It's not enough to manage liquidity risk, credit risk, market risk, reputation risk, regulatory risk and legal risk. Banks must understand how these risks interact with and affect one another.
Widespread failure to do so before the financial crisis resulted in a huge tax that the industry has been paying since 2008 and continues to pay, in many forms: Legions of compliance hires; massive repurchase requests on poorly underwritten mortgages; a tsunami of civil litigation and out-of-court settlements; unprecedented regulation; product and market restrictions that will remain for years to come.
Traditionally, bank risk has been organized and managed according to risk type. Credit risk departments rarely connected with their counterparts in operational, market or liquidity risk functions, for example. Yet actions taken, or not, in one area clearly have material consequences on the whole institution – as well as the industry.
The mortgage crisis highlighted significant linkages between risks. Fundamental gaps in the quality of infrastructure for sourcing and processing loans led to unexpected fraud losses and loan repurchases. Operational deficiencies gave way to credit performance issues that in turn ignited investor concerns at institutions with significant exposures to the riskiest segments of the mortgage market. A liquidity crisis for these firms ensued that eventually spread across the industry. A byproduct from this cascade of risk events was a significant increase in reputational, regulatory and legal risk for institutions.
While there has been some improvement over time in coming to grips with risk at an enterprise level, gaps remain in our ability to specify the spillover effects from one risk type into other areas. The risk profession moved over the last decade or more to greater reliance on analytic techniques to measure credit and market risks. But other risk types, such as regulatory, reputation and legal risk, have increasingly become significant drags on earnings. These risks are not well suited to quantitative analysis.
Current practices to assess how these risks might arise from other risks lack rigor in systematically establishing reasonable exposure levels for management.
Banks woefully underestimated the cost of operational risks before the crisis, in part due to an inability to take an integrated view of risk impacts across a company. Many firms today believe they are addressing such issues by establishing an enterprise risk management framework and developing risk data warehouses. Such frameworks and databases provide management with an alignment of risk across the institution and ability to roll up risk exposures within and across lines of business.
However, in rare instances does this technology do what is needed to truly identify, measure and manage the kind of risk intersections that were in evidence during and after the crisis.
For example, companies made decisions in 2005 based largely on the benefits of short-term process efficiencies and market share objectives in a highly competitive market. The introduction of low and no-documentation programs, outsourcing of critical functions such as appraisal and due diligence reviews, and reducing risk, collections and default staffing greatly weakened operational risk infrastructure. Companies gave little consideration to the regulatory, legal and reputation risks to their businesses, or to the system at large, and their strategies failed spectacularly. Rarely if ever did firms attempt to determine what the incremental cost from poor operational controls would mean in terms of these risks. These risks do not lend themselves to easy quantification, and even if they were, a general lack of integration across risk areas limited the extent to which a comprehensive estimate of product risk could be developed.
Technology alone is no substitute for expert judgment. Risk management teams need to be more tightly integrated in ways that go well beyond current practices in enterprise risk management. Business decisions must take into consideration downstream impacts on reputational, regulatory and legal risk more than ever before. This requires development of risk control assessment processes that map infrastructure quality to risk levels. Unquestionably there is a degree of subjectivity embedded in such processes that will send shivers up the spines of quantitatively oriented risk managers. But an exercise that directly takes into account all potential long-term risks from a business process has the best chance of mitigating unexpected losses.
Moreover, strategic planning sessions should tie the level of business and risk infrastructure to business objectives. Where infrastructure quality is not sufficiently robust to take on higher risk activities, it should be acknowledged and built into plans that restrict business activity until improvements addressing deficiencies have been made. Boards, investors and regulatory agencies also must begin focusing more on what actions management is taking to better understand linkages between risks.
For example, there remains some fragmentation in risk assessment at bank boards. Credit risks might find their way into board credit committees, while market, liquidity and interest rate risks are reviewed by board finance or asset-liability committees. And audit committees might be looking at operational risks while compliance risks may fall under a legal committee.
Recent moves to establish risk committees for the largest banking institutions address this issue. But this effort is not uniform across the industry and some risks may still wind up outside the purview of the risk committee.
Finally, banks must incorporate views on systemic risk into their business decisions. Institutions can no longer afford to consider their own actions against risk outcomes in isolation from the market at large. The spillover effects from riskier institutions expose all firms to greater costs. Anticipating emerging systemic threats and appropriate responses is a critical safeguard in an increasingly integrated financial system.
Clifford Rossi is the Professor-of-the-Practice at the Robert H. Smith School of Business at the University of Maryland.