JPMorgan's trading loss should send shudders down the spine of shareholders, management and regulators. The once paragon of risk management has turned into a case study of what not to do.
If we have learned nothing from the financial crisis of 2008-2009 or any other notable financial disaster for that matter, it is that the catalyst of these events is deficient risk governance and management History is littered with spectacular risk management fiascos from MF Global to Amaranth LLC to Long-Term Capital Management. But unlike these others, what is spooky about the JPMorgan situation is that it wasn't supposed to happen.
Fortunately, its troubles provide industry and regulators with a wake-up call for addressing fundamental long-standing cultural biases and structural deficiencies with regard to the way risk management functions within a financial institution.
Foremost, the quality of the risk management function is set from the beginning by its board of directors. Without an active voice supporting a strong risk management culture, risk management has little chance of providing an effective counterbalance to risky strategies that lie outside the firm's risk appetite. In the case of JPMorgan, it seems less the fact that they did not support risk management, but they had little expertise to know what risk management entails.
Complicating matters is the age-old issue of how an iconic and strong chief executive can wield considerable power over the board and management, including setting the tone for how risk management operates within the firm. It isn't sufficient to establish a chief risk officer position and for that executive to report the CEO or board, as is the case for JPMorgan, rather, the CRO has to be empowered by the board to oversee all aspects of risk in an integrated fashion and to have deep expertise in that field.
The JPMorgan CRO only had partial oversight of the firm's risk management practices. Liquidity and interest rate risk oversight was performed by the now infamous chief investment office, according to JPMorgan’s annual report.
Interestingly, the position of CRO, unlike that of the CFO or head of a line-of-business tends to take on a variety of roles across the industry depending on the perceptions of the CEO and board of the risk management function. This diversity suggests that the industry continues to wrestle with whether the function is to be a watchdog or a lapdog. The answer is that it actually is neither, the risk management function should ideally be looked upon as the moral compass of the company, providing objective views on the strategic direction of the firm; not saying no all the time and not rubber stamping business strategy either.
Beyond the governance aspects of a quality risk management function lay the practices and controls that enable a firm to quickly size up emerging risks, establish clear rules defining permissible business activity and limit excessive buildups of risk.
Looking a bit further into the JPMorgan example, we now know that the models used to determine how much risk the firm was exposed to by the CIO trades was itself a work-in-progress and may have been operated by the trading group rather than the risk managers. Moreover, one has to call into question the size, complexity and opacity of the transactions and ask how that aligns to its risk vision. In the immediate example, the massive concentration of risk in a specific credit default index seems well outside of normal position limits that should be in place and closely monitored.