If risk management is an art, JPMorgan Chase (JPM) is widely considered to be the financial industry's Michelangelo.
We know this because the company came through the 2008 crisis better than the majority of its peers.
But what to make, then, of the amateur mistakes revealed by the massive trading losses clocked by the $2.3 trillion-asset company's chief investment office?
This office exists primarily to accomplish a pretty tame task — invest excess liquidity.
Yet according to chairman and CEO Jamie Dimon, the unit's synthetic credit portfolio "morphed." Testifying before the Senate last week and the House on Tuesday, Dimon didn't do much to explain how or why.
"This portfolio morphed into something that, rather than protect the firm, created new and potentially larger risks," Dimon told the Senate Banking Committee. "As a result, we have let a lot of people down, and we are sorry for it."
Answers like that earned Dimon a gentle pass through the Senate Banking Committee last week and while the House Financial Services Committee challenged him more on Tuesday, members didn't follow up on that central issue.
But risk management experts are focused on how this "morphing" was allowed to occur and are appalled by what they consider to be fundamental lapses at JPMorgan.
To start with, the company's chief risk officer didn't have enough control over the CIO unit's risk officer.
"It really started from the moment that the CIO's office could actually manage its own risk without really coming back and informing the rest of the bank," said Clifford Rossi, a former banker and executive-in-residence at the University of Maryland's Robert H. Smith School of Business. "The most important risk management failure comes to the lack of integration of the CIO risk committee with the rest of the company."
Odd, too, that the company's CRO John Hogan is not running JPMorgan's internal investigation into what went wrong. That job was given to Mike Cavanaugh, the head of treasury and securities services and former CFO.
Next, the CIO unit's losses were discovered after a change was made to its value at risk model, and yet weeks after the trading losses surfaced, no one can explain who approved the model change or whether the bank's primary regulator was notified.
JPMorgan says it changed its model in January because it back-tested better than the model the company had been using. In other words, when old data was run through the new model, the results more closely mirrored reality than with the original model. Okay, fine. Circumstances change. But what threw the new model so far off?
Sen. Richard Shelby, R-Ala., asked that during the Senate Banking hearing.
Here is Dimon's answer: "You know, I — I'm gonna have to give you more detail later. But both these models backtest and have backtested better than the old model, is what I believe. And so these are statistical testing of how it would've — what would've been more accurate looking back over the last year or the last three years. But I think I mentioned, with models, that the future is not the past. Things change: concentration, liquidity, people's views about Europe, credit spreads, high yield versus investment grade. And the old model was better at predicting some of the things that happened in April and May than the new model."
It's hard to tell what Dimon was trying to say, but he did not explain why the two models produced such different results.
Which leads to point #3 — why didn't JPMorgan run the new and the old models in tandem for some period of time? That's standard procedure for model changes, and it's included in the federal guidance regulators released in April 2011 on model governance.
"Models are regularly adjusted to take into account new data or techniques, or because of deterioration in performance. Parallel outcomes analysis, under which both the original and adjusted models' forecasts are tested against realized outcomes, provides an important test of such model adjustments," the guidance reads. "If the adjusted model does not outperform the original model, developers, users, and reviewers should realize that additional changes—or even a wholesale redesign—are likely necessary before the adjusted model replaces the original one."
If JPMorgan did any "parallel outcomes analysis" Dimon didn't bother to mention it. If the company ends up being hit with an enforcement action by regulators, it could very well be because it did not follow this guidance.
It's also pretty clear that compensation policy and practice in the chief investment office did not reward risk mitigation. And the unit either had no risk limits or they were ignored.
How about reverse stress-testing? This is another a common risk-management practice designed to imagine worst-case scenarios and work backward to figure out what could lead to disaster. Dimon never mentioned whether the chief investment office bothered to conduct any reverse stress-tests.
"You can have the best risk management system in place but you have to have an ability to step back and really powerfully ask yourself, 'How can we lose money?'"a former regulator said. "If this group had posed the question, 'How could we lose a large amount of money?' somebody should have said, 'Gee we are outsized in these certain markets, and if that ever got detected, we could get picked off.'"
So how does a risk management artist like JPMorgan get so many basic things wrong?
One possible answer is that Dimon put too much trust in someone he'd worked with for decades, the investment officer's leader, Ina Drew.
Dimon conceded as much during his Senate testimony.
"The CIO unit had done so well for so long that I think there was a little bit of complacency about what was taking place there, and maybe there was overconfidence," he told senators.
In another question from Shelby, Dimon was asked what he had learned from the mess.
"I think no matter how good you are, how competent people are, never get complacent in risk. Challenge everything. Make sure people on risk committees are always asking questions."
Dimon assured Shelby that, "In the rest of the company, we have those disciplines in place. We didn't have it here. And that's what caused the problem."
Let's hope Dimon is right (and that federal regulators verify it), and that the rest of the industry also learns a lesson from this mess.
Risk management is only as good as the people behind it, and every institution has to ensure that its risk executives are empowered and respected.
New rules from the Federal Reserve Board should elevate risk managers at the largest banks.
But if the industry ever hopes to get out from under the mountain of rules governing its operations it must embrace risk management as tightly as it does revenue generation or cost containment.
It can't be an afterthought or a sideshow. It has to be the rudder that guides the company's decisions and keeps it on course.