Risk Governance Seeing the Forest for the Trees

Printer version  PDF

by Andrew Kuritzkes

Confidence in the risk management practices of financial institutions is now at the lowest point in a generation. This has come as a shock for the industry, given the enormous effort expended over the last 20 years to establish the foundations of modern risk management. Developments since the late 1980s have revolutionized risk management through new quantitative techniques that allow bankers to disaggregate, price, package, hedge, and distribute risks that were previously undifferentiated, unmeasured, and illiquid.

So, how did the last 20 years of progress in risk management fail so many institutions so spectacularly?

While the industry at large was undoubtedly overconfident in its ability to quantify risk, the bigger problem lies in the way risks were governed and regulated at the top of the house. There was a collective failure to see the forest for the trees. Institutions employed weak oversight processes that ignored the compounding effects of individual risk decisions on a firm’s overall risk profile and allowed business strategies to be divorced from basic risk principles. Supervisors took false comfort in a regulatorycapital framework that was rooted in old-style balance sheet lending. And both practitioners and regulators overlooked inherently unstable funding structures that assumed continuous access to liquidity — the lifeblood of a financial firm.

It’s imperative that boards and senior executives begin addressing the problems of top-level risk governance even as the industry and governments wrestle with ongoing structural reforms to the financial system.

The first lesson from the crisis is that risk governance matters. The crisis exposed serious, unexpected weaknesses in top-level risk oversight at several of the world’s largest and most sophisticated financial institutions. There is a chorus of agreement on this point. Failings in risk governance were identified as a root cause of outsized losses by (among others) the International Senior Supervisors Group Report, the Corrigan Committee’s CRMPG III Recommendations, and the UBS Report to Shareholders.

In many cases, the risk governance failings resulted from an over-reliance on low-level risk decisions in siloed businesses, product lines, and trading desks that ignored how these exposures contributed to a firm’s overall risk profile. Senior decision-makers failed to ask the right questions about common exposures to underlying macro factors; key assumptions relating to basis risks for hedges; critical dependencies on the ability to selldown warehoused risks within assumed holding periods; and valuation discounts in periods of market stress and illiquidity. More fundamentally, many firms lacked a risk appetite framework for constraining overall risk taking within approved bounds. Instead, limits and approval structures were set based on notions of how much loss was acceptable for an individual position or transaction, without considering compounding losses elsewhere within the firm. The failure to anticipate liquidity knock-ons and infections across asset classes meant, in some cases, that the risk of the whole was greater than the sum of the parts.

At the same time, some of the hardest hit firms pursued strategies based on revenue or market share, or had highly concentrated business models, that were dangerous – or even reckless – from a risk perspective. There are many examples, including Merrill Lynch’s market share push in CDOs, Wachovia’s disastrous entry into the California mortgage market through the purchase of Golden West Financial, and Bear Stearns’s dependence on mortgage securitization. Not surprisingly, Oliver Wyman has found that banks with top-line revenue growth of greater than 25% between 2004 and 2006 experienced trading and credit losses in 2007 that were almost twice as large as those of banks with more stable growth.

Failures in firm-level governance were compounded by the Basel II capital framework that was rooted in an outdated buy-and-hold model of commercial lending. Pillar I of Basel II adopted highly prescriptive rules for traditional credit risks (and also for market and operational risks), but imposed no explicit capital charge for asset/liability risks, business risks, and reputation effects – each of which played a prominent role in the crisis. Maturity transformation, asset/liability mismatches, and resultant basis risk were critical features of off-balance sheet conduits and SIVs, which were ignored under the Basel II framework (and also in the internal models of many bank sponsors).

Reputational risks that led, for example, Citigroup (and others) to consolidate their SIVs on balance sheet, Goldman Sachs to inject capital to prop up an ailing hedge fund, and Bank of America to backstop money market mutual funds at risk of “breaking the buck” all imposed significant costs that are disregarded under Basel II. And business risk – in particular, lack of diversification of the business model – created unique vulnerabilities for firms dependent on the mortgage sector, such as Bear Stearns, Indy Mac or Northern Rock, and is similarly ignored under Basel II.

