The new thrust of the regulatory agencies in the management of risk is a very real positive in the banking industry. It reinforces the efforts already under way among cutting edge banks. Unless the culture is supportive, this change will not work.
How management of risk is undertaken is all-important. Unfortunately, some approaches will be window dressing only. Some will present proper theory but poor practice. Most, it is hoped, will understand what the dynamics of the change require and will aggressively pursue these avenues.
The new approach to the management of risk embraces increasingly intricate activities. These range from new markets and products to risk-based capital allocation, credit scoring of commercial loans, and operational risks. They involve every aspect of the bank.
In an effort to have a positive impact, mathematical modeling to control risk is now being used. Acronyms abound - such as VAR (value at risk), EVA (economic value at risk), RORAC (return on risk-adjusted capital), and NIACC (net income after capital charge).
These are serious and worthwhile steps forward in terms of management aids. They are no more than aids, however. They in no way manage automatically or in all eventualities. They can help in making decisions, but they can't make decisions. They are merely useful tools.
Tools are necessary and helpful to the management of risk. What is really critical in the eyes of the regulators, however, is that there exist certain well-defined elements of management. These should cross over all of the activities of the bank.
* Policies and limits.
* Measurement and monitoring.
The proper management of risk must start and be driven by the highest level. Delegation to middle levels does not work. The board must have a clear understanding of what risks the institution is undertaking. It must receive sufficient reports to monitor them.
The basic strategies and the desired risk/earnings profile should be approved at this level. This approval also must involve the policies to measure and proactively manage risk. Ultimately the board is responsible. This responsibility cannot be delegated.
Together with senior management, the board must identify and have a working knowledge of the major areas where risk occurs. Ignorance is no excuse. Both the board and senior management must have and use adequate information to have a sense of dimension and to monitor the activities as they occur.
Senior management is responsible for adequate staffing. It must see to it that the bank performs as it should. This responsibility includes the quality of supervision.
Risk management is as important as line management. It must report at the same level of authority. The responsibility must also take into account the identification of what risks are to be controlled - be they new products or old - or the method of conducting the business. Just as important is ensuring that enough risk is taken to maximize earnings consistent with capital, liquidity, and market flexibility and the risk/earnings profile set by the board.
One example of enlightened management involves the better use of counsel. As banks continue to broaden their reach, lawyers always need to be involved at the front end. They need to evaluate the risks of any new product or any new business thrust prior to launch. Delicately put, this is the avoidance of 'strategic risk.'
Proper limits and policies for the risks being undertaken must be in place. They must be in use at all times and subject to continuing review. Measuring and monitoring of all material risks must be supported with timely management information systems and with whatever modeling may be appropriate and useful.
It should be recognized that the environment is not friendly to the comprehensive management of risk for many reasons. It is new, and gain comes with pain. There is a historical aversion to a "risk cop." Industry has downsized and diluted experience. Some mergers have not yet led to a clear, dominant culture. Mergers have led to chaos where internal stability is needed.
There is one key to success, or to failure. It is culture. There must be a culture that values the management of risk from the board and CEO down. If there is lack of seriousness or if only lip service is paid, the management of risk process will not work.
The lack of a strong and supportive culture can lead variously to regulatory enforcement, loss, expensive litigation with third parties, and damage to the company's reputation.
The regulators are worried about culture. They worry about lack of support from the top of the bank. In the case of some foreign banks operating in this country, regulators worry about the lack of stable home economies and supportive and effective supervisory systems in the home country, as well as different value systems and lack of cultural reinforcement from parent management.
The difference between "risk management" and the "management of risk" may seem trivial. It is not. It is a fundamental and far-reaching change. It provides the opportunity to management, not just to control risk, but to manage prospectively and to maximize earnings.
The only way to have successful risk management is to have the process driven from the top of the bank within a friendly and supportive culture.
Mr. Davis is president of Scarborough Partners, a financial services consulting firm in New York.