BANKTHINK
RISK DOCTOR

Banks Get a C+ in Postcrisis Risk Management

Print
Email
Reprints
Comments (2)
Twitter
LinkedIn
Facebook
Google+

To a recovering Chief Risk Officer masquerading as an academic, it seems an appropriate time as colleges around the country start back up for fall semester to think about grades.

With five years elapsed since the financial crisis, a question I am frequently asked is "how would you grade bank risk management compared to what it was right before the crisis hit"? Not unlike the grades of many of my students, the outcome for risk management is a mixed bag. And overall, while much progress has been made, banks get a C+ to show for their efforts.

We all know the stories about fairly well-known efforts in banking to hold in check risk management organizations before the crisis. Risk governance was for many institutions lacking with surprisingly little air cover given to those risk managers courageous enough to call it like they saw it without fear of retribution. Boards were not well-versed in risk management issues, in part reflecting a surprising and pervasive lack of risk expertise. Moreover, banks struggled with how they used risk management; some looked at it incorrectly as an audit function, others saw it as an oversight function and only a small segment viewed risk management as an integral part of the management team. The stature of the CRO and the risk organization then was directly proportional to the support provided by the CEO and board.

On the risk governance front, we've seen banks make some improvements, particularly where boards have started moving toward greater engagement on risk issues and where many banks are starting to have their CRO report to the board. Despite such efforts, risk governance remains an elusive concept for bankers to grasp, as underscored by incidents such as the JPMorgan Chase (JPM) London Whale trading case. While improvements have also been made in driving risk objectives into executive compensation, much work remains ahead to effectively align management interests with the long-term perspective of shareholders.

Beyond nagging governance issues that have yet to be effectively resolved since the crisis, a gaping hole that remains in many areas is bank risk management infrastructure. Before the crisis, many institutions underinvested in technology, people and data to support risk management, perceiving it as a cost center with no direct contribution to the bottom line. Whether shaped by the crisis or reacting to regulatory pressure afterward, banks seem to have moved away from the sometimes bitter tensions that pitted risk managers against the business. Investments in risk management are on the upswing, but five years since the crisis the industry still finds itself struggling with building an integrated risk infrastructure allowing senior management to stream in fresh data and risk assessments across business lines.

A bit more insidious within the risk management function itself is an orientation to define successful risk managers by their quantitative prowess. Analytics will always be an integral part of any effective risk management organization, but are we giving the next generation of risk managers the right mix of skill sets that make someone a risk leader as opposed to a risk analyst? The analytic toolkit has not progressed much from before the crisis. Value-at-risk models, infamous during the crisis and once again in the JP Morgan incident, suffer from a host of governance and other issues that should temper banks' enthusiasm for such models. We clearly cannot abandon these tools, but risk leadership is marked by a judicious balance of business acumen supported by empirical analysis. In this regard, the profession has not made sufficient strides in cultivating risk leaders as much as risk analysts.

Making matters worse, the industry has witnessed a shift from traditional bank risks (credit, market, liquidity and interest rate risks) to other risks such as operational, legal, reputational and regulatory risks. These latter risks, while not new, have become increasingly costly to banks in the wake of the crisis and as evidenced by the mortgage robosigning debacle, increasing cybersecurity breaches, massive mortgage settlements and civil money penalties imposed by regulators for a blizzard of violations. As a profession, we have marched on leveraging existing tools and developing others to help size the potential impact of these critical risks. However, applying industry-standard VaR techniques to quantifying the likelihood of infrequent but potentially severe operational breakdowns can be misleading without also bounding those models with expert judgment.

Banks should get an "A" for effort for attempting to address the many deficiencies in risk management that surfaced during the crisis. However, their execution has been lackluster.

It has been five years. By now, the banks should have accomplished more, and on that basis they merit an overall grade of C+. Despite having a reputation as a tough grader, in this case I find the results fit the grade, with NEEDS IMPROVEMENT the message at the top of the scorecard.

Clifford Rossi is the Professor-of-the-Practice at the Robert H. Smith School of Business at the University of Maryland.

JOIN THE DISCUSSION

(2) Comments

SEE MORE IN

RELATED TAGS

Comments (2)
But it isn't easy to be a risk manager at the banks nowadays when having to act upon distorted signals.

A risk manager of a bank, traditionally, had to look at the risks of the clients, the size of the exposures, if these were earning adequate risk-premiums, the duration of the positions, and a little bit on the other contract terms.

Not any longer. Now he has also to look at how much capital is required to hold that position, and since that is also based on the same perceived risk of the client, he can't make heads or tails out of it.

http://subprimeregulations.blogspot.com/2012/12/the-basel-ii-roulette-manipulation.html
Posted by Per Kurowski | Wednesday, August 21 2013 at 4:27PM ET
Back in 2008 when I was working for a firm selling risk management analytics and reporting tools into U.S. banks we used to joke that as far as banks were concerned a D(-) was a passing grade.

I agree, it is very differnet now, but I sense that as soon as the federal regulators take their eye off the ball, it will slide back. Banks in europe see risk as a competitive advantage. In the U.S., I believe it is still a cost of doing business, albeit a more expensive cost.
Posted by FutureBank | Thursday, August 22 2013 at 1:45PM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.
Marketplace
Fiserv is a leading global provider of information management and electronic commerce systems for the financial services industry.
Learn More
Informa Research Services is the premier provider of competitive intelligence, mystery shopping, and compliance testing services to the financial industry.
Learn More
CSC is a leader in private-label, third-party loan servicing with 30+ years of proven experience in delivering effective, cost-effective solutions.
Learn More
Already a subscriber? Log in here
Please note you must now log in with your email address and password.