OCC Risk Czar: No One Way Is Best

As comptroller of the currency, Eugene A. Ludwig has taken some major steps to modernize bank supervision. Among them was creating an agency "risk czar" position last June.

G. Scott Calhoun, a 19-year veteran of the Comptroller' Office, got the job.

The agency is also in the midst of implementing a "supervision-by- risk" program announced a year ago. To keep a closer eye on risk-management procedures, bank regulators identified nine types of risk - credit, interest rate, liquidity, price, foreign exchange, transaction, compliance, strategic, and reputation.

In a recent interview with Management Strategies, Mr. Calhoun - whose official title is deputy comptroller for risk evaluation - talked about the supervision-by-risk program, the organizational changes under way at banks, and the importance of technology.

Are more banks opting to create a senior-level management position, or "risk czar," with overarching risk management responsibility?

The prevailing trend that we see is a senior individual being named to be responsible for risk management. But some institutions and some organizations have embodied that in their chief financial officer's role. Others have accomplished that through an individual or a committee responsible for risk management at an umbrella level of the organization.

We don't advocate any one blueprint or model. Rather, we are looking for a comprehensive and seamless risk-management process.

What about Citicorp and other money-centers that because of their mix of businesses have had these senior positions for a long time?

Clearly they have had risk management as a centerpiece of their business for some time. I don't want to say that necessarily they are much farther ahead of the curve than some of the regionals.

Regardless of whether or not you appoint an individual or a committee, the most effective risk management that we've seen is one that's embodied in the culture.

If you set up an organizational structure for risk management and don't have a sense of ownership for managing the risk in the line of business itself, I don't think that's the optimal methodology.

Having it as a policing mechanism, as a control feature, and as a function - to look at and test the parameters of risk taking - is very healthy. To separate the responsibility for risk management from those doing the business is not a healthy thing.

How much attention are you giving to the transaction risk, strategic risk, and reputation risk?

If you are asking what kind of a weighting do we have against each of those, we don't.

Are banks struggling to come up with ways to quantify areas like reputation risk?

Credit, interest rate, liquidity, and certainly price and foreign exchange risk are all much more quantifiable.

At the end of the day, transaction, compliance, strategic, and reputation risk are very difficult to mention in a number measurement. And frankly, a number of organizations are working on and struggling with an ability to come up with some kind of a quantifiable measurement for those.

Are significant cultural or management changes necessary to manage risk comprehensively and effectively?

Culturally, it is a trend to try to make certain businesspeople are responsible for the quality of the business they are booking across all these risks. But organizations are taking different approaches, and none is necessarily superior to the other about how the oversight role is structured. That can be in the form of a individual, committee, or series of individuals.

What else is important here?

One thing that can't be overlooked is how technology is going to be employed. I find it helpful to look at technology on three levels.

One is communications. When you are dealing with some of these risks, timely, efficient, fast communication of positions, exposures, and the like is increasingly important. That's particularly true when you are dealing in areas like price risk and foreign exchange risk.

Artificial intelligence is a second piece of technology. There is greater use of modeling, not only in terms of risk management after the fact, but also in risk selection at the beginning. Artificial intelligence is used to identify target markets and profile the types of deals and risk the institution is looking for in its portfolio.

The third piece is the data warehouse. That's where the organizations have the ability and the capacity to do data mining, look at the historical performance, and benchmark against past performance and competitor performance.

Technology is not only reshaping the industry, it is getting to be a critical cornerstone of an effective risk-management practice.

How does value-at-risk play into this?

Value-at-risk is certainly a hot topic, especially in areas such as traded products and interest rate risk. It is a tool with which to manage those and come up with some kind of an economic value, and it's going to be very important.

Having said that, I don't know that we at the OCC are prepared to say it is a requirement, or that it is an expectation. But certainly it is a tool, and a useful tool.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER