Banks Get a C+ in Postcrisis Risk Management

To a recovering Chief Risk Officer masquerading as an academic, it seems an appropriate time as colleges around the country start back up for fall semester to think about grades.

With five years elapsed since the financial crisis, a question I am frequently asked is "how would you grade bank risk management compared to what it was right before the crisis hit"? Not unlike the grades of many of my students, the outcome for risk management is a mixed bag. And overall, while much progress has been made, banks get a C+ to show for their efforts.

We all know the stories about fairly well-known efforts in banking to hold in check risk management organizations before the crisis. Risk governance was for many institutions lacking with surprisingly little air cover given to those risk managers courageous enough to call it like they saw it without fear of retribution. Boards were not well-versed in risk management issues, in part reflecting a surprising and pervasive lack of risk expertise. Moreover, banks struggled with how they used risk management; some looked at it incorrectly as an audit function, others saw it as an oversight function and only a small segment viewed risk management as an integral part of the management team. The stature of the CRO and the risk organization then was directly proportional to the support provided by the CEO and board.

On the risk governance front, we've seen banks make some improvements, particularly where boards have started moving toward greater engagement on risk issues and where many banks are starting to have their CRO report to the board. Despite such efforts, risk governance remains an elusive concept for bankers to grasp, as underscored by incidents such as the JPMorgan Chase (JPM) London Whale trading case. While improvements have also been made in driving risk objectives into executive compensation, much work remains ahead to effectively align management interests with the long-term perspective of shareholders.

Beyond nagging governance issues that have yet to be effectively resolved since the crisis, a gaping hole that remains in many areas is bank risk management infrastructure. Before the crisis, many institutions underinvested in technology, people and data to support risk management, perceiving it as a cost center with no direct contribution to the bottom line. Whether shaped by the crisis or reacting to regulatory pressure afterward, banks seem to have moved away from the sometimes bitter tensions that pitted risk managers against the business. Investments in risk management are on the upswing, but five years since the crisis the industry still finds itself struggling with building an integrated risk infrastructure allowing senior management to stream in fresh data and risk assessments across business lines.

A bit more insidious within the risk management function itself is an orientation to define successful risk managers by their quantitative prowess. Analytics will always be an integral part of any effective risk management organization, but are we giving the next generation of risk managers the right mix of skill sets that make someone a risk leader as opposed to a risk analyst? The analytic toolkit has not progressed much from before the crisis. Value-at-risk models, infamous during the crisis and once again in the JP Morgan incident, suffer from a host of governance and other issues that should temper banks' enthusiasm for such models. We clearly cannot abandon these tools, but risk leadership is marked by a judicious balance of business acumen supported by empirical analysis. In this regard, the profession has not made sufficient strides in cultivating risk leaders as much as risk analysts.

Making matters worse, the industry has witnessed a shift from traditional bank risks (credit, market, liquidity and interest rate risks) to other risks such as operational, legal, reputational and regulatory risks. These latter risks, while not new, have become increasingly costly to banks in the wake of the crisis and as evidenced by the mortgage robosigning debacle, increasing cybersecurity breaches, massive mortgage settlements and civil money penalties imposed by regulators for a blizzard of violations. As a profession, we have marched on leveraging existing tools and developing others to help size the potential impact of these critical risks. However, applying industry-standard VaR techniques to quantifying the likelihood of infrequent but potentially severe operational breakdowns can be misleading without also bounding those models with expert judgment.

Banks should get an "A" for effort for attempting to address the many deficiencies in risk management that surfaced during the crisis. However, their execution has been lackluster.

It has been five years. By now, the banks should have accomplished more, and on that basis they merit an overall grade of C+. Despite having a reputation as a tough grader, in this case I find the results fit the grade, with NEEDS IMPROVEMENT the message at the top of the scorecard.

Clifford Rossi is the Professor-of-the-Practice at the Robert H. Smith School of Business at the University of Maryland.