Risk management became a bedrock conversational topic for banks and regulators following the 2008 meltdown.

From compensation clawbacks to stress tests to trading desk cultures, the concept is integral in discussing a still-shaky financial system. In an era when even industry insiders concede the country's largest banks are too big to fail, better risk management is seen as the only way to avoid another crisis.

At the same time, the term's become awfully amorphous: Was Libor rigging a risk management failure? If Value at Risk is a deeply flawed model, what's better? And isn't every decision-maker in a bank supposed to manage risk?

On July 16 American Banker sat down to discuss these matters with three risk management practitioners, all of whom weathered the 2008 financial crisis in prominent positions.

Thomas Day, now at Sungard, served as the Office of Thrift Supervision's risk management officer between early 2008 and 2010. Donald Truslow, now the head of the Financial Stability Industry Council, was Wachovia's chief risk officer until a few months before the bank nearly failed and was sold to Wells Fargo. Clifford Rossi, now a professor at the University of Maryland, left a series of emails flagging Countrywide's shoddy controls before leaving the firm for Citigroup, where he headed consumer financial risk during the aftermath of the financial crisis.

GAUGING RISK FROM OUTSIDE

An early stumbling block in setting up a robust and disciplined risk management program at a bank is the difficulty of knowing what such a thing would look like. Especially from the outside, gauging the sincerity of a company's promise of disciplined risk management can be hard to do.

Coming out of the crisis, banks and regulators have broadly recognized that pay incentives must be adjusted for risk, and that risk managers need direct access to senior executives and the board. But a company's overall risk appetite also deserves more attention from outsiders looking to gauge its riskiness, the panelists said.

"A firm needs to clearly identify just how much appetite it has for risk, how much volatility it is willing to take on in its businesses," says Truslow, arguing that the important thing is that management clearly inform employees and shareholders of its tolerance. If management won't frankly describe the possible downsides of significant business moves, outsiders should be wary.

According to Day, judging the quality of risk management comes down to whether the company remains within the boundaries it has set for itself.

"If it's not explainable within the context of the firm's risk appetite, then I've got a problem with that," he says.

The backgrounds of a bank's senior management can also say much about their approach to risk, says Rossi.

"There probably is to a certain extent some cultural differences that exist between traditional commercial banking and the folks that sort of rise up or over from the trading organizations," he says, though not all traders are prone to gambling. If management emphasizes disciplined controls, they will filter down through the organization.

PRIMITIVE, AMORPHOUS, AND ESSENTIAL

Regulators and investors struggling to get a handle on a bank's risk-taking are in good company. Even for those mandated to keep a lid on exposures inside an institution, measuring risk is tough. During the crisis and after, regulators and bankers have wrestled with how to quantify the possibility of loss.

JPMorgan Chase's disastrous trading losses — and profit restatements — in its chief investment office illustrated this trouble, with the bank failing to realize, even after media warnings, that its initial estimates of its exposure were wildly optimistic.

"Some of that is far more art than it is science, because, you know, the infrastructure of some of these banks won't accommodate real-time risk management," says Day. "It accommodates … the 4:15 [p.m.] report type thing, maybe. And so you have to have risk managers at the business line."

The problem of a bank's visibility into its own portfolio can certainly be mitigated by improving technology, but Truslow argues that "bringing the business judgment and that subjectivity and the art is really what's most important."

Even if the risk management discipline itself resists quantification, banks could do more to prepare their risk management staff.

"Some [risk management] certification programs just don't get into things like business model risk," Day says.

Rossi also questions the comprehensiveness of current industry training.

"These certification programs, they're highly quantitative-oriented in the sense that we're talking about how we build this model or looking at these correlation structures," he said. "That's one important dimension of risk management, but that's not where it's really at."

To both train new risk managers and improve a financial institution's existing team, the panelists suggested that the industry should bring back the practice of rotating risk management staff through various divisions of the bank — and requiring up-and-coming executives elsewhere to serve a stint monitoring exposure.

Such practices amount to "cross-fertilization," Truslow says. "To be able to ask those questions but still understand the organizational context over time, I wonder if that's something that the industry would be wise to kind of get back to."

WHAT'S OP RISK? WHAT ISN'T?

Market risk has been a longstanding part of bank risk managers' portfolios. So have credit and interest rate risk. But in the wake of an unprecedented series of self-inflicted wounds by major banks, the panelists argued that the industry needs to speedily improve its dexterity with operational risks.

The industry was aware of business process and control failures before. But sloppy underwriting and servicing mistakes proved every bit as painful for many institutions as crisis-related credit losses. More recently, many of the world's largest banks have been flagged for serious anti-money laundering control breakdowns, and many more now face untold legal risk from rigging one of the world's key benchmark interest rates, Libor.

