identification is a shared responsibility between the businesses and the control groups. In the end, the businesses are closest to the risk origination and the risk exposure. However, there need to be some new processes put in place that lead to more brainstorming [at the business level] about what could go wrong, as opposed to having the input be top down. Clearly there were some risks that weren’t identified, leading to the current situation.

One hallmark of the successful financial institution is the ability to not only innovate new financial instruments and quickly distribute them to their clientele, but also the ability to build control and oversight processes, and scale those up quickly as well. You need to balance high-growth prospects with your return and risk profile.

To sum up, there are three questions banks should ask themselves going forward to focus on improved risk management:
1. Is your risk culture where it needs to be?
2. When you’re assessing adequacy of returns, are you considering multiple views of risk?
3. Do you have an integrated view of risk and financial information?