It is too much to ask that the regulatory framework operate with perfect foresight and anticipate the causes of the next financial crisis. Nevertheless, the enormous international effort to comply with Basel II arguably led to a “crowding out” of scarce internal risk resources that were diverted from new problems or more pressing risk issues by the need to get over the Basel finish line.

Looking back on the history of Basel II, the lesson for the industry is that there is a regulatory caveat emptor: there should be no false comfort in regulatory compliance. The best firms will always be several steps ahead of the regulators. Risk governance should be a core competence of every board. Firms must tailor their risk framework for their unique business mix, risk profile, and strategy — rather than rely on the regulators to get it right for them.

The crisis that began with U.S. subprime mortgages has now become a full-blown funding and liquidity crisis. A major accelerant has been the role of maturity transformation – the funding of long-term mortgages and other securitized assets with short-term liabilities. Maturity transformation was a critical feature of SIVs and conduits, but also of investment banks dependent on customer and repo financing and on commercial banks now prone to a seizing up of the interbank market and the flight of uninsured deposits. There is a lesson here that dates back to the Renaissance and is as old as banking itself. A feature of every banking panic is that problems begin on the asset side of the balance sheet and end on the liability side.

Both the industry and regulators missed the overriding importance of funding and liquidity as contributors to the current crisis. The dependence on short-term funding created an inherently fragile business model that is leading to unprecedented changes in market structure. The most obvious sign of this is the demise of independent U.S. investment banks through the failures of Bear Stearns and Lehman, the shotgun merger of Merrill Lynch with Bank of America, and the conversions of Goldman Sachs and Morgan Stanley into bank holding companies. It is also reflected in moves by national governments in Europe to protect bank deposits and guarantee interbank lending, as well as to inject public sources of capital into the banking system.

Top-level governance must assess the resilience of funding and liquidity sources. While firms could not have been expected to protect themselves fully against the unprecedented disruptions of the current market, certain structures (such as SIVs and conduits) were inherently unstable and uniquely prone to funding crises. A critical part of internal governance and regulatory oversight going forward must be an assessment of the stability of the business model to a loss of confidence of investors and counterparties and a sudden withdrawal of funding sources.

Looking ahead, firms need to address gaps in risk governance that cut across these problems as a matter of priority. Three key fixes include:

Establishing a firm-wide risk committee
The best firms have put in place a senior firm-wide risk committee comprised of business line, finance and risk executives, typically including the firm’s CEO. Such a committee should be responsible for defining, with the board, the firm’s overall risk appetite; approving major transactions above a firm risk threshold; establishing limit structures and risk policies for use within individual businesses; and also, importantly, for ongoing monitoring of the firm’s strategic-risk profile. As has been widely reported in the press, Goldman Sachs uses such a top-level risk committee to manage its consolidated firm-wide risks, and this group was credited with making the decision to reduce Goldman’s exposure to U.S. subprime mortgages at the start of 2007.

Developing a strategic risk assessment capability
The top-level risk committee needs to be supported by a robust strategic risk assessment process. Such a process should identify major downside risks at the firm level, such as risks that could cause a significant earnings hit, capital write-down, or liquidity event over the next one to six quarters. This capability is critical for taking action to hedge or reduce risks in anticipation of economic or market events. An effective strategic-assessment process needs to consider the full range of earnings, solvency, liquidity, business and reputational risks. It also needs to adopt a forward-looking perspective, and to be informed by scenario analyses and stress tests, rather than being based solely on a rear-view mirror view of traditional risk metrics.

Integrating risk with business strategy and compensation
Top-level risk governance must also be based on the recognition that risk management and business strategy are inextricably linked. Senior decision makers need to consider a range of plausible downside scenarios in formulating strategies, committing capital, and setting growth targets. Risk – and return on risk – need to be core parts of any performance measures, and explicitly factored into incentive and compensation schemes. As obvious as this principle sounds, it was routinely overlooked by firms in the rush for revenues during the bull market.

While many implications of the crisis could not have been anticipated, the lessons above were hiding in plain view. Practitioners and policy makers need to spend as much time focused on the “big picture” as on the discrete building blocks of modern risk management.

Andrew Kuritzkes is a partner and senior member of Oliver Wyman’s Finance and Risk practice. He can be reached at .