From Donald T. Vangel's perspective, the movement toward risk-based supervision reflects fundamental changes to the landscape of financial risk management. He ought to know; prior to becoming a partner in Ernst & Young's risk management and regulatory practice group this past summer, Vangel was a 17-year veteran of the Federal Reserve Bank of New York, where he served most recently as senior vice president responsible for oversight of domestic banks and the U.S. operations of foreign banks.
MS: What was your experience at the Federal Reserve Bank with regard to changes in risk management?
VANGEL: Clearly, supervisors recognize that the old fashioned, backward- looking approach to supervision is not particularly relevant to (the financial) industry, the dynamics of which suggest that the risk profile could change in a nanosecond. Historically, supervisors focused on scrubbing the loan book, where things didn't tend to happen quite so cataclysmically. But (they) really relied overall in terms of their assessment on the financial performance of the firm. That's not to say that they weren't looking at controls and risk management, but I would characterize the approach of examiners as (not) drilling down too deeply in terms of really testing transactions from cradle to grave to see how controls and risk management really worked. Or looking at models and the controls around them to get a handle on the integrity and robustness of risk management information. That's changed over the last couple of years.
MS: What drove the progression of supervision and how did it manifest itself in the financial industry?
VANGEL: A recognition-events such as Barings and Daiwa cemented it, but it was in train before that-that the dynamics of the business were changing. Toward the late '80s, the traditional approach really held sway. And, of course, the problems of the late '80s and early '90s were old fashioned credit cycle problems. Those occupied the supervisors' time fairly extensively. Many name institutions were struggling through that period Things like capital and reserves started really having meaning to the industry in ways that they didn't before.
As that problem was worked through and the supervisory committee took something of a breath because credit underwriting standards, reserves, and capital improved so substantially, the focus shifted toward the more dynamic aspects of the business: trading and capital markets activities and the management processes around risk. It's the nature of the supervisory business that you're never comfortable. You're trying to anticipate the next problem. Not that this wasn't happening in the early '90s; the Federal Reserve's examiners' trading manual came out in '93. The focus became risk management. And that's been and still is an evolving process.
MS: What is the intent of risk-based supervision?
VANGEL: What risk-based supervision really means is kind of a fluid concept. I define it as an approach to the examination that seeks to identify-with a lot of upfront analysis and discussions with management auditors, internal and external-the core risks of particular businesses that an institution is in, and then goes through a process which makes selection of which of those risks are material enough to warrant a real focused, on-site effort at the examination.
What that means is looking at businesses as opposed to looking at products. So you start blurring legal entity distinctions a little bit, but I think it's the only way to look at risk. Worrying about the management processes and controls surrounding that business and using supervisory resources much more selectively to focus on where you're likely to get the most bang for the buck in terms of insight into the real quality of the operation, and therefore, into the future prospects of the operation. Over time, the full scope examination that's been the traditional approach (will) evolve into a 12-month supervisory process where there are targeted reviews of particular areas, much the way an internal audit program works. Making a risk assessment of the various businesses, keeping it up to date; some you may look at once every year, some once every 18 months and some less frequently than that. And some, if there are particular issues, you may look at every six months. (This includes) developing testing approaches that look in very granular terms at what's being done in that business, how transactions are originated, booked, and settled. Looking at the integrity of process, both operationally and financially to see if there are vulnerabilities.
MS: How do you know what's adequate in this scenario?
VANGEL: In my judgement, it's a moving goal post. The examiner is basically being asked to determine whether the risk management and controls in a particular institution are commensurate with the nature of risks in its businesses and how it's positioned to expand that business over time. So you have the both the dynamics as the firm level-what are they doing today, where are they going, and how does the infrastructure likely to support that-and what are best practices in the industry generally.
MS: Are you advocating more self regulation on the part of financial institutions?
VANGEL: It's less an advocacy position than it's kind of the necessary direction for things to go. The supervisors have for quite a while now (been) reminding the constituency that, first and foremost, it's the responsibility of the board of directors and management of the institutions to address issues of undue risk at the firm level-not the supervisors. When you think about it, it's kind of inevitable for there to be a move toward greater and greater self regulation because the supervisors are never going to be close enough to the vagaries of the business to function as a first line of defense, much the way an internal auditor should not be the first line of defense.
It's like playing goal with no defense. What you really need to instill is a control culture right on the line the way manufacturing firms have done. Manufacturing firms have recognized for quite a while that quality control happens on the line, not in the back office. Banking firms are increasingly becoming aware of that. Managing operations risk is inherently the function of every business manager just as much as trying to generate profit is.
MS: Skeptics argue that self regulation only works when times are good? Do you agree?
VANGEL: There's going to be a move toward greater self-regulation. There's self interest that, in really bad times, is likely to get people not acting the way the official sector might act. Having said that, I'm not sure what the alternative is. There's moral hazard on the other side of the coin. For the industry to, in effect, lay off that responsibility (on the official supervisory community) doesn't make a lot of sense. Self- regulation can't function with an absence of official supervision because of that self interest. But the nature of what official supervisors do and what the industry does for itself has to evolve further. Market discipline obviously plays a very important role in a world of self regulation, and supervisors are increasingly inclined to use their enforcement authority do that.
MS: What about the debate of firmwide risk management?
VANGEL: It's a very challenging concept to bring into reality. If you look at particular risk buckets-take credit risk. The ability of substantial global firms to monitor credit risk globally on a counterparty by counterparty basis is probably there in many cases. Same for market risk. But integrating market, credit, operational-the real challenge for the industry is coming up for measures, definitions, and approaches for measuring operations risk on an enterprisewide basis. It's probably even true for funding and liquidity risk. High-level, asset/liability management, ALCO-type decisions are made at an enterprise level, but my thinking is that you can talk to the corporate treasurer at a multinational bank about funding and liquidity, but in crunch time, if you were to ask that person if he knew what was going on in terms of transactional liquidity around the globe I would wager that not all firms would have that information in some central point. Having said that, institutions worth their salt recognize that it's the goal because they run the businesses that way. So many of these things are technologically and quantitatively challenging. Unless it's viewed as both, you can have what is the worst of all possible worlds and that's the illusion of risk management and control. That is, looking at technology as the solution. My view is that technology never managed anything. (Firmwide risk management) is a technological and management challenge. All things are possible technologically; but implementation isn't that easy. It seems that competitive advantage goes to the firm with the most precise and comprehensive handle on its risk. Get rid of the risk that the market doesn't compensate you for, and you can strategize and price everything else commensurate with what the true risk is. In broad terms, that's a pretty powerful incentive to try and get there. But there are priorities and then there are priorities. -sraeel tfn.com