Financial Crisis: Where did Risk Management Fail?
By Gabriele Sabato
When examining the causes for the financial crisis, most people start directly with the real estate market focusing on the subprime mortgages and unscrupulous lenders and casting the blame on the unsustainable real estate bubble which began to collapse in 2006. Whereas this is true, it is not the whole story. A poor regulatory framework based on the belief that banks could be trusted to regulate themselves is, in my opinion, among the main sources of the crisis. It is quite obvious that regulators across the world have not efficiently monitored the risk management functions of most banks.
At the same time, risk management at most banking institutions has failed to enforce the basic rules for a safe business: i.e., avoid strong concentrations and minimize volatility of returns. Several excuses have been presented to hide this failure (e.g. limited role of risk management, inability to influence business decisions, incapacity of forecasting such a severe crisis, etc). Although some of these excuses may be partially true for some institutions, however I am convinced that the risk management function has clearly shown its significant weaknesses and failures.
The purpose of this study is to identify the reasons behind the failure of risk management and offer a view on how they can be solved or improved going forward if we want to ensure a sounder financial system than today’s one. In particular, I examine the following issues: 1) lack of a defined capital allocation strategy, 2) disaggregated vision of risks and 3) inappropriate risk governance structure.
Most banks used to grow their lending portfolios driven by market demand without a clear capital allocation strategy. Regulatory pressures, such as Basel II and a greater focus on corporate governance, have been a stimulus for many changes in the industry. One of these has been the recognition of the need to articulate risk appetite more clearly. Risk appetite translates risk metrics and methods into business decisions, reporting and day-to-day business discussions. It sets the boundaries which form a dynamic link between strategy, target setting and risk management.
Articulating risk appetite is a complex task which requires the balancing of many views. Some elements can be quantified, but ultimately it is a question of judgment. A bank with a well defined risk appetite framework will provide internal senior management and external stakeholders with a clear picture of where it currently stands and how it wants to grow in terms of concentration and expected returns of its assets.
In Section 2, I investigate how banks should define their risk appetite and how it should be used to facilitate better risk management practices and capital allocation strategies.Although many institutions, particularly the large national and international financial institutions, have already adopted Enterprise Risk Management (ERM) approaches, others are still using reactive rather than proactive methods of risk monitoring and detection. Typically, these methods are the traditional silo approaches to risk management and are rapidly becoming insufficient in preventing increasingly diversified risks (especially credit, market and operational risks). Silo-based approaches are reactive and their functions segregated; each silo has its own tools and applications to assist with specific management and reporting requirements. Problems arise because these independent systems do not communicate with one another and across business lines. A silo-view of risks is still a common practice at most banks and this does not allow senior management to have a full picture of risk concentrations and correlations. Similar assets, or assets with a high correlation between them, can seat in different books (e.g. credit and trading book) or off-balance and their risk may never be aggregated causing a significant understatement of the capital needed.
I will expand on this subject in Section 3 providing a view of what should be the minimum level of risk aggregation that would ensure avoiding “hidden correlations”.
Last, in Section 4, I analyze the current risk governance structure often in place at most banks in order to understand where the weaknesses are and how they can be addressed. This topic is extremely correlated with the previous ones. Only a clear, well-organized risk structure will be able to provide enterprise-wide risk measures and aggregate risks appropriately before reporting them to the CRO and ultimately to the Board. The risk function reporting lines have been underestimated for long time in the wrong belief that a good risk manager would be able to influence business decision providing a good set of analyses even without a clear authority to do that. This is definitely not true and the current crisis is an example of what can happen when the role of risk management is underestimated within a financial organization.
In Section 5, I draw my conclusions.