"How to measure [operational risk] is still pretty primitive in a lot of the organizations that I've worked with, which run from some of the biggest banks to some fairly mid-tier organizations," says Day. "A lot of work needs to be done."

Good luck quantifying it, says Truslow.

"I've seen a lot of institutions get very focused on coming up with measurements for operational risk," he says, arguing that they'd be better off simply focusing on building up a framework for flagging questionable practices.

The near-universal failure to clearly flag Libor manipulation suggests that such a protocol has yet to be found in the industry, Day says.

"It is suspicious that it wasn't dug into in a deeper fashion," Day says of Libor-rigging. "This is one that should have risen to the top."

Whether by bringing in outsiders or staff from other sections of the bank, institutions would do well to gain outside perspective, he and others recommended.

The goal is to have "a sharp person that asks maybe the real basic questions," Truslow says. "The assumption is, 'of course they're controlled properly.' "

RISK MANAGEMENT AND TRANSPARENCY

Risk management in banking benefits from transparency and blunt talk, the panelists said.

Both risk managers and senior executives "have to embrace the notion that risk management is not there just to throw the red flag," Rossi says.

That notion requires restraint on the part of the risk manager, and tolerance for dissent from executives.

"I talk a lot about not having air cover," says Rossi. "That risk manager has to feel unencumbered, to be able to say what they need to say in front of senior management and not feel threatened that they may not be there in a few months."

That doesn't mean the risk manager gets a veto.

"You can only use that once or twice," Rossi says. More typically, the risk manager should defer to executives after making his case. "Once all the information has been put in place, then it's up to the business heads."

Leaving records indicating that a risk manager has serious qualms about a business endeavor can be a dicey matter. But if anyone at a company is reluctant to share such concerns, Rossi says, the business has a very serious problem.

"That's not the way to run the business in my mind," he said.

Truslow had another suggestion for how to instill more respect for managing risk: pay the people who do it more.

"The compensation programs, it seems to me, have to get on par with the line of business compensation structures," he says.

DODD-FRANK — THE GOOD AND THE BAD

While none of the panelists were thrilled with Washington's overall response to the financial crisis, they credited some of the government's actions for improving risk management standards.

"The recovery and resolution planning process, the living wills … that has the potential to help improve some of these internal processes," Day says, because it forces companies to examine their own nuts and bolts. But "the emphasis … has been far too much on the living will, the resolution side, as opposed to recovery."

And Washington could do more. Efforts to promote a strong risk management culture would likely benefit from a clear message that the government would not tolerate financial misconduct. Following the corporate accounting scandals at the beginning of the last decade, the government came down hard on shoddy practices. It is "unique" that it hasn't done the same since 2008, Day says. "I think things like that would help, because it does drive home the fact that this is serious, and for misbehavior and misconduct there are ramifications."

Regulators must also do more to lower the contagion risk from shocks to the system, Truslow says. It may be naïve to think that risk managers can serve as the bulwark of systemic crisis prevention.

"If you look at Dodd-Frank, it almost acts as if regulators and better risk management will solve the next crisis," Truslow says. "And I'm not sure that that's true."

WHAT'S NEXT

As for the nature of that possible "next crisis," the panelists diverged in their predictions.

Truslow says that cybersecurity is "at the top of my list," citing a rise in state-sponsored hacking and the sensitivity of financial data.

"Banks and large financial institutions are basically information companies," he says, arguing the dizzying pace of new technologies will give rise to a "cat and mouse game" between the industry and those who wish to destabilize or steal from it.

Rossi cites liquidity risk as his top concern. While the Basel capital standards have made some progress, the crisis in the commercial paper markets in 2008 reflected a huge blind spot for the risk management profession, he says.

"And I don't think that we have given it its just due, and we shouldn't be reliant on the liquidity ratios from Basel to guide us," he says.

Day agrees, noting that liquidity hasn't been a focus of government stress tests.

"They probably need another stress test for liquidity that's done, although that probably wouldn't be received real well by the industry," he says.

But Day cites the yield curve as his principal concern. With 10-year Treasury yields mired well below 2% and few lending opportunities, banks are "looking at net interest margin pressures that they've not seen in a lifetime," he said. "So they're cutting staff. But they're managing the same or bigger portfolios of risks.

"It's as if we're doing everything we can to create another bubble, and eventually we will get one," Day says. "I really worry that the financial incentives in the market, as presented by the yield curve and spreads, could induce some people to take risks that they're not as well acclimated to manage."
